Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2699
Views
5
Helpful
4
Replies

DACL on vASA is not updated when changed on ISE

nareh84
Level 3
Level 3

‎08-07-2020 07:26 AM

hi

 

 

I have Cisco ISE 2.6.0.156 configured with DACL and policy is configured to check vpn user associated with particular group and authorize via DACL. I had to change this DACL because access to new devices were required and old devices needs to be removed. the user was able to connect but couldn't access new devices. when i checked ACL on ASA, it was showing old DACL entries and are not update.even if i duplicate authorization policy and give it preference, it still matches old authorization policy within anyconnect vpn policy set in ISE.

 

I have rebooted ise but still the same result.

 

ISE version 2.6.0.156 (Base, Apex and Plus licenses are valid, Device Admin license expired)

 

vASA

Cisco Adaptive Security Appliance Software Version 9.12(3)12 <context>
SSP Operating System Version 2.6(1.198)
Device Manager Version 7.14(1)

0 Helpful
4 Replies 4

Mohammed al Baqari
Level 11
Level 11

‎08-07-2020 10:28 AM

Hi,

Check in radius live logs and confirm that you are matching the right
problem with right dacl. If so, then ensure that dacl is downloaded to asa
using debug radius
0 Helpful

nareh84
Level 3
Level 3
In response to Mohammed al Baqari

‎08-07-2020 06:49 PM

hi,

 

 

ISE logs show that its matching correct policy and authorization policy. I have updated old DACL with new rules, I also tested by creating new DACL and pointing authorization profile to that DACL but when i use show access-list to see the DACL, it still shows old DACL with old entries.

0 Helpful

nareh84
Level 3
Level 3
In response to nareh84

‎08-24-2020 01:38 AM

hi

 

 

i did debug radius and i can see old acl which doesn't exist on ISE is being downloaded by ASA.

 

Got AV-Pair with value ip:inacl#1=permit ip any host 172.19.x.x

Got AV-Pair with value ip:inacl#2=permit ip any host 172.19.x.y

Got AV-Pair with value ip:inacl#3=permit ip any host 172.19.x.z

 

and following DACL name confirms that its matching correct DACL

 

Dynamic ACL "#ACSACL#-IP-3rd_Contractors_DACL-5e7d78f5" was given acl id 35

 

not sure why ASA is downloading updated DACL entries.

 

Auth Profile Name: 3rd_Contractors_AUTH

DACL Name: 3rd_Contractors_DACL

ASA VPN: 3rdContractors (this match group policy name in ASA)

 

0 Helpful

nareh84
Level 3
Level 3
In response to nareh84

‎10-16-2020 10:55 PM

issue is resovled. there was synch issue between ise01 and ise02 

Customers Also Viewed These Support Documents