cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1018
Views
0
Helpful
6
Replies

ASA VPN posture and ISE

devvv85
Level 1
Level 1

Hi Experts,

 

I am testing ASA VPN posture with ISE. Below are the details and my query:

 

ASA version: 9.8.2.39

ISE version: 2.3 patch 3

 

During testing, I found that the endpoint is getting postured correctly and endpoint is getting final access. However, on live logs I cannot see the final "compliant" policy being hit.

 

On CoA logs, I can see the compliant AuthZ profile being hit. However, actual compliant policy is not seen. 

 

Please see attached file. The test_VPN_profile is the final compliant Authz profile. However, I cannot see the policy.

 

Would appreciate your reply.

 

1 Accepted Solution

Accepted Solutions

Hi Nidhi/Thomas,

 

Thank you for your help. Worked with TAC and the behavior is expected.

All the attributes are sent in CoA itself, so final compliant policy is not seen.

 

Thanks again!!

View solution in original post

6 Replies 6

Jeffrey Jones
Level 5
Level 5
What version of the anyconnect client are you using?

Are the users connecting ?

Jeff

Hi Jeff,

Yes, users are able to connect without any issue. Everything is working fine. 

It is just that after the CoA log, I cannot see final compliant policy in live logs. Not sure if this is expected behavior.

 

I am using 4.5.04029 AnyConnect version.

 

Thanks!

Nidhi
Cisco Employee
Cisco Employee

The live logs and live sessions should show the compliant policy hit. 

If everything is configured correctly and you also see the dACL applied in switch, need to look at the detail debug logs to check if anything is missing. Please work with TAC to debug this. 

 

Thanks,

Nidhi

Nidhi
Cisco Employee
Cisco Employee

The live logs and live sessions should show the compliant policy hit. 

If everything is configured correctly and you also see the dACL applied in switch, need to look at the detail debug logs to check if anything is missing. Please work with TAC to debug this. 

 

Thanks,

Nidhi

thomas
Cisco Employee
Cisco Employee

Try following this guide and see if you missed any steps:

Hi Nidhi/Thomas,

 

Thank you for your help. Worked with TAC and the behavior is expected.

All the attributes are sent in CoA itself, so final compliant policy is not seen.

 

Thanks again!!