06-07-2020 04:12 AM - edited 06-07-2020 04:15 AM
Hi All,
I am configuring ISE 2.6 posture with the "acl-redirection-less way". Meaning I am using the "call-home" functionality. I have already configured the ISE part with the minimum required config. And I have specified all my PSN FQDNs in the Call-home field on the endpoint. I do not use the discovery host field.
But it does not work. The Posture module is writing "Searching for Policy servers" and after 30 seconds "No Policy servers are detected".
The output from DART shows "Not Reachable" for enroll.cisco.com. Both ISE PSN and enroll.cisco.com are resolvable and reachable from the client side. The Client Provisioning portal is reachable from the client side. Even though the portal is writing "Unable to detect Anyconnect Posture Agent" after login. Could this be related to the main problem?
What can cause this problem?
The output from DART shows
\negasonic_mr30.297045120452\negasonic_mr3\posture\ise\libnaccommon\httpconnection.cpp Line: 814 Level: debug Failed to retrieve http header X-ISE-PDP-WITH-SESSION.
2020/06/05 13:01:53 [Error] aciseagent Function: Target::parsePostureStatusResponse Thread Id: 0x4B44 File: c:\temp\build\thehoff\negasonic_mr30.297045120452\negasonic_mr3\posture\ise\libnaccommon\target.cpp Line: 328 Level: error Headend is empty. Possibly, content is not in the form 'X-ISE-PDP'..
2020/06/05 13:01:53 [Information] aciseagent Function: Target::Probe Thread Id: 0x4B44 File: c:\temp\build\thehoff\negasonic_mr30.297045120452\negasonic_mr3\posture\ise\libnaccommon\target.cpp Line: 201 Level: debug Status of Ng-Discovery target ise.acmecorp.net with path /auth/ng-discovery is 5 <Invalid server.>.
2020/06/05 15:21:07 [Information] aciseagent Function: Target::Probe Thread Id: 0x30B8 File: c:\temp\build\thehoff\negasonic_mr30.297045120452\negasonic_mr3\posture\ise\libnaccommon\target.cpp Line: 201 Level: debug Status of Redirection target gwip is 6 <Not Reachable.>.
2020/06/05 15:21:07 [Information] aciseagent Function: Target::Probe Thread Id: 0x1AC8 File: c:\temp\build\thehoff\negasonic_mr30.297045120452\negasonic_mr3\posture\ise\libnaccommon\target.cpp Line: 201 Level: debug Status of Redirection target enroll.cisco.com is 6 <Not Reachable.>.
2020/06/05 15:21:15 [Information] aciseagent Function: Target::Probe Thread Id: 0x8E0 File: c:\temp\build\thehoff\negasonic_mr30.297045120452\negasonic_mr3\posture\ise\libnaccommon\target.cpp Line: 201 Level: debug Status of Ng-Discovery target enroll.cisco.com with path /auth/ng-discovery is 6 <Not Reachable.>.
06-12-2020 03:46 PM
Since you're still having problems I suggest you call TAC to sort out these issues.
06-13-2020 10:48 AM
I solved the problem by specifying PSN FQDNs instead of IP addresses.
06-07-2020 04:45 AM
06-07-2020 04:57 AM
Hi,
Yes, I see probes to the FQDNs which are defined under Call-home. The port is the same as defined on the CPP. I have installed the Posture module manually; the same goes for the ISEPostureCFG.xml file, which is also manually deployed and not via ISE (for testing purposes).
See below:
2020/06/05 14:04:46 [Information] aciseagent Function: SwiftHttpRunner::probeNextMntTarget Thread Id: 0x368C File: c:\temp\build\thehoff\negasonic_mr30.297045120452\negasonic_mr3\posture\ise\libswift\swifthttprunner.cpp Line: 1456 Level: debug Probing Mnt stage Ng-Discovery target ise.acmecorp.net with path /auth/ng-discovery.
2020/06/05 14:04:44 [Information] aciseagent Function: Target::fetchPostureStatus Thread Id: 0x2C70 File: c:\temp\build\thehoff\negasonic_mr30.297045120452\negasonic_mr3\posture\ise\libnaccommon\target.cpp Line: 407 Level: debug POST request to URL (https://enroll.cisco.com:8905/auth/ng-discovery), returned status -1 <Operation Failed.>.
2020/06/05 14:04:44 [Information] aciseagent Function: Target::Probe Thread Id: 0x2C70 File: c:\temp\build\thehoff\negasonic_mr30.297045120452\negasonic_mr3\posture\ise\libnaccommon\target.cpp Line: 201 Level: debug Status of Ng-Discovery target enroll.cisco.com with path /auth/ng-discovery is 6 <Not Reachable.>.
2020/06/05 14:04:46 [Information] aciseagent Function: SwiftHttpRunner::http_discovery_callback Thread Id: 0x368C File: c:\temp\build\thehoff\negasonic_mr30.297045120452\negasonic_mr3\posture\ise\libswift\swifthttprunner.cpp Line: 385 Level: info Time out for Redirection target Gw-IP.
2020/06/05 14:04:46 [Information] aciseagent Function: SwiftHttpRunner::http_discovery_callback Thread Id: 0x368C File: c:\temp\build\thehoff\negasonic_mr30.297045120452\negasonic_mr3\posture\ise\libswift\swifthttprunner.cpp Line: 385 Level: info Time out for Redirection target enroll.cisco.com.
2020/06/05 14:04:46 [Warning] aciseagent Function: SwiftHttpRunner::addPreviouslyConnectedHeadendsToTargetList Thread Id: 0x368C File: c:\temp\build\thehoff\negasonic_mr30.297045120452\negasonic_mr3\posture\ise\libswift\swifthttprunner.cpp Line: 750 Level: warn No previously connected headends found.
2020/06/05 14:04:46 [Information] aciseagent Function: SwiftHttpRunner::collectMntTargets Thread Id: 0x368C File: c:\temp\build\thehoff\negasonic_mr30.297045120452\negasonic_mr3\posture\ise\libswift\swifthttprunner.cpp Line: 1227 Level: debug Probing MNT stage targets (#4): Ng-Discovery ise.acmecorp.net with path /auth/ng-discovery, Ng-Discovery target ise.acmecorp.net with path /auth/ng-discovery, Ng-Discovery target ise.acmecorp.net with path /auth/ng-discovery, Ng-Discovery target enroll.cisco.com with path /auth/ng-discovery, .
2020/06/05 14:04:46 [Information] aciseagent Function: SwiftHttpRunner::probeNextMntTarget Thread Id: 0x368C File: c:\temp\build\thehoff\negasonic_mr30.297045120452\negasonic_mr3\posture\ise\libswift\swifthttprunner.cpp Line: 1456 Level: debug Probing Mnt stage Ng-Discovery target ise.acmecorp.net with path /auth/ng-discovery.
2020/06/05 14:04:46 [Information] aciseagent Function: hs_transport_init Thread Id: 0x3508 File: c:\temp\build\thehoff\negasonic_mr30.297045120452\negasonic_mr3\posture\ise\libhstransport\hs_transport.c Line: 587 Level: debug initialization done.
2020/06/05 14:04:46 [Information] aciseagent Function: SwiftHttpRunner::http_discovery_callback Thread Id: 0x368C File: c:\temp\build\thehoff\negasonic_mr30.297045120452\negasonic_mr3\posture\ise\libswift\swifthttprunner.cpp Line: 433 Level: info Enabling next round timer.
2020/06/05 14:04:46 [Information] aciseagent Function: HttpConnection::MakeRequest Thread Id: 0x3508 File: c:\temp\build\thehoff\negasonic_mr30.297045120452\negasonic_mr3\posture\ise\libnaccommon\httpconnection.cpp Line: 514 Level: debug Redirected url https://ise.acmecorp.net:8454/auth/status.
