Hi Flavio,

Of course we are using anyconnect, i did not mention what we do as a long history for posturing And of course i know posture is not on the switch My problem is; url redirection is not working if switch management has not any SVI on client network. When we define a SVI on switch config it works.

Thanks,

If that is the case, so is not possible to deploy posture in devices connected to a layer2 switch? only layer3 switch?

Of course not, but defining a client network SVI on the switch as a solution is not acceptable considering security and deployment issues. I have a case and to find a solution I have posted here

I got it @star btsistem . But it does not make sense, that´s I am trying to say.  I am in agreement with you not the other way around.

 The thing is, I saw posture deployed in devices connected in Layer2 switches before and it does not require the switch to have an IP address on the clients network, after all, it was not even possible as it was not a layer3 switch.

 So, when you say " But when we examine the traffic i did not see traffic from switch management SVI to client network. If yes, which ports should be allowed between switch management network and client network ? How can I achieve url redirection issue on wired connections ?"

 It does not make any sense. The layer2 switch, it seems to be your case, you can not see traffic between management interface and clients network because the switch will not share traffic between VLANs.

  The flow here must be.

The client is connected to a layer2 switch with anyconnect.

The ISE send the URL to client via radius authentication process.

The clients  will resolve the URL using the DNS you provide him in the DHCP.

  The clients gets the ISE IP from the DNS

The cilent try to reach the ISE IP address. Here the client must look to its default gateway which must be your layer3 switch (core). The Core must know how to route the packet to the ISE.

Now, if you must add IP address on the Access switch on the client´s network in order to the redirect works, something is wrong with the network.

Hi Flavio,

I think we are not at the same point All our gateways are defined on the firewall. All routes are ok. You mentioned "The ISE send the URL to client via radius authentication process." I think the URL is sent from ISE to the switch. The switch intercept the http session here as described posture flow url I have shared below. Yes i know it is not needed to have l3 sw. Then how it works with a client nw SVI ? What is happening when we create a client nw SVI ? If we have a problem with the network, what is it ?

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210523-ISE-posture-style-comparison-for-pre-and.html

https://community.cisco.com/t5/network-access-control/url-redirect-does-not-working-with-cisco-switches-catalyst-4500e/td-p/2943401

"I think we are not at the same point All our gateways are defined on the firewall."

 Yes, we are. At least, I think I am. And I am here trying to help you, and that´s it.  Whether the gateway is core or firewall does not matter. I dont know your network so mpst of what I say I am supposing.

Then how it works with a client nw SVI ?

that´s a good point.

What is happening when we create a client nw SVI ?

That´s another good point.

If we have a problem with the network, what is it ?

Let´s try to find out.  I will look the link and do some reasearch and hit back here as soon as I have an idea.

Hi @star btsistem 

  It did not take long. I have found this doc that explain your acenario.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/117278-troubleshoot-ise-00.html

I believe you fall in this exactly Scenario 5.

Scenario 5 - Destination Host is in Different VLAN, Exists, and is SVI 10 DOWN

If the switch does not have SVI UP in the same VLAN as the client, it can still perform redirection but only when specific conditions are matched.

The problem for the switch is how to return the response to the client from a different SVI. It is difficult to determine which source MAC address should be used.

The flow is different from when SVI is UP:

1. The client sends a TCP SYN to the host in a different VLAN (192.168.2.20) with a destination MAC address set to a default gateway which is defined on the upstream switch. That packet reaches the redirect ACL, which is shown by debugs.
2. The switch verifies if it has a routing back to the client. Remember that SVI 10 is DOWN.
3. If the switch does not have another SVI that has a routing back to the client, that packet is not intercepted or redirected, even when Enterprise Policy Manager (EPM) logs indicate that ACL is reached. The remote host might return a SYN ACK, but the switch does not have a routing back to the client (VLAN10) and drops the packet. The packet cannot just be switched back (L2), because it reached the redirect ACL.
4. If the switch does have a routing to the client VLAN via a different SVI, it intercepts that packet and performs the redirect as usual. The response with URL-redirect does not go directly to the client, but via a different switch/router based on the routing decision.

Notice the asymmetry here:

• Traffic received from the client is intercepted locally by the switch.
  
  
• The response for that, which includes the HTTP redirect, is sent via the upstream switch based on the routing.
  
  
• This is when typical problems with the firewall might occur, and a TCP bypass is required.
  
  
• Traffic to the ISE, which is not redirected, is symmetrical. Only the redirection itself is asymmetric.

Hi Flavio,

I know you are trying to help and very thank your replies and comments, may be I could not express myself. Thanks for this document. I have read that document before i've written here, and I have focused TCP bypass here. Here I think we need to enable TCP state bypass on firewall with a specific source and destination. And here the source: client nw dest: ISE PSNs right ?

Yes. Because the problem occurs when the ISE initiate the communication, the switch intercept but the Client must finish the communication, then the Firewall will complain.