nikhilcherian
Contributor

AnyConnect VPN client showing compliant, but not in ISE

In my setup, I have ASA Version 9.6(4)8 & ISE 2.2 patch 8. When I try VPN posturing, I see the below:

  1. Client connects to the VPN.
  2. Client goes through the auth (I have created internal users for VPN).
  3. Client is moved to the posture-unknown state.
  4. ISE pushes the ISEPostureCFG.xml to the client.
  5. I have given an any-AV-install check & any-AV-update check.
  6. If my AV is not updated, I get the warning.
  7. If there is no compliance module on the laptop, ISE pushes the posture module.
  8. My Windows client validates the posture conditions.
  9. AnyConnect shows posture compliant.
  10. However, in ISE the client is still stuck in the posture-compliant state & the client keeps redirecting to ISE if I open a browser.
  11. I am using anyconnect-4.5.04029.
  12. I have enabled dynamic authorization on the ASA & I can see "coa-push=true" in the Cisco AV pair in ISE.
  13. On the ASA, the client is still seen with the REDIRECT ACL.

How can I troubleshoot the issue?

Thanks

Nikhil

5 Replies
balaji.bandi
VIP Master

There are good examples and step-by-step guides available here:

https://www.cisco.com/c/en/us/support/security/identity-services-engine-2-2/model.html#ConfigurationExamplesandTechNotes

Maybe you have already looked at them (if so, ignore it).

There is a good posture-check guide with step-by-step logs to verify.


BB


RichardAtkin
Participant

You say the Client is still stuck doing Posture in ISE, even after the Client passes the checks?

Does ISE receive a Posture Report from the Client? I would guess not - can you check your ACLs / FW rules to ensure you have all the ports and protocols open?
Timothy Abbott
Cisco Employee

Verify the endpoint is matching the proper authorization rule after CoA is sent to the ASA. It could be that the endpoint is matching a provisioning rule instead of a compliant rule. If not, I suggest opening a TAC case to troubleshoot further.

Regards,
-Tim
misinsuan2229
Beginner

Was this resolved? I am also getting similar issues on random VPN clients which have an ISE posture requirement. This issue is intermittent on our side and not all are getting the issue.

Hi Team,

I have also faced the same issues with posturing. As per my experience, please check the below.

* Check that the RADIUS request and the posturing request are coming to the same PSN.

* Check CoA between ISE and the ASA.

* Check whether port 8443 is open from the client to ISE.

* Check that enroll.cisco.com is resolved from the ASA.

For your reference: https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/117693-configure-ASA-00.html
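The checklist in this reply can be run from the client side as a small script. The following is an added example, not code from the thread or from Cisco; it assumes the ISE redirect URL has the usual `https://<psn-fqdn>:8443/portal/gateway?sessionId=...` shape, that the RADIUS PSN FQDN is known from the ASA's aaa-server group, and that the DNS and TCP probes may be replaced by fakes for offline use. The sample redirect URL and hostnames are constructed.

```python
import socket
from urllib.parse import parse_qs, urlparse


def parse_redirect(url):
    """Split an ISE redirect URL into the PSN host, port and sessionId."""
    u = urlparse(url)
    sid = parse_qs(u.query).get("sessionId", [None])[0]
    return {"psn": (u.hostname or "").lower(), "port": u.port or 443, "session_id": sid}


def resolves(name):
    """True if DNS resolution of name succeeds (real network check)."""
    try:
        socket.gethostbyname(name)
        return True
    except OSError:
        return False


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds (real network check)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def posture_checks(redirect_url, radius_psn, resolve=resolves, reach=tcp_reachable):
    """Map check name -> (ok, detail) for the four points listed in the reply."""
    info = parse_redirect(redirect_url)
    return {
        # posture report must land on the PSN that holds the RADIUS session
        "same_psn": (info["psn"] == radius_psn.lower(),
                     f"redirect PSN {info['psn']}, RADIUS PSN {radius_psn}"),
        # redirect must target the client-provisioning port
        "port_8443": (info["port"] == 8443, f"redirect port {info['port']}"),
        # without a sessionId ISE cannot correlate the report to the session
        "session_id": (bool(info["session_id"]), f"sessionId={info['session_id']}"),
        # discovery host the posture module probes must resolve
        "enroll_dns": (resolve("enroll.cisco.com"), "enroll.cisco.com resolution"),
        # and TCP 8443 to that PSN must not be blocked by ACL/firewall
        "psn_8443_tcp": (reach(info["psn"], 8443), f"TCP {info['psn']}:8443"),
    }


def failed(checks):
    """Sorted names of the checks that did not pass."""
    return sorted(name for name, (ok, _) in checks.items() if not ok)


# Constructed sample: RADIUS went to psn1, but the redirect points at psn2.
SAMPLE_URL = ("https://ise-psn2.example.com:8443/portal/gateway"
              "?sessionId=0a0a0a0a00000010constructed&portal=constructed-id&action=cpp")

if __name__ == "__main__":
    for name, (ok, detail) in posture_checks(SAMPLE_URL, "ise-psn1.example.com").items():
        print(f"{'PASS' if ok else 'FAIL'} {name}: {detail}")
```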
