Cisco ISE POSTURE user can't connect

vivarock12
Level 1

I'm having trouble with users that are not able to connect to the network.

I'm seeing the following log in the DART from AnyConnect.

Linea 272: 2023/05/12 10:52:27 [Information] aciseagent Function: SwiftHttpRunner::startNoMntStageDiscovery Thread Id: 0x122C File: c:\temp\build\thehoff\negasonic_mr20.315584294642\negasonic_mr2\posture\ise\libswift\swifthttprunner.cpp Line: 565 Level: debug MSG_NS_INTERFACE_CHANGE, Starting HTTP Discovery.

Linea 286: 2023/05/12 10:52:27 [Information] aciseagent Function: SwiftHttpRunner::collectNoMntTargets Thread Id: 0x122C File: c:\temp\build\thehoff\negasonic_mr20.315584294642\negasonic_mr2\posture\ise\libswift\swifthttprunner.cpp Line: 1136 Level: debug Probing no MNT stage targets (#2): Redirection target 10.249.110.193, Redirection target enroll.cisco.com, .

Linea 341: 2023/05/12 10:52:27 [Information] aciseagent Function: Target::probeDiscoveryUrl Thread Id: 0x9FC File: c:\temp\build\thehoff\negasonic_mr20.315584294642\negasonic_mr2\posture\ise\libnaccommon\target.cpp Line: 250 Level: debug GET request to URL (http://enroll.cisco.com/auth/discovery), returned status -1 <Operation Failed.>.

Linea 349: 2023/05/12 10:52:27 [Information] aciseagent Function: Target::probeDiscoveryUrl Thread Id: 0xB10 File: c:\temp\build\thehoff\negasonic_mr20.315584294642\negasonic_mr2\posture\ise\libnaccommon\target.cpp Line: 250 Level: debug GET request to URL (http://10.249.110.193/auth/discovery), returned status -1 <Operation Failed.>.

Linea 358: 2023/05/12 10:52:27 [Information] aciseagent Function: SwiftHttpRunner::collectMntTargets Thread Id: 0x122C File: c:\temp\build\thehoff\negasonic_mr20.315584294642\negasonic_mr2\posture\ise\libswift\swifthttprunner.cpp Line: 1219 Level: debug Probing MNT stage targets (#1): Ng-Discovery target enroll.cisco.com with path /auth/ng-discovery, .

Linea 594: 2023/05/12 10:52:57 [Information] aciseagent Function: SwiftManager::sendUIStatus Thread Id: 0x122C File: c:\temp\build\thehoff\negasonic_mr20.315584294642\negasonic_mr2\posture\ise\libswift\swiftmanager.cpp Line: 181 Level: debug MSG_SU_STEP_STATUS, {Status:6,Compliant:3,Phase:0,StepNumber:-1,Progress:-1,Attention:0,Cancellable:0,Restartable:0,ErrorMessage:1,Description1:"No policy server detected.",Description2:"Default network access is in effect."}.
Linea 863: 2023/05/12 11:05:58 [Information] aciseagent Function: SwiftManager::SendUIHeadendFQDN Thread Id: 0x122C File: c:\temp\build\thehoff\negasonic_mr20.315584294642\negasonic_mr2\posture\ise\libswift\swiftmanager.cpp Line: 226 Level: debug MSG_SU_STEP_STATUS, {Status:12,Compliant:0,Phase:0,StepNumber:0,Progress:0,Attention:0,Cancellable:0,Restartable:0,ErrorMessage:0,Description1:"",Description2:""}.
Linea 866: 2023/05/12 11:05:58 [Information] aciseagent Function: SwiftManager::sendUIOpswatSDKVersion Thread Id: 0x122C File: c:\temp\build\thehoff\negasonic_mr20.315584294642\negasonic_mr2\posture\ise\libswift\swiftmanager.cpp Line: 212 Level: debug MSG_SU_STEP_STATUS, {Status:13,Compliant:3,Phase:0,StepNumber:-1,Progress:-1,Attention:0,Cancellable:0,Restartable:0,ErrorMessage:0,Description1:"3.6.11550.2",Description2:""}.
Linea 867: 2023/05/12 11:05:58 [Information] aciseagent Function: SwiftManager::sendUIStatus Thread Id: 0x122C File: c:\temp\build\thehoff\negasonic_mr20.315584294642\negasonic_mr2\posture\ise\libswift\swiftmanager.cpp Line: 181 Level: debug MSG_SU_STEP_STATUS, {Status:3,Compliant:3,Phase:0,StepNumber:-1,Progress:-1,Attention:0,Cancellable:0,Restartable:0,ErrorMessage:0,Description1:"Searching for policy server.",Description2:"This could take up to 30 seconds."}.

Does anyone know the meaning of:

Probing no MNT stage targets (#2)

and

Probing MNT stage targets (#1)

I think that the problem is connectivity but wanted to double check.

Also, I'm attaching the complete log in case I'm not putting the important information in the text.

 

5 Replies

Divya Jain
Cisco Employee

Hi
I checked the DART logs and could see the discovery probes to be failing. Hence the issue: 

Time out for Ng-Discovery target enroll.cisco.com with path /auth/ng-discovery. 

debug  unable to send request: 12002. 

Status of Ng-Discovery target enroll.cisco.com with path /auth/ng-discovery is 6 <Not Reachable.>. 


Usually these are because of a connectivity issue. Try to check whether there is any connectivity issue.
Also see if it's 1 user or happening for many users.

If the issue is persistent, then maybe open a TAC case to get a detailed check.







Regards

Divya Jain
 

mzillige
Cisco Employee

Regarding your question on "Probing no MNT stage targets" and "Probing MNT stage targets"

All these signify are stage one and stage two discovery.

Stage one (HTTP redirection discovery) would be Probing no MNT stage targets

Stage two (HTTPS redirection less discovery) would be Probing MNT stage targets

We can discard stage two discovery here as I do not believe you're using it based off this log line in the DART -

2023/05/12 11:41:03 [Information] aciseagent Function: SwiftHttpRunner::collectMntTargets Thread Id: 0x122C File: c:\temp\build\thehoff\negasonic_mr20.315584294642\negasonic_mr2\posture\ise\libswift\swifthttprunner.cpp Line: 1174 Level: trace Call Home list is not set in profile..

For your redirection discovery probes, looks like we're getting the WINHTTP error 12152 (The server response cannot be parsed)

Is this happening to multiple users, or only this one? You may want to open a TAC case for further assistance.
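
The stage mapping given in the reply above can be applied to a DART export mechanically. The following is an added example, not part of the original thread and not Cisco tooling: a Python parser that groups aciseagent discovery lines into stage one and stage two targets and lists the probes that failed. The function names, the shortened sample lines and the rule that a negative status means a failed request are assumptions.

```python
import re

# Constructed sample: aciseagent lines quoted in this thread, with the long
# "File:" build path shortened and the UI status fields abridged.
SAMPLE = """\
Linea 286: 2023/05/12 10:52:27 [Information] aciseagent Function: SwiftHttpRunner::collectNoMntTargets Thread Id: 0x122C File: swifthttprunner.cpp Line: 1136 Level: debug Probing no MNT stage targets (#2): Redirection target 10.249.110.193, Redirection target enroll.cisco.com, .
Linea 341: 2023/05/12 10:52:27 [Information] aciseagent Function: Target::probeDiscoveryUrl Thread Id: 0x9FC File: target.cpp Line: 250 Level: debug GET request to URL (http://enroll.cisco.com/auth/discovery), returned status -1 <Operation Failed.>.
Linea 349: 2023/05/12 10:52:27 [Information] aciseagent Function: Target::probeDiscoveryUrl Thread Id: 0xB10 File: target.cpp Line: 250 Level: debug GET request to URL (http://10.249.110.193/auth/discovery), returned status -1 <Operation Failed.>.
Linea 358: 2023/05/12 10:52:27 [Information] aciseagent Function: SwiftHttpRunner::collectMntTargets Thread Id: 0x122C File: swifthttprunner.cpp Line: 1219 Level: debug Probing MNT stage targets (#1): Ng-Discovery target enroll.cisco.com with path /auth/ng-discovery, .
Linea 594: 2023/05/12 10:52:57 [Information] aciseagent Function: SwiftManager::sendUIStatus Thread Id: 0x122C File: swiftmanager.cpp Line: 181 Level: debug MSG_SU_STEP_STATUS, {Status:6,Compliant:3,ErrorMessage:1,Description1:"No policy server detected.",Description2:"Default network access is in effect."}.
"""

# Optional "Linea N: " prefix (search-tool output), timestamp, then the text after "Level: <lvl> ".
LINE = re.compile(r"^(?:Linea \d+: )?(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) .*?Level: (\w+) (.*)$")
PROBING = re.compile(r"Probing (no MNT|MNT) stage targets \(#(\d+)\): (.*)")
TARGET = re.compile(r"target (\S+?)(?: with path (\S+?))?,")
GET = re.compile(r"GET request to URL \((\S+)\), returned status (-?\d+) <([^>]*)>")
UI = re.compile(r'Description1:"([^"]*)"')

def summarize(text):
    """Group discovery lines: 'no MNT' = stage one, 'MNT' = stage two (per the reply above)."""
    out = {"stage1_targets": [], "stage2_targets": [], "probes": [], "ui": []}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an aciseagent line in the expected layout
        ts, _level, msg = m.groups()
        if p := PROBING.search(msg):
            key = "stage1_targets" if p.group(1) == "no MNT" else "stage2_targets"
            out[key] += [host + path for host, path in TARGET.findall(p.group(3))]
        elif g := GET.search(msg):
            out["probes"].append((ts, g.group(1), int(g.group(2)), g.group(3)))
        elif (u := UI.search(msg)) and u.group(1):
            out["ui"].append((ts, u.group(1)))
    return out

def failed_probes(summary):
    # Assumption: a negative status means the request never completed,
    # as in the "-1 <Operation Failed.>" lines quoted in the thread.
    return [url for _ts, url, status, _reason in summary["probes"] if status < 0]

if __name__ == "__main__":
    s = summarize(SAMPLE)
    print(s["stage1_targets"], s["stage2_targets"], failed_probes(s), s["ui"])
```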

 

 

For multiple users; the problem is I don't have a contract to open a case, so this is the problem. Any other idea?
And thanks for the help, by the way.

Could you share a packet capture when this issue is occurring?

Yes, I agree a packet capture from the endpoint can give more details or insights.


Regards
Divya Jain