03-25-2020 09:49 PM
Hello Community Experts,
We are seeing a strange problem in our environment where we authenticate Remote Access VPN users on our ASA via Cisco ISE. The Cisco ISE authorization policies have a group of IN-ACL authorization profiles. When the number of combined ACL entries that are returned to the ASA by ISE goes beyond 66, the user gets a Login Failed error on AnyConnect VPN. Reducing the number back to 66 solves the problem.
### ASA Details ###
Cisco Adaptive Security Appliance Software Version 9.10(1)27
Firepower Extensible Operating System Version 2.4(1.248)
Device Manager Version 7.10(1)
System image file is "disk0:/asa9-10-1-27-smp-k8.bin"
Hardware: ASA5555, 16384 MB RAM, CPU Lynnfield 2800 MHz, 1 CPU (8 cores)
ASA: 8560 MB RAM, 1 CPU (2 cores)
Internal ATA Compact Flash, 8192MB
### ISE Details ###
### ISE Authorization Policy ###
### ISE Authorization Profile with IN-ACL Entries ###
I appreciate all the help. Thank you!
03-26-2020 09:11 AM
The first thing you can do right away is consolidate some of those ACL lines, for example:
permit ip any 10.1.32.0 255.255.224.0 - will cover 10.1.32.0 through 10.1.63.0
That would save you 32 lines. There is probably a limit on the number of entries for your hardware/software; you can verify that with TAC. But when a device is unable to apply a particular security policy such as a dACL, it should deny the connection. That is why you are seeing failures and disconnects when using more than 66 entries.
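As an added example (not part of the original thread or any Cisco tool), the script below does the consolidation the answer describes for a whole dACL rather than one line: it parses ASA-syntax ACEs (subnet masks, as ISE sends them to an ASA), groups lines that differ only in destination network, collapses the destinations with the standard library's ipaddress.collapse_addresses, and reports whether the result fits under a given entry budget. The sample dACL is constructed here; the 66-entry threshold is the number observed in the question, not a documented platform limit. Because reordering ACEs changes what a mixed permit/deny list matches, the script refuses to merge a list that contains more than one action.

```python
import ipaddress
from collections import OrderedDict

# Constructed sample dACL in ASA syntax: 32 consecutive /24 destination networks
# (10.1.32.0 through 10.1.63.0), plus two unrelated lines. Not from the original post.
SAMPLE_DACL = (
    [f"permit ip any 10.1.{n}.0 255.255.255.0" for n in range(32, 64)]
    + ["permit tcp any 192.168.10.0 255.255.255.0 eq 443",
       "permit ip any 172.16.0.0 255.255.0.0"]
)

# Observed failure threshold from the thread, used only as an example budget.
OBSERVED_LIMIT = 66


def _parse_target(tokens, i):
    """Consume one address spec ("any", "host X", or "<net> <mask>") and return (network, next_index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ASA dACL syntax uses a subnet mask (not a wildcard mask); ipaddress accepts "net/mask".
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_dacl_line(line):
    """Split an ACE into (action, protocol, source, destination, trailing options)."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, i = _parse_target(tokens, 2)
    dst, i = _parse_target(tokens, i)
    rest = " ".join(tokens[i:])  # e.g. "eq 443"; carried through verbatim
    return action, proto, src, dst, rest


def format_target(net):
    """Render a network back into ASA syntax."""
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"


def consolidate_dacl(lines):
    """Merge ACEs that differ only in destination network into the fewest supernets.

    Only safe when every line has the same action: ASA evaluates ACEs in order,
    so regrouping a list that mixes permit and deny could change what it matches.
    """
    parsed = [parse_dacl_line(l) for l in lines if l.strip()]
    if len({p[0] for p in parsed}) > 1:
        raise ValueError("mixed permit/deny list: consolidate by hand to preserve ordering")

    groups = OrderedDict()
    for action, proto, src, dst, rest in parsed:
        groups.setdefault((action, proto, src, rest), []).append(dst)

    out = []
    for (action, proto, src, rest), dsts in groups.items():
        # collapse_addresses merges adjacent, mask-aligned networks (32 x /24 -> one /19)
        # and drops networks already covered by a larger one.
        for dst in ipaddress.collapse_addresses(dsts):
            out.append(" ".join(filter(None, [action, proto, format_target(src),
                                              format_target(dst), rest])))
    return out


def dacl_report(lines, limit=OBSERVED_LIMIT):
    """Return entry counts before and after consolidation and whether each fits the budget."""
    merged = consolidate_dacl(lines)
    return {
        "original_entries": len(lines),
        "consolidated_entries": len(merged),
        "original_fits": len(lines) <= limit,
        "consolidated_fits": len(merged) <= limit,
        "consolidated": merged,
    }


if __name__ == "__main__":
    report = dacl_report(SAMPLE_DACL)
    print(f"{report['original_entries']} entries -> {report['consolidated_entries']}")
    for ace in report["consolidated"]:
        print(ace)
```

Run it against the dACL exported from the ISE authorization profile; when the list mixes permits and denies, consolidate each contiguous same-action run separately so the evaluation order is preserved.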