02-19-2018 07:27 PM
Hi All,
Need your helping hands on the following:
Background info:
The ISE 2.1 was deployed in a distributed environment, and the successfully postured PC sessions were kept by the PSNs. However, the PSN was rebooted after the patch was applied and all of the existing sessions were removed, so all of the re-assessment reports being sent to the PSN are dropped by the PSN. Finally, all of the agents (Cisco AnyConnect) show "No policy server".
Workaround:
The disconnected PCs have to reboot or shut/no shut the switch ports to trigger CoA to perform the posture again.
Things to be clarified:
Many thanks,
CH
02-20-2018 09:10 PM
Hi CH,
This is the response I got from the team.
" The node group thing helps only for the sessions still in pending state "
I would suggest reach out to PM to check if this is in the roadmap.
Thanks,
Nidhi
02-19-2018 08:46 PM
You can place PSNs as part of node groups.
So, if a PSN holding the url-redirect session goes down, another PSN of the same node group sends a change of authorization to the NAD, so that the endpoint can restart the session with the new PSN.
For your second query - I do not think this kind of report is achievable today.
Thanks,
Nidhi
02-19-2018 09:39 PM
Hi Nidhi,
Thanks for your reply.
It seems that in our current setup and testing based on ISE 2.1, we observed that a PSN of the same group didn't send CoA to the NAD (Cisco switches here) when the PSN holding the authenticated/postured session was down. In fact we have opened an SR with TAC, who also responded that there is no way to resolve "No policy server" shown on the endpoint without rebooting the PC or shut/no shut of the switch port.
Just wondering if there is anything we have missed or any special configuration on ISE required?
Thanks in advance.
CH
03-02-2018 08:07 PM
Hi Nidhi,
Any recommended workaround applicable to this case? I have reached out to PM and it seems that it's on the roadmap but not committed yet.
Thanks in advance
CH
03-05-2018 05:46 PM
Hi CH,
The only option today is rebooting or re-authenticating the endpoint.
Nidhi
03-05-2018 05:57 PM
Hi Nidhi,
Instead of asking the end users to do so, can we identify those affected users in ISE and then centrally instruct the authentication and posture again?
Many thanks,
CH
03-17-2018 08:47 AM
How about setting a lower RADIUS re-authentication timer, every 8 hours perhaps? If the session is invalid because the PSN is gone, then it will restart on a new PSN.
03-17-2018 01:56 PM
Per Imran, one of the new features in AnyConnect 4.6 will help. Since ISE 2.4 beta is closed, best to wait for FCS to try out both ISE 2.4 and AC 4.6.
03-19-2018 07:51 PM
Hi,
Does it require new feature development in AnyConnect and ISE? Any more details you can share with us?
Many thanks,
CH
03-19-2018 07:59 PM
We discussed it with our engineering team earlier today and found that such PRA use cases are unfortunately still not handled.
Please try what Jason suggested in setting up a periodic re-auth.
03-20-2018 05:23 AM
The next release will not help with this; please reach out to the account team.
I would suggest trying to set RADIUS reauth every 8 hours to kick off a new session. If this scenario were to happen, the session should fail and try a new session to a new PSN.
Otherwise the user will need to manually disconnect and reconnect.
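The periodic re-authentication that Jason recommends in this post and in his earlier one is a switch-side setting, not something ISE pushes by default. The fragment below is an added illustration written for this thread, not configuration from the original posts, Cisco or the poster. It assumes a classic-IOS (pre-IBNS 2.0) access switch and the 8-hour interval suggested above (28800 seconds); interface names and the RADIUS server group name are placeholders.

```text
! Constructed example for one access port. Values are assumptions,
! not taken from the thread; adjust to your own design.
interface GigabitEthernet1/0/1
 description Example 802.1X/MAB access port (placeholder)
 authentication periodic
 ! Fixed local timer: force a fresh RADIUS session every 8 hours so that
 ! a session orphaned by a PSN reboot is re-created on a surviving PSN.
 authentication timer reauthenticate 28800
 ! Alternative: let ISE control the interval per authorization profile
 ! by returning Session-Timeout (RADIUS attribute 27) instead of a fixed
 ! value. Use ONE of the two lines, not both.
 ! authentication timer reauthenticate server

! Load-balance and fail over between PSNs so the re-auth can land on a
! live node when one is rebooting. Group name and addresses are placeholders.
aaa group server radius ISE-PSN-GROUP
 server name ISE-PSN-1
 server name ISE-PSN-2
 load-balance method least-outstanding
 deadtime 10
```

When the "server" variant is used, the matching ISE authorization profile needs "Reauthentication" enabled with a timer of 28800 and "RADIUS-Request" as the maintain-connectivity action, which makes the 8-hour interval policy-driven rather than per-port. Whichever variant is chosen, verify the effect on a test port with `show authentication sessions interface <port> details` and confirm that the session timer counts down and that after expiry the new session shows up on a different PSN's Live Sessions view.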
03-19-2018 08:14 PM
Hi Jason,
Thanks for your reply. Based on our observation, an endpoint successfully authenticated and postured against PSN#1 and does re-assessment every hour. When PSN#1 reboots, the endpoint keeps on sending reporting messages to PSN#1 but doesn't do any failover. As PSN#1 resumes, it simply ignores the reporting messages from the endpoint because no session entry is available on PSN#1; this endpoint is able to connect to the network all the way through but shows "No policy server" in the AnyConnect tray. We have opened a TAC case for this and it's confirmed to be expected behaviour with no workaround.
I just want to seek collective wisdom here to see if there are any good suggestions from the field from those who have also deployed ISE + AnyConnect like this.
Many thanks,
CH
03-20-2018 05:25 AM
Also would suggest contacting our PMs for future enhancements.
People in the field will respond here if they have had a different experience, and they should be seeing these posts if subscribed.