Corrupted dACLs received from ISE

jpl861 (Level 4)

We have multiple RAVPN firewalls worldwide, including ISE per region. Our admin node is in our EU data center, and we have policy nodes per region. All our RAVPN firewalls have the same configuration, but we’re having a weird issue. The dACLs we’re getting from ISE are all messed up. This is only happening in one region. We can see that the dACLs downloaded from ISE don’t even have a permit statement, and sometimes there are thousands of remark statements. We only have about 150 lines being pushed from ISE to ASA, but sometimes the dACL reaches 10,000 lines! Also, the main problem is when the dACLs don’t even have a permit statement, so the user can connect but can’t access anything. But if the user tries to connect to another region, it works just fine. Cisco TAC couldn’t help us out and couldn’t even find the problem. Has anyone else experienced this? Thanks a bunch!

1 Reply

Hi @jpl861, this post confirms only 64 lines in a DACL are supported: https://community.cisco.com/t5/network-access-control/ise-and-dacl/td-p/2265241 ...that doesn't explain why it works in one region and not the other, though.

If you took a packet capture on the RAVPN firewall side of the RADIUS transaction, does the firewall receive the entire DACL?

Did TAC suggest an alternative to using such large DACLs? A better solution would be to use TrustSec SGT, assign a user an SGT and apply policy on the firewall based on the SGT.
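The reply suggests capturing the RADIUS transaction on the RAVPN firewall and checking whether the whole dACL actually arrives. The script below is an added example (not from the original thread, ISE, or Cisco) showing how to pull the dACL out of a RADIUS Access-Accept and check it for the symptoms the question describes: no permit ACE, a flood of remark lines, more than the 64 lines the reply cites, and gaps in the `ip:inacl#N=` sequence numbers that would indicate attributes lost or mangled in transit. It relies on the real Cisco VSA encoding (vendor 9, cisco-av-pair sub-attribute 1, `ip:inacl#N=<ace>`), but the packets it parses are constructed inline; on a real capture you would feed it the UDP payload of the Access-Accept instead.

```python
"""Reassemble and sanity-check the Cisco dACL carried in a RADIUS Access-Accept.
Added example: the RADIUS packets here are constructed test input, not a real capture."""
import re
import struct

RADIUS_ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9        # IANA enterprise number for Cisco
CISCO_AVPAIR = 1           # cisco-av-pair vendor sub-attribute
DACL_LINE_GUIDELINE = 64   # supported dACL size cited in the thread

INACL_RE = re.compile(r"^ip:inacl#(\d+)=(.*)$")


def build_access_accept(avpairs, identifier=1):
    """Build a minimal Access-Accept with one cisco-av-pair VSA per string.
    Constructed test input only: the Response Authenticator is left zeroed."""
    attrs = b""
    for pair in avpairs:
        value = pair.encode()
        sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(value)) + value
        body = struct.pack("!I", CISCO_VENDOR_ID) + sub
        attrs += struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body
    header = struct.pack("!BBH", RADIUS_ACCESS_ACCEPT, identifier, 20 + len(attrs))
    return header + bytes(16) + attrs


def parse_cisco_avpairs(packet):
    """Walk the RADIUS attribute TLVs; return (code, [cisco-av-pair strings])."""
    if len(packet) < 20:
        raise ValueError("short RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS Length field disagrees with packet size")
    pairs, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        value = packet[pos + 2:pos + alen]
        if (atype == ATTR_VENDOR_SPECIFIC and len(value) >= 4
                and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID):
            vpos = 4
            while vpos < len(value):
                vtype, vlen = value[vpos], value[vpos + 1]
                if vlen < 2 or vpos + vlen > len(value):
                    raise ValueError("malformed vendor sub-attribute")
                if vtype == CISCO_AVPAIR:
                    pairs.append(value[vpos + 2:vpos + vlen].decode("ascii", "replace"))
                vpos += vlen
        pos += alen
    return code, pairs


def reassemble_dacl(avpairs):
    """Return {sequence_number: ace} for every ip:inacl#N=<ace> pair."""
    aces = {}
    for pair in avpairs:
        m = INACL_RE.match(pair)
        if m:
            aces[int(m.group(1))] = m.group(2).strip()
    return aces


def check_dacl(aces):
    """Flag the symptoms from the thread: no permit, remark flooding, oversize, sequence gaps."""
    lines = [aces[n] for n in sorted(aces)]
    permits = sum(1 for l in lines if l.startswith("permit"))
    remarks = sum(1 for l in lines if l.startswith("remark"))
    missing = [n for n in range(1, max(aces) + 1) if n not in aces] if aces else []
    findings = []
    if not lines:
        findings.append("no ip:inacl entries in the Access-Accept")
    elif permits == 0:
        findings.append("no permit ACE: session comes up but has no access")
    if len(lines) > DACL_LINE_GUIDELINE:
        findings.append(f"{len(lines)} lines exceeds the {DACL_LINE_GUIDELINE}-line guideline")
    if remarks > len(lines) // 2:
        findings.append(f"{remarks} of {len(lines)} lines are remarks")
    if missing:
        findings.append(f"sequence gaps at {missing}: attributes lost or corrupted in transit")
    return {"line_count": len(lines), "permit_count": permits, "remark_count": remarks,
            "missing_sequences": missing, "findings": findings}


if __name__ == "__main__":
    # Constructed samples: one healthy dACL and one showing the reported corruption.
    healthy = build_access_accept(["ip:inacl#1=remark corp-apps",
                                   "ip:inacl#2=permit tcp any host 10.0.0.5 eq 443",
                                   "ip:inacl#3=deny ip any any"])
    broken = build_access_accept(["ip:inacl#1=remark a", "ip:inacl#2=remark b", "ip:inacl#4=remark c"])
    for name, pkt in (("healthy", healthy), ("broken", broken)):
        code, pairs = parse_cisco_avpairs(pkt)
        print(name, code, check_dacl(reassemble_dacl(pairs)))
```

Run the same checks across captures from the working region and the failing one: if the firewall-side capture already shows the missing permits and the remark flood, the problem is upstream of the ASA (policy node or replication), whereas a healthy capture with a bad applied ACL points at the firewall itself.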