Showing results for 
Search instead for 
Did you mean: 

Endpoint certificate validation on ISE for Anyconnect Clients prior to Posturing

Hi Cisco Community, 


I have set up posturing on our ISE servers for Anyconnect clients. This is working fine but an additional requirement is for ISE to scan the endpoint machine for a specific certificate located within the Trusted Root Certificate Authorities based on Issuer Common Name, Serial Number and expiry date of the certificate. When adding this to the Authorization Policy (above the Compliant and Non-Compliant policies), I get the below error message and Anyconnect immediately ends the VPN session:


"The secure gateway has terminated the VPN Connection. The following message was received from the secure gateway: Internal Error"


I am running version 2.4.0357 patch level 7 on the ISE servers and our FirePower 2130's are running an ASA code of 9.9(1). I have the same trusted Root CA installed on the VPN head end Firewall. We would like a scan to be performed on the endpoint machine to first validate that the certificate does indeed exist and if so, proceed to posture the machine. 


Any assistance will be greatly appreciated.

Thank you.

1 Reply 1

Cisco Employee
Cisco Employee

The certificate conditions in ISE authorization policy rules are for certificate-based authentication. As you are using AnyConnect for remote access VPN, it will not be certificate-based authentication to ISE. That is likely the reason for the internal error.

Please open a Cisco TAC case, if you need dig on this further.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers