
AnyConnect not profiling

Greetings,

Running into an odd issue on only a couple of devices. Basically, AnyConnect either says it can't find a profile server, or that posture is not needed, but on the ISE side, it's pending posture. I've checked that Windows Firewall is off and I can ping the ISE, so not sure what the issue is. So far this is only 2 of about 200 devices, so a small sample.

Anyone run into this and have any suggestions?

Accepted Solutions

Jason Kunst
Cisco Employee

Please produce a DART file and open a TAC case so they can be analyzed.


3 Replies


There are cases where the AC agent and ISE can be out of sync in terms of posture status.

One such case of ISE pending and AC unaware of non-compliance is highlighted in CSCuw93919. For example, ISE sends a CoA reauth, but AC does not detect the change in status, so it does not re-trigger Posture Discovery/Assessment.

For the case where AC cannot find the posture server, verify that ISE has assigned a posture redirect (CPP) authorization, which will cause packets to be redirected to the current PSN owning the RADIUS session.

/Craig

We found the user had loaded some VPN client from the net and it was causing the issue. Once they uninstalled it, AnyConnect started working correctly.

As for the second, once we got the laptop, we were able to log in and all worked correctly, so just chalking that up to an ID-10-T error.