11-03-2015 01:38 AM - edited 03-10-2019 11:12 PM
Hi,
We have an ISE 1.4 deployment in which we are doing posture assessment for VPN users connecting through ASA version 9.3(3). Users are connecting normally, and authentication and authorization are done successfully; however, when the NAC Agent pops up, the AnyConnect VPN client disconnects and the following message appears:
"
The secure gateway has terminated the VPN connection.
The following message was received from the secure gateway: COA initiated
"
How could we keep the CoA initiation from disconnecting the VPN client?
Appreciate your help,
Best Regards,
Muayad Jallad,
11-03-2015 07:47 AM
Hi,
Just wanted to update that the problem was resolved successfully; it was TACACS command authorization defined on the ASA that was preventing the DACL from being configured on the ASA, which was triggering the AnyConnect VPN termination.
It was resolved after configuring a device administration authorization policy on ACS to give ISE authorization on the ASA.
Best Regards,
Muayad Jallad,
04-27-2016 03:56 AM
Hello Muayad,
May I ask if this has affected all or just one of your AnyConnect users?
I have a similar issue but just on one user.
Any advice is greatly appreciated.
Thank you.
Jem
08-23-2017 01:36 PM
Not using ACS, it's all ISE/RADIUS now in this environment, but the dACL was originally imported from ACS. The dACL that ISE pushes to the ASA for the VPN session needs to use subnet mask format instead of wildcard format for dACL lines that reference networks.
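
A check for the mask-format issue described in the last reply, as an added example that is not part of the thread: it scans dACL lines for address/mask pairs, flags wildcard-format masks and rewrites them in subnet mask format. The function names and the sample dACL are constructed for illustration, and the parsing assumes simple `permit`/`deny` lines with dotted-quad address and mask tokens.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF

def is_quad(token):
    try:
        ipaddress.IPv4Address(token)  # raises on anything but a dotted quad
        return True
    except ValueError:
        return False

def classify_mask(mask):
    """Classify a dotted-quad mask as netmask, wildcard, ambiguous or noncontiguous."""
    value = int(ipaddress.IPv4Address(mask))
    if value in (0, ALL_ONES):
        return "ambiguous"      # means "any" in one format and "host" in the other
    inverted = value ^ ALL_ONES
    if inverted & (inverted + 1) == 0:
        return "netmask"        # ones packed to the left, e.g. 255.255.0.0
    if value & (value + 1) == 0:
        return "wildcard"       # ones packed to the right, e.g. 0.0.255.255
    return "noncontiguous"

def convert_line(line):
    """Return (line with wildcard masks rewritten as subnet masks, review notes)."""
    tokens, notes, i = line.split(), [], 0
    while i < len(tokens) - 1:
        addr, mask = tokens[i], tokens[i + 1]
        after_host = i > 0 and tokens[i - 1] == "host"  # "host a.b.c.d" has no mask
        if is_quad(addr) and is_quad(mask) and not after_host:
            kind = classify_mask(mask)
            if kind == "wildcard":
                fixed = str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ ALL_ONES))
                notes.append(f"{addr}: {mask} -> {fixed}")
                tokens[i + 1] = fixed
            elif kind != "netmask":
                notes.append(f"{addr} {mask}: {kind} mask, review manually")
            i += 2
        else:
            i += 1
    return " ".join(tokens), notes

# Constructed sample dACL, not taken from the thread.
SAMPLE_DACL = """permit ip any 10.10.0.0 0.0.255.255
permit tcp any 192.168.5.0 255.255.255.0 eq 443
permit ip any host 10.1.1.10
deny ip any any"""
if __name__ == "__main__":
    print([convert_line(entry) for entry in SAMPLE_DACL.splitlines()])
```

Masks of `0.0.0.0` and `255.255.255.255` are reported rather than rewritten, because each reads as "any" in one format and as a single host in the other.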