ASA RA User Authorization via ISE AuthZ Policy with IN-ACL

kumardilip
Level 1

Hello Community Experts,

 

We are seeing a strange problem in our environment where we authenticate Remote Access VPN users on our ASA via Cisco ISE. The Cisco ISE authorization policies have a group of IN-ACL authorization profiles. When the number of combined ACL entries that are returned to the ASA by ISE goes beyond 66, the user gets a Login Failed error on AnyConnect VPN. Reducing the number back to 66 solves the problem.

 

### ASA Details ###

Cisco Adaptive Security Appliance Software Version 9.10(1)27

Firepower Extensible Operating System Version 2.4(1.248)

Device Manager Version 7.10(1)

System image file is "disk0:/asa9-10-1-27-smp-k8.bin"

 

Hardware:   ASA5555, 16384 MB RAM, CPU Lynnfield 2800 MHz, 1 CPU (8 cores)

            ASA: 8560 MB RAM, 1 CPU (2 cores)

Internal ATA Compact Flash, 8192MB

 

### ISE Details ###

Version - 2.6.0.156
Installed Patches - 3
Product Identifier (PID) - ISE-VM-K9
Version Identifier (VID) - V01
ADE-OS Version - 3.0.5.144

 

### ISE Authorization Policy ###

[Screenshot of the ISE authorization policy: Screenshot 2020-03-26 at 12.46.39 PM.png]

 

### ISE Authorization Profile with IN-ACL Entries ###

[Screenshot of the ISE authorization profile with IN-ACL entries: Screenshot 2020-03-26 at 12.47.56 PM.png]

 

I appreciate all the help. Thank you!

Accepted Solution

Colby LeMaire
VIP Alumni

First thing right away is you can adjust your ACL to consolidate some of those lines as follows:

permit ip any 10.1.32.0 255.255.224.0 - will cover 10.1.32.0 thru 10.1.63.0

That would save you 32 lines.  There is probably a limit on the number of entries for your hardware/software.  You can verify with TAC.  But when a device is unable to apply a particular security policy like dACL, it should deny the connection.  That is why you are seeing failures and disconnects when using more than 66 entries. 
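The consolidation Colby describes (32 contiguous /24 entries summarized into one /19) can be done mechanically and checked before the dACL is pasted back into ISE. The script below is an added example written for this thread; it is not code from the original post, from Cisco, or from ISE. It assumes dACL lines of the form `permit|deny <proto> any <network> <netmask>` (the ASA-style netmask syntax used in the reply), that only runs of consecutive entries sharing the same action and protocol are merged (so a `deny` is never reordered past a `permit`), and it uses a constructed sample list that mirrors the 10.1.32.0 to 10.1.63.0 range mentioned above plus a few extra entries to show the ordering rule.

```python
"""
Added example (not from the thread): collapse contiguous dACL entries into
summary entries with Python's ipaddress module and report the line saving.
Sample ACEs below are constructed for illustration.
"""
import ipaddress
import re

# ASA/ISE dACL line with an 'any' source: "permit ip any 10.1.32.0 255.255.255.0"
ACE_RE = re.compile(
    r"^\s*(?P<action>permit|deny)\s+(?P<proto>\S+)\s+any\s+"
    r"(?P<net>\d+\.\d+\.\d+\.\d+)\s+(?P<mask>\d+\.\d+\.\d+\.\d+)\s*$"
)


def parse_aces(lines):
    """Parse each ACE into (action, proto, ip_network); reject unsupported forms."""
    parsed = []
    for line in lines:
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported ACE format: {line!r}")
        # ipaddress accepts a dotted netmask after the slash; strict=True
        # catches entries whose host bits are set (a typo in the dACL).
        net = ipaddress.ip_network(f"{m['net']}/{m['mask']}", strict=True)
        parsed.append((m["action"], m["proto"], net))
    return parsed


def _emit(key, nets):
    """Render a run of same-action/same-proto networks as collapsed ACEs."""
    action, proto = key
    return [
        f"{action} {proto} any {n.network_address} {n.netmask}"
        for n in ipaddress.collapse_addresses(nets)
    ]


def consolidate(lines):
    """Merge only consecutive ACEs that share action and protocol.

    collapse_addresses() returns the exact union as the fewest supernets, so
    the permitted/denied address space is unchanged; limiting the merge to
    runs keeps permit/deny ordering intact.
    """
    out, run, key = [], [], None
    for action, proto, net in parse_aces(lines):
        if run and (action, proto) != key:
            out.extend(_emit(key, run))
            run = []
        key = (action, proto)
        run.append(net)
    if run:
        out.extend(_emit(key, run))
    return out


def build_sample_dacl():
    """Constructed sample: 32 /24s (10.1.32.0 .. 10.1.63.0) plus three more entries."""
    lines = [f"permit ip any 10.1.{i}.0 255.255.255.0" for i in range(32, 64)]
    lines += [
        "permit ip any 10.2.0.0 255.255.0.0",
        "deny ip any 10.3.0.0 255.255.255.0",
        "permit ip any 10.3.0.0 255.255.0.0",
    ]
    return lines


if __name__ == "__main__":
    sample = build_sample_dacl()
    merged = consolidate(sample)
    print(f"{len(sample)} entries -> {len(merged)} entries")
    for ace in merged:
        print(ace)
```

Run it as-is to see the 35 constructed entries shrink to 4, the first of them being `permit ip any 10.1.32.0 255.255.224.0`; feed it your own exported dACL lines to get a summarized list whose length you can compare against whatever entry count the ASA accepts.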
