Can postured session resume after PSN reboot?

chunhwon
Cisco Employee

Hi All,

Need your helping hands on the following:

Background info:

ISE 2.1 was deployed in a distributed environment, and the successfully postured PC sessions were held by the PSNs. However, when a PSN was rebooted after applying the patch, all of its existing sessions were removed, and all of the re-assessment reports sent to that PSN were dropped by it. Finally, all of the agents (Cisco AnyConnect) show “No policy server”.

Workaround:

The disconnected PCs have to be rebooted, or the switch ports shut/no shut, to trigger a CoA and perform posture again.

Things to be clarified:

  1. Is it possible for the ISE server to resume the session when the PC sends its re-assessment to ISE’s PSN, without a reboot or CoA on the PC? In fact we have multiple PSNs, but it seems that session-based HA is not available in ISE 2.1; will it be supported in a future release?
  2. Also, is it possible to run a report proactively to find the disconnected PCs that show “No policy server” on the AnyConnect agent? The customer needs to know which PCs/agents ran into this situation after the PSN reboot, for remediation.

Many thanks,
CH


13 Replies

Nidhi
Cisco Employee

You can place PSNs as part of node groups.

So, if a PSN holding the URL-redirect session goes down, another PSN in the same node group sends a Change of Authorization to the NAD, so that the endpoint can restart the session with the new PSN.

For your second query - I do not think this kind of report is achievable today.

Thanks,

Nidhi

Hi Nidhi,

Thanks for your reply.

In our current setup and testing based on ISE 2.1, we observed that the PSN in the same node group didn’t send a CoA to the NAD (Cisco switches here) when the PSN holding the authenticated/postured session was down. In fact we have opened an SR with TAC, who also responded that there is no way to resolve the “No policy server” shown on the endpoint without rebooting the PC or shut/no shut on the switch port.

Just wonder if anything we have missed or special configuration on ISE required?

Thanks in advance.

CH

Hi CH,

This is the response I got from the team.

" The node group thing helps only for the sessions still in pending state "

I would suggest reach out to PM to check if this is in the roadmap.

Thanks,

Nidhi

Hi Nidhi,

Is there any recommended workaround applicable to this case? I have reached out to the PM, and it seems that it’s on the roadmap but not committed yet.

Thanks in advance.

CH

Hi CH,

The only option today is rebooting or re-authenticating the endpoint.

Nidhi

Hi Nidhi,

Instead of asking the end users to do so, can we identify the affected users in ISE and then centrally instruct them to authenticate and posture again?

Many thanks,

CH

How about setting a lower re-authentication radius timer, every 8 hours perhaps? If the session is invalid due to the PSN being gone then it will restart on a new PSN.

Per Imran, one of the new features in AnyConnect 4.6 will help. Since the ISE 2.4 beta is closed, it is best to wait for FCS to try out both ISE 2.4 and AC 4.6.

Hi,

Does it require new feature development in AnyConnect and ISE? Are there any more details you can share with us?

Many thanks,

CH

We discussed it with our engineering team earlier today and found such PRA use cases still not handled unfortunately.

Please try what Jason suggested in setting up a periodic re-auth.

The next release will not help with this; please reach out to your account team.

I would suggest trying RADIUS re-auth every 8 hours to kick off a new session. If this scenario were to happen, the session should fail and a new session should be tried on a new PSN.

Otherwise the user will need to manually disconnect and reconnect.
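A concrete form of the periodic re-authentication workaround suggested in Jason's two replies above, added here as an illustration; it is not taken from the original thread or from any Cisco documentation. It assumes a Catalyst switch using the legacy IOS authentication-manager CLI, an interface name and VLAN chosen for the example, and a hypothetical ISE authorization profile named "Posture_Compliant" that returns an 8-hour Session-Timeout. All names are assumptions.

```text
! Switch side (assumed Catalyst, legacy "authentication" CLI): let the
! port re-authenticate periodically, using the timer ISE returns.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 authentication host-mode multi-auth
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 dot1x pae authenticator
!
! If ISE does not return a timer, fall back to a local 8-hour value
! (28800 s) instead of "server":
!  authentication timer reauthenticate 28800

! ISE side (Policy > Policy Elements > Results > Authorization >
! Authorization Profiles > "Posture_Compliant", a hypothetical profile):
!   Reauthentication: Timer = 28800
!   Maintain Connectivity During Reauthentication = RADIUS-Request
! This is pushed to the switch in the Access-Accept as
!   Session-Timeout = 28800
!   Termination-Action = RADIUS-Request

! Verify on the switch that the timer arrived with the session:
!  show authentication sessions interface GigabitEthernet1/0/1 details
! Expect lines like
!  Session timeout:  28800s (server), Remaining: ...
!  Timeout action:   Reauthenticate
```

This does not recover the orphaned session; it only bounds how long an endpoint can sit in “No policy server”. When the timer expires the switch sends a fresh Access-Request to a reachable PSN in its RADIUS server group (a PSN that is still down is skipped by the switch's dead-server detection; one that has rebooted simply builds a new session), and the new session runs posture again. Choose the interval against how often the customer is willing to tolerate a re-posture event, and keep Termination-Action as RADIUS-Request so the port stays authorized during the re-auth rather than dropping the endpoint.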

Hi Jason,

Thanks for your reply. Based on our observation, an endpoint successfully authenticated and postured against PSN#1 and performed re-assessment every 1 hour. When PSN#1 rebooted, the endpoint kept sending its reporting message to PSN#1 but didn’t do any failover. Once PSN#1 resumed, it simply ignored the reporting message from the endpoint because no session entry was available in PSN#1; this endpoint was able to connect to the network all along but showed “No policy server” in the AnyConnect tray. We have opened a TAC case for this, and it’s confirmed to be expected behaviour with no workaround.

I just want to seek collective wisdom here and see if there are any good suggestions from the field, from those who have also deployed ISE + AnyConnect like this.

Many thanks,

CH

I would also suggest contacting our PMs for future enhancements.

People in the field will respond here if they have a different experience; they should be seeing these posts if subscribed.
