592 Views | 1 Helpful | 3 Replies

Corrupted dACLs received from ISE

jpl861 (Level 4)

We have multiple RAVPN firewalls worldwide, including ISE per region. Our admin node is in our EU data center, and we have policy nodes per region. All our RAVPN firewalls have the same configuration, but we’re having a weird issue. The dACLs we’re getting from ISE are all messed up. This is only happening in one region. We can see that the dACLs downloaded from ISE don’t even have a permit statement, and sometimes there are thousands of remark statements. We only have about 150 lines being pushed from ISE to ASA, but sometimes the dACL reaches 10,000 lines! Also, the main problem is when the dACLs don’t even have a permit statement, so the user can connect but can’t access anything. But if the user tries to connect to another region, it works just fine. Cisco TAC couldn’t help us out and couldn’t even find the problem. Has anyone else experienced this? Thanks a bunch!

Accepted Solution

jpl861 (Level 4)

Just for anyone who wants to know what the problem was: it was due to the fact that the ISE PSNs are behind a load-balancer. The load-balancer performed round-robin between the backend PSNs, which is why the dACL download kept restarting from the beginning. It was a broken persistency classification on the load-balancer side, which we have already fixed.

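To make the failure mode above concrete, here is a small constructed model (added here, not code from the thread or from Cisco): it assumes ISE returns a large dACL in chunks, each Access-Challenge carrying a State token that the NAD echoes in its next Access-Request, and that a PSN which does not recognise a State token starts the download again from the first chunk. The PSN names, the sample dACL and the chunk size are all constructed; `check_dacl` shows the two symptoms from the thread a defender can alert on.

```python
"""Chunked RADIUS dACL download through a load balancer (constructed model)."""

CHUNK = 3  # ACEs per Access-Challenge; constructed, small for readability

# Constructed sample dACL shaped like the thread's: remarks first, permits last.
DACL = [f"remark section {i}" for i in range(6)] + [
    "permit ip any host 10.0.0.1", "permit tcp any any eq 443"]


class PSN:
    """One policy node. It only knows State tokens it issued itself."""

    def __init__(self, name):
        self.name, self.sessions, self.counter = name, {}, 0

    def handle(self, state):
        """Answer one Access-Request; returns (chunk, next State or None)."""
        start = self.sessions.pop(state, 0)  # unknown State: restart at chunk 0
        chunk, end = DACL[start:start + CHUNK], start + CHUNK
        if end >= len(DACL):
            return chunk, None  # Access-Accept: final chunk
        self.counter += 1
        token = f"{self.name}-{self.counter}"
        self.sessions[token] = end
        return chunk, token  # Access-Challenge: NAD must echo this State


def download(psns, sticky, max_rounds=20):
    """Run one download; returns the lines the NAD would install."""
    lines, state, i = [], None, 0
    for _ in range(max_rounds):
        psn = psns[i % len(psns)]
        if not sticky:
            i += 1  # round-robin: the next request may land on another PSN
        chunk, state = psn.handle(state)
        lines.extend(chunk)
        if state is None:
            return lines
    return lines  # never completed: truncated, repetitive dACL


def check_dacl(lines):
    """Flags a defender can alert on in an installed dACL."""
    problems = []
    if not any(line.startswith("permit") for line in lines):
        problems.append("no permit statement")
    if lines and lines.count(lines[0]) > 1:
        problems.append("download restarted (first line repeated)")
    return problems
```

With `sticky=True` the download returns the full 8-line dACL and `check_dacl` reports nothing; with `sticky=False` the two PSNs alternate, every request restarts at chunk 0, and the result is 60 repeated remark lines with no permit statement.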

3 Replies

Hi @jpl861, this post confirms only 64 lines in a DACL are supported: https://community.cisco.com/t5/network-access-control/ise-and-dacl/td-p/2265241 ...that doesn't explain why it works in one region and not the other, though.

If you took a packet capture on the RAVPN firewall side of the RADIUS transaction, does the firewall receive the entire DACL?

Did TAC suggest an alternative to using such large DACLs? A better solution would be to use TrustSec SGT, assign a user an SGT and apply policy on the firewall based on the SGT.


Hello @Rob Ingram, I think this limit has been lifted already and more lines can be applied. We have about three dozen dACLs configured on the ISE depending on the group membership of the user, and almost all of them have more than 150 lines, +/- 10% in terms of difference. It's just random: a specific dACL will have thousands of lines, mostly remark statements, and not a single permit statement appears.
