
AnyConnect's ISE Posture showing Old Policy Server's FQDN?

Matthew Martin

Hello All,

 

2 Weekends ago we upgraded our ISE Servers from 2.0 to 2.3.

Prior to the upgrade I had to modify the Hostnames of the 2 ISE Servers. Because of the change, each client's "ConnectionData.xml" file was still showing the old Policy Node's Hostname. So I modified one ConnectionData.xml file to show the 2 new FQDNs of the Policy Nodes. Then, we pushed this new XML config file with PDQ to all client machines.

*FYI, I already have new Certs on both of the ISE servers for their new hostnames which were signed by our Internal Windows CA Server...

 

One of the Windows 7 PCs that this was pushed to, is still showing the Policy Server's OLD hostname in the System Scan tab of the AnyConnect settings window, even though the ConnectionData.xml file is showing the correct hostname.

 

I've tried starting and stopping each of the AnyConnect services for all the modules, including the ISE Posture Module. When that didn't work, I rebooted... Even after the Reboot I am still getting the pop-up error message from AnyConnect that shows the Security Warning that the cert doesn't match the Hostname. Since the ConnectionData.xml file is showing the correct hostname, I'm not sure why the Security Warning message is still displaying the old hostname..? Screenshot below...

 

[Screenshot: AnyConnect_Security_Warning.png]

It almost seems as though it's getting the hostname from a cached config file somewhere on this PC. But, I'm not sure where else the PSN's Hostname would be defined, other than ConnectionData.xml?

 

Any thoughts or suggestions would be greatly appreciated!

 

Thanks in Advance,

Matt

3 Replies

Hi,
Does the ISEPostureCFG.xml file contain the old server fqdn?
C:\ProgramData\Cisco\CiscoAnyConnect Secure Mobility Client\ISE Posture\ISEPostureCFG.xml

Thanks for the reply.

No, that file doesn't contain any ISE Server hostnames in it. What XML Tag would that be under?

The only thing in there that shows domain, is the "ServerNameRules", which is just set to *.ourdomain.com...

-Matt

Is the PSN address/hostname supposed to be configured in the "ISEPostureCFG.xml" file somewhere? We've had ISE and AnyConnect in place for about 1.5-2 years and the PSN address hasn't been in that file, as far as I know...

-Matt