I have Cisco ISE 18.104.22.168 configured with a DACL, and the policy is configured to check that the VPN user is associated with a particular group and to authorize via the DACL. I had to change this DACL because access to new devices was required and old devices needed to be removed. The user was able to connect but couldn't access the new devices. When I checked the ACL on the ASA, it was showing the old DACL entries, which were not updated. Even if I duplicate the authorization policy and give it preference, it still matches the old authorization policy within the AnyConnect VPN policy set in ISE.
I have rebooted ISE but still get the same result.
ISE version 22.214.171.124 (Base, Apex and Plus licenses are valid, Device Admin license expired)
Cisco Adaptive Security Appliance Software Version 9.12(3)12 <context>
SSP Operating System Version 2.6(1.198)
Device Manager Version 7.14(1)
ISE logs show that it is matching the correct policy set and authorization policy. I have updated the old DACL with new rules, and I also tested by creating a new DACL and pointing the authorization profile to that DACL, but when I use show access-list to see the DACL, it still shows the old DACL with the old entries.
I did debug radius and I can see that an old ACL which doesn't exist on ISE is being downloaded by the ASA:
Got AV-Pair with value ip:inacl#1=permit ip any host 172.19.x.x
Got AV-Pair with value ip:inacl#2=permit ip any host 172.19.x.y
Got AV-Pair with value ip:inacl#3=permit ip any host 172.19.x.z
And the following DACL name confirms that it is matching the correct DACL:
Dynamic ACL "#ACSACL#-IP-3rd_Contractors_DACL-5e7d78f5" was given acl id 35
Not sure why the ASA is downloading updated DACL entries.
Auth Profile Name: 3rd_Contractors_AUTH
DACL Name: 3rd_Contractors_DACL
ASA VPN: 3rdContractors (this matches the group policy name on the ASA)
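As an added example (not part of the post above), a small parser for the `debug radius` lines quoted in the question: it pulls out the DACL name, its version suffix and the numbered ACEs the ASA actually received, then diffs them against the ACE list the administrator expects from ISE so stale or missing entries stand out. The sample debug text is constructed from the post (addresses anonymised as there), and the expected ACE list is an assumed value.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of the ASA "debug radius" output quoted in the post.
DEBUG_OUTPUT = """\
Got AV-Pair with value ip:inacl#1=permit ip any host 172.19.x.x
Got AV-Pair with value ip:inacl#2=permit ip any host 172.19.x.y
Got AV-Pair with value ip:inacl#3=permit ip any host 172.19.x.z
Dynamic ACL "#ACSACL#-IP-3rd_Contractors_DACL-5e7d78f5" was given acl id 35
"""

# ACEs the administrator expects after editing the DACL in ISE (assumed values).
EXPECTED_ACES = [
    "permit ip any host 172.19.x.x",
    "permit ip any host 172.19.y.y",
]

AV_PAIR_RE = re.compile(r"ip:inacl#(\d+)=(.+)$")
DACL_RE = re.compile(r'Dynamic ACL "#ACSACL#-IP-(?P<name>.+)-(?P<ver>[0-9a-f]+)"')


@dataclass
class DownloadedDacl:
    name: str = ""
    version: str = ""
    aces: dict = field(default_factory=dict)  # sequence number -> ACE text


def parse_debug_radius(text):
    """Extract DACL name, version suffix and numbered ACEs from debug radius output."""
    dacl = DownloadedDacl()
    for line in text.splitlines():
        if m := AV_PAIR_RE.search(line):
            dacl.aces[int(m.group(1))] = m.group(2).strip()
        elif m := DACL_RE.search(line):
            dacl.name, dacl.version = m.group("name"), m.group("ver")
    return dacl


def diff_aces(downloaded, expected):
    """ACEs the ASA received that should be gone, and expected ACEs it never received."""
    got, want = set(downloaded.aces.values()), set(expected)
    return {"stale": sorted(got - want), "missing": sorted(want - got)}


if __name__ == "__main__":
    d = parse_debug_radius(DEBUG_OUTPUT)
    print(f"DACL {d.name} version {d.version}: {len(d.aces)} ACEs received")
    for kind, aces in diff_aces(d, EXPECTED_ACES).items():
        print(kind, aces)
```

Running this over two debug captures, one before and one after the DACL edit in ISE, also lets you compare the version suffix directly: if it is unchanged while ISE shows the edited content, the ASA is still being handed the earlier DACL version.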