2020/06/05 14:04:46 [Information] aciseagent Function: hs_transport_init Thread Id: 0x3508 File: c:\temp\build\thehoff\negasonic_mr30.297045120452\negasonic_mr3\posture\ise\libhstransport\hs_transport.c Line: 587 Level: debug initialization done.
2020/06/05 14:04:46 [Information] aciseagent Function: Target::fetchPostureStatus Thread Id: 0x3508 File: c:\temp\build\thehoff\negasonic_mr30.297045120452\negasonic_mr3\posture\ise\libnaccommon\target.cpp Line: 407 Level: debug POST request to URL (https://ise.acmecorp.net :8454/auth/ng-discovery), returned status 0 <Operation Success.>.
2020/06/05 14:04:46 [Information] aciseagent Function: HttpConnection::getHeader Thread Id: 0x3508 File: c:\temp\build\thehoff\negasonic_mr30.297045120452\negasonic_mr3\posture\ise\libnaccommon\httpconnection.cpp Line: 814 Level: debug Failed to retrieve http header X-ISE-PDP-WITH-SESSION.
06-07-2020 06:36 AM
@ISEduo ,
Can you please ensure the traffic from your PC is reaching the ISE, and not getting blocked/mis-directed by the firewall?
Simplest way would be to take captures on either (or all of) PC, FW, ISE.
Also, did you push any DACL from ISE?
06-07-2020 06:46 AM
Hi Anurag,
I can see the traffic is reaching ISE from the client provisioning portal reporting, when I try to access the CPP via the browser from the client.
I noticed the following error messages, which I am not sure about.
\negasonic_mr30.297045120452\negasonic_mr3\posture\ise\libnaccommon\httpconnection.cpp Line: 814 Level: debug Failed to retrieve http header X-ISE-PDP-WITH-SESSION.
2020/06/05 13:01:53 [Error] aciseagent Function: Target::parsePostureStatusResponse Thread Id: 0x4B44 File: c:\temp\build\thehoff\negasonic_mr30.297045120452\negasonic_mr3\posture\ise\libnaccommon\target.cpp Line: 328 Level: error Headend is empty. Possibly, content is not in the form 'X-ISE-PDP'..
06-07-2020 07:52 AM
06-07-2020 08:23 AM
I just took packet capture on the client side. Can you explain what we should dive into?
06-07-2020 09:08 AM
06-07-2020 09:33 AM
I would not be able to upload the packet captures in here. Can you maybe guide me how to quickly identify the request from the client? I do see both PSN FQDNs in client handshake packets.
06-07-2020 04:54 AM
Hi @ISEduo ,
For 'redirection-less' posture to work from first attempt itself, make sure the Posture profile (created on ISE) is already present on the client machine. If you are doing this for VPN, you can actually push it via ASA.
From the DART logs, it looks like it's trying to send probes to get redirected. That means it's not honouring the FQDNs/IPs in the Call-Home list.
06-07-2020 05:12 AM
Hi,
I configured the ISEPostureCFG.xml via the Anyconnect Posture Editor and stored it in the posture folder. Basically I specified the PSN FQDNs with the ports in the call-home list, and the server name rules have * as the value. We want to pre-deploy Anyconnect and the Posture module and configuration via SCCM and not via ISE.
The Posture Profile and Anyconnect Profile on ISE are configured the same as the posture profile on my test client.
06-08-2020 04:01 PM
You can compare your configuration against the ISE Posture Prescriptive Deployment Guide since I didn't see you mention it.
06-09-2020 10:49 AM
It started working after specifying call-home to both PSN FQDNs. But the posture scan still doesn't start via VPN (Anyconnect). Does this require special configuration?
Furthermore, is it possible to "disable" Anyconnect client provisioning on ISE? The client seems to download and install the Anyconnect image from ISE. We would like to let SCCM maintain Anyconnect and Posture module deployment.