Connection Data.xml- VPN Posture

Hi Experts,

We have remote access VPN configured on ASA, authenticated by ISE with posture enabled. We have a DC1 ASA which is never connected to the DC2 ISE node, and we'll be testing the failover connectivity. In the posture profile, we have server rules configured to * (wildcard), the discovery host (DH) is set to an SMTP server and the call home list is empty.

1. As AnyConnect will look in ConnectionData.xml for the previously connected PSNs, will the client try to discover the new PSN and update ConnectionData.xml with the current posture profile after a successful URL redirection?

2. Should the call home list be populated with the ISE PSN node for this to work, or would just the server rules/DH suffice?

Can someone please assist?

6 Replies
Marcelo Morais
Advocate

Hi @Srinivasan Nagarajan 

The ConnectionData.xml has the history of posture servers from earliest to latest !!!

To really understand the use of the Call Home List, you need to look at the posture flow before and after Cisco ISE 2.2 ... please take a look at ISE Posture Style Comparison for Pre and Post 2.2 !!!

Hope this helps !!!

Thanks Marcelo. I believe the call home list should be added with the list of PSN FQDNs and the CPP port (8443).

We have ASA and ISE in the primary and secondary DC, each authenticated by its respective designated ISE nodes. As the call home list will probe the ISE nodes in the order we enter them, we need the secondary DC PSN to be probed first, followed by the primary DC ISE VPN, if users are connected on the DC2 VPN. My queries are:

1. How do we populate the call home list in this scenario?

2. And does it need to be configured 'mandatorily' (under the posture profile) for the clients to discover ISE during a forceful failover (done from the NAD)?

Hi @Srinivasan Nagarajan 

1. Call Home List

for DC2: <DC2 PSN IP Addr>, <DC1 PSN IP Addr>
for DC1: <DC1 PSN IP Addr>, <DC2 PSN IP Addr>

2. I don't know if I fully understood your question (sorry for that), but remember that the Call Home List is the 1st probe of Step 14 (there are 3 probes on step 13 and 2 probes on step 14):

Step 12. In ISE 2.2, the posture process is divided into two stages. The first stage contains a set of traditional posture discovery probes to support backward compatibility with deployments which rely on URL redirect.
Step 13. The first stage contains all traditional posture discovery probes. To get more details about the probes please review Step 20 in the Pre ISE 2.2 posture flow.
Step 14. Stage two contains two discovery probes which allow the AC ISE posture module to establish a connection to the PSN where the session is authenticated, in environments where redirection is not supported. During stage two all probes are sequential.

In other words .... the Call Home List is not a mandatory configuration.

Hope this helps

Thanks Marcelo for the reply.

AFAIK, we can configure the call home list in order with the list of PSNs under the posture profile, which will be referenced in the AC configuration. I'm not sure if we'll be able to create a call home list based on separate DC conditions.

Quick one: when we migrated ISE from 2.2 to 2.6 (re-imaging), different IP addresses were assigned to the PAN/PSNs. At that time, we manually updated the AnyConnect local policy (XML) with the new PSNs' IPs. I've seen Internet resources which specify that this is not pushed by the ASA; this is something configured manually to prevent getting updates from any rogue server.

Any idea on how to configure it?

Hi @Srinivasan Nagarajan 

About your first question ... you are able to create a Call Home List based on separate DC conditions via (for ex.):

Work Center > Posture > Client Provisioning > Client Provisioning Policy
Rule Name: DC1-Rule > Other Conditions: Device:Location == Locations#DC1 > Results: <your AnyConnect Config that has your ISE Posture Profile for the DC1>
Rule Name: DC2-Rule > Other Conditions: Device:Location == Locations#DC2 > Results: <your AnyConnect Config that has your ISE Posture Profile for the DC2>

About your second question ... if my understanding is correct, you installed ISE 2.6 from scratch, and at a particular point you had two ISE cubes (version 2.2 and version 2.6 ... different IP addresses of course), am I correct?

When you said "...we've manually updated the Anyconnect local policy (XML) with the new PSN's IP...", are you talking about the ISEPostureCFG.xml file located on the endpoint?

Hope this helps !!!

The file edited was AnyConnectLocalPolicy.xml, which is located at C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client

ConnectionData.xml will be dynamically updated after the URL redirection to the new PSN, but I'm not sure why we should update AnyConnectLocalPolicy.xml under the Authorized Server List?
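An added example, not from any poster in this thread, for the re-image situation discussed above: it audits the Authorized Server List in an AnyConnectLocalPolicy.xml against the new PSN addresses, so an endpoint that still lists only the old 2.2 PSNs is caught before failover testing. The element names (UpdatePolicy, AllowISEProfileUpdatesFromAnyServer, AuthorizedServerList, ServerName) are assumed from the local policy file format, the sample file and addresses are constructed, and the interpretation that a restricted client refuses ISE profile updates from an unlisted server is my understanding, so verify against the file on your own endpoint.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an AnyConnectLocalPolicy.xml after the ISE re-image:
# one old PSN address is still authorized, neither new PSN address is.
# Element names are assumed from the local policy format; verify against
# the real file under C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client.
SAMPLE_LOCAL_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectLocalPolicy xmlns="http://schemas.xmlsoap.org/encoding/" acversion="4.8">
  <UpdatePolicy>
    <AllowSoftwareUpdatesFromAnyServer>false</AllowSoftwareUpdatesFromAnyServer>
    <AllowISEProfileUpdatesFromAnyServer>false</AllowISEProfileUpdatesFromAnyServer>
    <AuthorizedServerList>
      <ServerName>vpn-dc1.example.test</ServerName>
      <ServerName>10.0.22.10</ServerName>
    </AuthorizedServerList>
  </UpdatePolicy>
</AnyConnectLocalPolicy>
"""


def _local(tag):
    """Strip the XML namespace so lookups do not depend on the file's xmlns."""
    return tag.rsplit('}', 1)[-1]


def audit_local_policy(xml_text, expected_psns):
    """Report whether ISE profile updates are restricted to the authorized list
    and which expected PSN addresses are missing from that list."""
    root = ET.fromstring(xml_text)
    flags = {}
    authorized = []
    for el in root.iter():
        name = _local(el.tag)
        if name.startswith('Allow') and name.endswith('FromAnyServer'):
            flags[name] = (el.text or '').strip().lower() == 'true'
        elif name == 'ServerName':
            authorized.append((el.text or '').strip())
    # Missing flag is treated as "updates allowed from any server" (assumption).
    ise_restricted = flags.get('AllowISEProfileUpdatesFromAnyServer', True) is False
    missing = [p for p in expected_psns if p not in authorized]
    return {
        'ise_updates_restricted': ise_restricted,
        'authorized': authorized,
        'missing': missing,
        # A PSN missing from the list while updates are restricted is expected
        # to have its posture profile (and call home list) rejected by the client.
        'blocked_psns': missing if ise_restricted else [],
    }


if __name__ == '__main__':
    NEW_PSNS = ['10.0.11.20', '10.0.22.20']  # constructed post-re-image PSN addresses
    print(audit_local_policy(SAMPLE_LOCAL_POLICY, NEW_PSNS))
```

Run it against the endpoint's real file with the PSN FQDNs or IPs from your posture profile; any entry under blocked_psns is one the client will not accept profile updates from until the list is corrected.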
