02-18-2019 03:43 AM
Hi,
Posture on AnyConnect is not working OK.
The client is stuck in pending status and after a long time switches to compliant status.
The problem is solved when the client connects to Wi-Fi; in that case the client downloads all files and after that VPN with posture works as expected.
But I need the client to be able to connect to VPN normally and use posture without connecting to Wi-Fi.
The problem is solved by copying ISEPostureCFG.xml to the location C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\ISE.
The new problem that shows up is that Win10 and Win7 delete ISEPostureCFG.xml after some time, and posture on AnyConnect VPN is not working again.
Has someone had the same issue?
Kind Regards,
VZ
02-18-2019 05:43 AM
Having to prepopulate your ISEPostureCFG.xml to get things to work means posture discovery isn't working on VPN. If everything is set up correctly, the client should be able to have a fresh install of the AnyConnect Posture Module with no ISEPostureCFG.xml and still be able to posture.
How do you have your posture discovery set up? I usually use the redirect to enroll.cisco.com trick:
access-list POSTURE-REDIRECT extended permit ip any host 72.163.1.80
access-list POSTURE-REDIRECT extended deny ip any any
Apply that ACL in the VPN unknown state as a redirect ACL to the client provisioning portal. If the redirection is working, the client (as a test) should be able to surf to http://enroll.cisco.com and get the client provisioning portal. If this works, the ISE posture module will discover the correct PSN to report posture to even without the config XML file.
Read more posture discovery here:
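The "surf to http://enroll.cisco.com" test above can be scripted on the VPN client so a helpdesk can verify the redirect ACL without a browser. This is an added example, not code from the thread or from Cisco; it assumes the ASA answers the intercepted HTTP request with an HTTP redirect to the ISE client provisioning portal on TCP 8443 (the port the DACL in this thread allows), and the PSN hostnames (`ise-psn1.example.com`) are placeholders.

```python
"""Check the enroll.cisco.com posture-discovery redirect from a VPN client."""
from http.client import HTTPConnection
from urllib.parse import urlsplit

DISCOVERY_HOST = "enroll.cisco.com"  # discovery target used by the redirect ACL
PORTAL_PORT = 8443                   # ISE client provisioning portal port (assumed)


def classify_redirect(status, location, psn_hosts):
    """Return (ok, reason) for one response to GET http://enroll.cisco.com/.

    ok is True only when the request was redirected (by the ASA redirect ACL)
    to an expected ISE PSN on the portal port; anything else explains which
    part of the discovery path is broken.
    """
    if status not in (301, 302, 303, 307):
        return False, f"no redirect (HTTP {status}): redirect ACL not matching or traffic not in tunnel"
    if not location:
        return False, "redirect without a Location header"
    u = urlsplit(location)
    if u.scheme != "https":
        return False, f"redirect to non-HTTPS URL {location}"
    if u.hostname not in psn_hosts:
        return False, f"redirect to unexpected host {u.hostname}"
    port = u.port or 443
    if port != PORTAL_PORT:
        return False, f"redirect to port {port}, expected {PORTAL_PORT}"
    return True, f"redirected to client provisioning portal on {u.hostname}:{port}"


def probe(psn_hosts, timeout=5):
    """Live check: fetch http://enroll.cisco.com/ without following redirects."""
    conn = HTTPConnection(DISCOVERY_HOST, 80, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": DISCOVERY_HOST})
        resp = conn.getresponse()
        return classify_redirect(resp.status, resp.getheader("Location"), psn_hosts)
    except OSError as exc:
        # No TCP path at all: typical when split tunneling excludes 72.163.1.80
        return False, f"could not reach {DISCOVERY_HOST}: {exc} (check split-tunnel list / DACL)"
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    # Pass your PSN FQDNs as arguments; the default is a placeholder.
    ok, why = probe(set(sys.argv[1:]) or {"ise-psn1.example.com"})
    print(("OK: " if ok else "FAIL: ") + why)
```

Run it on a client in the VPN unknown/posture-pending state; a FAIL with "no redirect" while the DACL allows TCP 8443 points at the redirect ACL, and a connection error points at split tunneling.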
02-18-2019 06:04 AM
On ASA I use an ACL for redirect.
02-18-2019 06:08 AM
If you are doing split-tunneling you have to make sure traffic to the enroll.cisco.com IP is sent across the VPN. If the client pulls up http://enroll.cisco.com, do they get the client provisioning portal? If you aren't using the client provisioning portal to install the AnyConnect Posture module, I wouldn't redirect all web traffic to the portal. Doing so causes confusion and the client might try to reinstall AnyConnect for no reason. You can use the DACL to limit access, but the only thing you need in your redirect ACL is the enroll.cisco.com IP.
02-18-2019 06:22 AM
Hi,
I'm not using the portal to install the AnyConnect Posture module. I install the modules manually.
So what ports should I redirect instead of www and/or 8443 in the redirect ACL on ASA?
My DACL looks like this:
permit udp any eq bootpc any eq bootps
permit udp any any eq 53
permit tcp any host <primary_ISE_IP> eq 8905
permit udp any host <primary_ISE_IP> eq 8905
permit tcp any host <primary_ISE_IP> eq 8909
permit udp any host <primary_ISE_IP> eq 8909
permit tcp any host <secondary_ISE_IP> eq 8905
permit udp any host <secondary_ISE_IP> eq 8905
permit tcp any host <secondary_ISE_IP> eq 8909
permit udp any host <secondary_ISE_IP> eq 8909
permit tcp any host <primary_ISE_IP> eq 8443
permit tcp any host <secondary_ISE_IP> eq 8443
permit tcp any host 72.163.1.80
deny ip any any
02-18-2019 06:30 AM
02-18-2019 07:36 AM
OK Thanks,
Just one last.
Which version of AnyConnect Compliance Module do you use?
Until yesterday I was using version 4.3.405.2048 and saw that for no reason the compliance module disappeared from Windows.
(like someone uninstalled it)
Now I changed to the new version 4.3.484.6144 and I will see if there is some change.