aslam.bajwa
Participant

Cisco ISE VPN posture not working

Hi all,

I have Cisco ISE SSH VPN; the posture scan is not working.

On the AnyConnect posture module it is showing "No Policy Server Detected".

From the endpoint CMD, nslookup to the ISE server FQDN is showing a timeout (screenshot is attached).

3 Replies
Rob Ingram
VIP Mentor

Hi,
If you cannot resolve DNS names, are you pushing down a DACL which could be blocking DNS? Try without applying the DACL to the user session to determine if it is a DACL issue.
Mike.Cifelli
VIP Advocate

More than likely this is a DACL issue as already mentioned. You have options within ISE to statically set the IP in the authz profile that would help eliminate the name resolution issue as a connectivity test. Obviously your restricted area must be able to reach your ISE PSN that will be performing the posture checks. Something else you could try as a quick test is using your hosts file locally if you are running Windows to statically provide DNS. As far as CoA things are concerned for applying different DACLs etc., make sure that UDP port 1700 is not blocked along the path between your NAD and ISE, or for VPN between your ASA and ISE. HTH!


@Mike.Cifelli wrote:
More than likely this is a DACL issue as already mentioned. You have options within ISE to statically set the IP in the authz profile that would help eliminate the name resolution issue as a connectivity test. Obviously your restricted area must be able to reach your ISE PSN that will be performing the posture checks. Something else you could try as a quick test is using your hosts file locally if you are running Windows to statically provide DNS. As far as CoA things are concerned for applying different DACLs etc., make sure that UDP port 1700 is not blocked along the path between your NAD and ISE, or for VPN between your ASA and ISE. HTH!

Yes, and also checked out the https://cs.co/ise-guides

In particular the one titled ISE Posture Prescriptive Deployment Guide.

If still having issues, please work through TAC.
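An endpoint-side check that puts the symptoms discussed in this thread in order (DNS reachability through the tunnel, PSN reachability by IP on the posture ports, and whether a hosts-file override is in place). This is an added example written for the Windows case Mike mentions, not code from the thread or from Cisco; the PSN FQDN and IP are placeholders, and the posture ports (TCP 8443 client provisioning portal, TCP 8905 posture agent) are the standard ISE defaults and are an assumption to confirm against your deployment.

```powershell
# Added example, not from the thread. Replace the placeholders below with your own values.
$PsnFqdn = 'ise-psn.example.com'   # placeholder: ISE PSN FQDN used by the posture module
$PsnIp   = '10.0.0.10'             # placeholder: that PSN's IP address
$Ports   = 8443, 8905              # assumed ISE defaults: client provisioning portal, posture agent

# 1. Can the endpoint reach its DNS servers at all? A DACL that blocks port 53 shows up
#    here as a timeout. Test-NetConnection checks TCP/53; resolvers normally answer on
#    UDP/53 too, so treat a TCP failure as a strong hint rather than proof.
$dnsServers = (Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses }).ServerAddresses | Select-Object -Unique
foreach ($srv in $dnsServers) {
    $ok = Test-NetConnection -ComputerName $srv -Port 53 -InformationLevel Quiet -WarningAction SilentlyContinue
    "DNS server $srv TCP/53 reachable: $ok"
}

# 2. Does the PSN FQDN resolve? -DnsOnly bypasses the hosts file and local cache so a
#    hosts-file override cannot mask a real resolution failure.
try {
    Resolve-DnsName -Name $PsnFqdn -DnsOnly -ErrorAction Stop | Select-Object Name, IPAddress
} catch {
    "Resolution of $PsnFqdn failed: $($_.Exception.Message)"
}

# 3. Is the PSN reachable by IP on the posture ports? This separates a pure DNS problem
#    (resolution fails, ports are open) from a path/DACL problem (ports are blocked too).
foreach ($p in $Ports) {
    $ok = Test-NetConnection -ComputerName $PsnIp -Port $p -InformationLevel Quiet -WarningAction SilentlyContinue
    "PSN $PsnIp TCP/$p reachable: $ok"
}

# 4. Report any hosts-file entry for the PSN so the quick test Mike describes is not left
#    behind once the DACL is corrected.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Select-String -Path $hostsPath -Pattern ([regex]::Escape($PsnFqdn)) |
    ForEach-Object { "hosts-file override present: $($_.Line.Trim())" }
```

If step 1 fails while step 3 succeeds, the DACL applied to the VPN session is the first thing to compare against the permitted destinations, as Rob and Mike suggest.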
