Cisco ISE VPN Posture not working

aslam.bajwa
Level 3

Hi All,

I have Cisco ISE SSH VPN; the posture scan is not working.

On the AnyConnect Posture module it is showing "No Policy Server Detected".

From the endpoint CMD, nslookup to the ISE server FQDN is showing a timeout (screenshot is attached).

1 Accepted Solution

@Mike.Cifelli wrote:
More than likely this is a DACL issue, as already mentioned. You have options within ISE to statically set the IP in the authz profile, which would help eliminate the name resolution issue as a connectivity test. Obviously your restricted area must be able to reach your ISE PSN that will be performing the posture checks. Something else you could try as a quick test is using your hosts file locally, if you are running Windows, to statically provide DNS. As far as CoA things are concerned, for applying different DACLs etc., make sure that UDP port 1700 is not blocked along the path between your NAD & ISE, or for VPN between your ASA & ISE. HTH!

Yes, and also check out https://cs.co/ise-guides, in particular the one titled ISE Posture Prescriptive Deployment Guide.

If still having issues, please work through TAC.

3 Replies

Hi,
If you cannot resolve DNS names, are you pushing down a DACL which could be blocking DNS? Try without applying the DACL to the user session to determine if it is a DACL issue.

Mike.Cifelli
VIP Alumni
More than likely this is a DACL issue, as already mentioned. You have options within ISE to statically set the IP in the authz profile, which would help eliminate the name resolution issue as a connectivity test. Obviously your restricted area must be able to reach your ISE PSN that will be performing the posture checks. Something else you could try as a quick test is using your hosts file locally, if you are running Windows, to statically provide DNS. As far as CoA things are concerned, for applying different DACLs etc., make sure that UDP port 1700 is not blocked along the path between your NAD & ISE, or for VPN between your ASA & ISE. HTH!
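The DACL problem the two replies above describe, as an added, constructed example that is not from the original thread: a pre-posture DACL that opens the ISE PSN but forgets DNS, beside the corrected one. All IP addresses are placeholders, and the ISE posture ports (8443 and 8905) are assumed standard values.

```text
! Constructed example, not from the thread. Placeholders:
!   10.0.0.53 = internal DNS server
!   10.0.0.10 = ISE PSN performing the posture check
!
! BEFORE: DACL applied to the VPN session during posture.
! DNS is never permitted, so nslookup times out and the
! AnyConnect posture module reports "No Policy Server Detected".
permit tcp any host 10.0.0.10 eq 8443
permit tcp any host 10.0.0.10 eq 8905
permit udp any host 10.0.0.10 eq 8905
deny ip any any

! AFTER: same DACL with DNS to the internal resolver permitted,
! so the PSN FQDN resolves and posture discovery can reach it.
permit udp any host 10.0.0.53 eq domain
permit tcp any host 10.0.0.53 eq domain
permit icmp any host 10.0.0.10
permit tcp any host 10.0.0.10 eq 8443
permit tcp any host 10.0.0.10 eq 8905
permit udp any host 10.0.0.10 eq 8905
deny ip any any

! Note: CoA (UDP 1700) flows between the ASA/NAD and ISE, not
! inside the user session, so this DACL does not control it; it
! must be permitted on the path between the ASA and ISE.
```

Applying the "AFTER" DACL while watching the endpoint's nslookup is the quickest way to confirm the DACL, rather than the PSN, is what was blocking discovery.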
