Participant

DACL on vASA is not updated when changed on ISE

hi

I have Cisco ISE 2.6.0.156 configured with a DACL, and the policy is configured to check that the VPN user is associated with a particular group and to authorize via the DACL. I had to change this DACL because access to new devices was required and old devices needed to be removed. The user was able to connect but couldn't access the new devices. When I checked the ACL on the ASA, it was showing the old DACL entries and they are not updated. Even if I duplicate the authorization policy and give it preference, it still matches the old authorization policy within the AnyConnect VPN policy set in ISE.

I have rebooted ISE but still get the same result.

ISE version 2.6.0.156 (Base, Apex and Plus licenses are valid, Device Admin license expired)

vASA

Cisco Adaptive Security Appliance Software Version 9.12(3)12 <context>
SSP Operating System Version 2.6(1.198)
Device Manager Version 7.14(1)

VIP Advisor

Hi,

Check in the RADIUS live logs and confirm that you are matching the right problem with the right DACL. If so, then ensure that the DACL is downloaded to the ASA using debug radius.

hi,

The ISE logs show that it's matching the correct policy and authorization policy. I have updated the old DACL with new rules. I also tested by creating a new DACL and pointing the authorization profile to that DACL, but when I use show access-list to see the DACL, it still shows the old DACL with the old entries.


hi

I did debug radius and I can see that the old ACL, which doesn't exist on ISE, is being downloaded by the ASA.

Got AV-Pair with value ip:inacl#1=permit ip any host 172.19.x.x
Got AV-Pair with value ip:inacl#2=permit ip any host 172.19.x.y
Got AV-Pair with value ip:inacl#3=permit ip any host 172.19.x.z

And the following DACL name confirms that it's matching the correct DACL:

Dynamic ACL "#ACSACL#-IP-3rd_Contractors_DACL-5e7d78f5" was given acl id 35

Not sure why the ASA is downloading updated DACL entries.

Auth Profile Name: 3rd_Contractors_AUTH
DACL Name: 3rd_Contractors_DACL
ASA VPN: 3rdContractors (this matches the group policy name in the ASA)
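Added example (not from the thread or from Cisco): a small Python check that parses debug radius lines of the form quoted above, pulls out the DACL name, its version token and the numbered ip:inacl# entries the ASA actually received, and diffs them against the ACEs configured on ISE, so a stale DACL like the one described here shows up as missing and leftover entries. It assumes only the two line formats shown in the post; the sample lines and 172.19.0.x addresses are constructed placeholders.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the "debug radius" lines quoted in the thread
# (the 172.19.0.x addresses are placeholders, not real hosts).
SAMPLE_DEBUG = """\
Got AV-Pair with value ip:inacl#1=permit ip any host 172.19.0.10
Got AV-Pair with value ip:inacl#2=permit ip any host 172.19.0.11
Got AV-Pair with value ip:inacl#3=permit ip any host 172.19.0.12
Dynamic ACL "#ACSACL#-IP-3rd_Contractors_DACL-5e7d78f5" was given acl id 35
"""

# ISE delivers a DACL as numbered ip:inacl#N= AV-pairs and names it
# #ACSACL#-IP-<dacl name>-<8 hex version token>; the token changes when the
# DACL content is revised on ISE, so it identifies which copy the ASA holds.
AVPAIR_RE = re.compile(r"ip:inacl#(\d+)=(.+)$")
ACSACL_RE = re.compile(r'"#ACSACL#-IP-(?P<name>.+)-(?P<ver>[0-9a-f]{8})"')


@dataclass
class DownloadedDacl:
    name: str = ""
    version: str = ""
    aces: dict = field(default_factory=dict)  # sequence number -> ACE text


def parse_debug_radius(text: str) -> DownloadedDacl:
    """Extract the DACL name, version token and ACEs from debug radius output."""
    dacl = DownloadedDacl()
    for line in text.splitlines():
        m = AVPAIR_RE.search(line)
        if m:
            dacl.aces[int(m.group(1))] = m.group(2).strip()
            continue
        m = ACSACL_RE.search(line)
        if m:
            dacl.name, dacl.version = m.group("name"), m.group("ver")
    return dacl


def diff_against_ise(dacl: DownloadedDacl, expected_aces) -> dict:
    """Compare what the ASA received with the ACEs configured on ISE.
    A non-empty 'missing' or 'stale' list means the ASA is using an old copy."""
    got, want = set(dacl.aces.values()), set(expected_aces)
    return {"missing": sorted(want - got), "stale": sorted(got - want)}


if __name__ == "__main__":
    parsed = parse_debug_radius(SAMPLE_DEBUG)
    print(parsed.name, parsed.version, diff_against_ise(parsed, [
        "permit ip any host 172.19.0.10", "permit ip any host 172.19.0.99"]))
```

Paste the real debug radius output in place of the sample and the ISE-side ACE list in place of the expected list; an unchanged version token across a DACL edit is the same symptom the thread describes.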

 


Issue is resolved. There was a sync issue between ise01 and ise02.
