10-15-2018 05:58 AM
Hi Experts,
Test environment:
ISE 2.3 patch 3
HP Comware switch: Version 7.1.070, Release 3208P03
I am seeing this very weird behavior with AnyConnect.
We are using an ACL for posture redirection. When I have these two statements:
rule 135 deny tcp destination-port eq 443
rule 140 deny tcp destination-port eq www
AnyConnect says that it failed to launch the downloader.
But when I change them to:
rule 135 permit tcp destination-port eq 443
rule 140 permit tcp destination-port eq www
AnyConnect says no policy server detected.
Any idea why this could be happening?
Following is the complete ACL:
[NAC-5130-2]display acl 3003
Advanced IPv4 ACL 3003, 29 rules,
ACL's step is 5, start ID is 0
rule 0 permit ip destination <ISE Server> 0
rule 5 permit udp destination-port eq dns
rule 10 permit udp source-port eq bootpc destination-port eq bootps
rule 15 permit udp source-port eq bootps destination-port eq bootpc
rule 20 permit tcp destination-port eq 2967
rule 25 permit tcp source-port eq 2967
rule 30 permit tcp destination-port eq 7070
rule 35 permit tcp source-port eq 7070
rule 40 permit ip destination <AV Server> 0
rule 45 permit tcp destination <AV Server> 0 destination-port eq 443
rule 50 permit tcp destination <AV Server> 0 destination-port eq www
rule 55 permit tcp destination <AV Server> 0 destination-port eq 443
rule 60 permit tcp destination <AV Server> 0 destination-port eq www
rule 65 permit tcp destination <AV Server> destination-port eq 443
rule 70 permit tcp destination <AV Server> destination-port eq www
rule 75 permit tcp destination <SCCM Server> 0 destination-port eq 443
rule 80 permit tcp destination <SCCM Server> 0 destination-port eq www
rule 85 permit tcp destination <SCCM Server> 0 destination-port eq 443
rule 90 permit tcp destination <SCCM Server> 0 destination-port eq www
rule 95 permit tcp destination <SCCM Server> 0 destination-port eq 443
rule 100 permit tcp destination <SCCM Server> 0 destination-port eq www
rule 105 permit tcp destination <SCCM Server> 0 destination-port eq 443
rule 110 permit tcp destination <SCCM Server> 0 destination-port eq www
rule 115 permit tcp destination <SCCM Server> 0 destination-port eq 443
rule 120 permit tcp destination <SCCM Server> 0 destination-port eq www
rule 125 permit tcp destination <SCCM Server> 0 destination-port eq 443
rule 130 permit tcp destination <SCCM Server> 0 destination-port eq www
rule 135 deny tcp destination-port eq www
rule 140 deny tcp destination-port eq 443
10-22-2018 08:01 AM
10-23-2018 02:51 AM
Thanks for the response.
Yes, the customer is aware of the implications and issues pertaining to this use case.
There is another issue I am seeing, for which I have opened a new thread: when the user clicks on the download link for AnyConnect, a blank page is presented.
I checked the page source and saw that there is nothing in the URL which sends for downloading the AnyConnect client, as below:
01-27-2021 01:32 AM
Hi,
I am working on the same problem:
My DACL:
permit udp any any eq 53
permit udp any any eq bootps
permit tcp any host 10.71.0.1 eq 80
permit tcp any host 72.163.1.80 eq 80
permit tcp any host 10.70.0.100 eq 80
permit tcp any host 10.70.0.100 eq 443
permit tcp any host 10.70.0.100 eq 8443
permit tcp any host 10.70.0.100 eq 8905
deny ip any any
Where 10.70.0.100 is the Cisco ISE PSN.
My redirect ACL on the NAD is:
ip access-list extended POSTURE
permit tcp any host 10.71.0.1 eq www
permit tcp any host 10.71.0.1 eq 443
permit tcp any host 10.70.0.1 eq www
permit tcp any host 10.70.0.1 eq 443
permit tcp any host 72.163.1.80 eq www
permit tcp any host 72.163.1.80 eq 443
deny ip any any
I don't have DNS for enroll.cisco.com because I don't understand which IP address it must resolve to:
72.163.1.80 or the PSN?
Thank you !
01-27-2021 02:46 AM
The redirect ACL should look like:
Extended IP access list REDIRECT_POSTURE
10 deny ip any host <PSN>
20 deny udp any any eq domain
30 deny icmp any any
40 permit tcp any any eq www
50 permit tcp any any eq 443
Note: enroll.cisco.com is the second probe of an HTTP GET /auth/discovery. This FQDN has to be successfully resolvable by the DNS server. In a VPN scenario with split tunnel, traffic to enroll.cisco.com needs to be routed through the tunnel.
Hope this helps!
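As an added example that is not part of this thread, the following Python script models the first-match semantics of the two ACL types discussed here so a redirect ACL and dACL can be checked offline before they are pushed to a switch: in a Cisco IOS redirect ACL a permit means the flow is intercepted and redirected to the ISE portal and a deny means it is left alone, while the dACL keeps the ordinary meaning of permit (forward) and deny (drop). It uses the redirect ACL from this reply with the PSN address 10.70.0.100 and the dACL from the question, plus a widened copy of that dACL that also permits web traffic to any destination. The client address 10.71.0.50 and the destination 203.0.113.10 are constructed for the example, and the ordering assumption that a flow dropped by the dACL never reaches the redirect step is mine, not something stated in the thread.

```python
"""Added example: first-match evaluator for Cisco IOS extended ACL lines.
Redirect ACL: permit = redirect the flow to the ISE portal, deny = leave it alone.
dACL: permit = forward, deny = drop. Assumption here: a flow the dACL drops is never redirected."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional
NAMED_PORTS = {"www": 80, "domain": 53, "bootps": 67, "bootpc": 68}  # IOS port keywords

@dataclass(frozen=True)
class Flow:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: ipaddress.IPv4Network
    sport: Optional[int]         # None = any port
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    def matches(self, f: Flow) -> bool:
        return (self.proto in ("ip", f.proto)
                and ipaddress.IPv4Address(f.src) in self.src and self.sport in (None, f.sport)
                and ipaddress.IPv4Address(f.dst) in self.dst and self.dport in (None, f.dport))

def _parse_addr(tokens: List[str], i: int):
    """'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' at tokens[i]; returns (network, next i)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(tokens[i + 1])) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{tokens[i]}/{netmask}", strict=False), i + 2

def _parse_port(tokens: List[str], i: int):
    """Optional 'eq PORT' at tokens[i]; PORT is a number or an IOS keyword."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (NAMED_PORTS[name] if name in NAMED_PORTS else int(name)), i + 2
    return None, i

def parse_acl(text: str) -> List[Rule]:
    """Parse IOS-style ACL lines; sequence numbers, blank lines and remarks are tolerated."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens and tokens[0].isdigit():          # "10 deny ip any host ..."
            tokens = tokens[1:]
        if not tokens or tokens[0] == "remark":
            continue
        src, i = _parse_addr(tokens, 2)
        sport, i = _parse_port(tokens, i)
        dst, i = _parse_addr(tokens, i)
        dport, _ = _parse_port(tokens, i)
        rules.append(Rule(tokens[0], tokens[1], src, sport, dst, dport))
    return rules

def evaluate(acl: List[Rule], flow: Flow) -> str:
    """First matching rule wins; no match means the implicit trailing deny."""
    return next((r.action for r in acl if r.matches(flow)), "deny")

def decide(dacl: List[Rule], redirect_acl: List[Rule], flow: Flow) -> str:
    """Outcome for a flow from a port whose posture is still unknown (ordering is an assumption)."""
    if evaluate(dacl, flow) == "deny":
        return "dropped"
    return "redirected" if evaluate(redirect_acl, flow) == "permit" else "forwarded"

PSN = "10.70.0.100"   # PSN address taken from the question above
REDIRECT_ACL = parse_acl(f"""
10 deny ip any host {PSN}
20 deny udp any any eq domain
30 deny icmp any any
40 permit tcp any any eq www
50 permit tcp any any eq 443
""")
QUESTIONER_DACL = parse_acl(f"""
permit udp any any eq 53
permit udp any any eq bootps
permit tcp any host 10.71.0.1 eq 80
permit tcp any host 72.163.1.80 eq 80
permit tcp any host {PSN} eq 80
permit tcp any host {PSN} eq 443
permit tcp any host {PSN} eq 8443
permit tcp any host {PSN} eq 8905
deny ip any any
""")
WIDENED_DACL = QUESTIONER_DACL[:-1] + parse_acl(   # same dACL, also permitting the web traffic to redirect
    "permit tcp any any eq www\npermit tcp any any eq 443\ndeny ip any any")
# Constructed sample flows: 10.71.0.50 and 203.0.113.10 are made up for this example.
SAMPLE_FLOWS = {
    "dns":        Flow("udp", "10.71.0.50", "10.71.0.1", 51000, 53),
    "psn_portal": Flow("tcp", "10.71.0.50", PSN, 51001, 8443),
    "web_http":   Flow("tcp", "10.71.0.50", "203.0.113.10", 51002, 80),
}
```

Calling `evaluate(REDIRECT_ACL, flow)` on each sample shows that DNS and the PSN portal connection hit deny entries and are therefore not redirected, while HTTP to an arbitrary host hits the permit and is. Calling `decide()` with the questioner's dACL drops that same HTTP flow at the dACL before the redirect rule is ever consulted, and only the widened dACL lets it through to be redirected; this is the point of the deny entries for the PSN and DNS in the reply above, and of the permit entries in the dACL.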
10-16-2018 04:52 AM
Hi,
Could you share the Authorization Profile you have configured?
Also, could you please try putting the FQDN in the tab below Web Redirection.
One more thing you can try: copy the complete URL which you will find under "Attribute Details", put it into your browser and check whether it is redirecting or not. Please share the output.
Sajid
10-17-2018 12:10 AM
10-25-2018 10:37 AM
Can you post your current posture redirect ACL that is configured on the switch in its entirety?
10-25-2018 01:19 PM
This also looks like the same issue as
Solved: Re: AnyConnect blank page when clicking... - Cisco Community