I have set up posturing on our ISE servers for Anyconnect clients. This is working fine but an additional requirement is for ISE to scan the endpoint machine for a specific certificate located within the Trusted Root Certificate Authorities based on Issuer Common Name, Serial Number and expiry date of the certificate. When adding this to the Authorization Policy (above the Compliant and Non-Compliant policies), I get the below error message and Anyconnect immediately ends the VPN session:
"The secure gateway has terminated the VPN Connection. The following message was received from the secure gateway: Internal Error"
I am running version 2.4.0357 patch level 7 on the ISE servers and our FirePower 2130's are running an ASA code of 9.9(1). I have the same trusted Root CA installed on the VPN head end Firewall. We would like a scan to be performed on the endpoint machine to first validate that the certificate does indeed exist and if so, proceed to posture the machine.
The certificate conditions in ISE authorization policy rules are for certificate-based authentication. As you are using AnyConnect for remote access VPN, it will not be certificate-based authentication to ISE. That is likely the reason for the internal error.
Please open a Cisco TAC case, if you need dig on this further.