04-18-2023 08:48 PM
Hello,
I have always done ISE deployments with redirections for posture. I was working in the lab for many hours now trying to solve why I cannot get my AnyConnect client to report compliance to ISE with the call-home functionality. I have created the ISEPostureCFG.xml file and installed it in the correct folder. However, the ISE posture module just says that a policy server cannot be found.
<?xml version="1.0" encoding="UTF-8"?>
<cfg
xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
xmlns='http://www.cisco.com/nac/agent/config-1.0'
xsi:schemaLocation='http://www.cisco.com/nac/agent/config-1.0 ISEPostureCFG.xsd'>
<configName>ISEPostureCFG.xml</configName>
<NacAnyConnectDrpDown>AnyConnectAgent</NacAnyConnectDrpDown>
<BackOffTimerLimit>30</BackOffTimerLimit>
<LogTrace>0</LogTrace>
<CwaByodMaxTimeout>90</CwaByodMaxTimeout>
<RetransmissionLimit>4</RetransmissionLimit>
<PingMaxTimeout>1</PingMaxTimeout>
<RetransmissionDelay>60</RetransmissionDelay>
<StealthMode>0</StealthMode>
<EnableNonRedirectionFlow>1</EnableNonRedirectionFlow>
<DisableEDRInternetCheck>0</DisableEDRInternetCheck>
<ServerNameRules>*</ServerNameRules>
<OperateOnNonDot1XWireless>1</OperateOnNonDot1XWireless>
<DhcpRenewDelay>1</DhcpRenewDelay>
<CallHomeList>ise.echoplex.io</CallHomeList>
<LogFileSize>5</LogFileSize>
<PRARetransmissionTime>120</PRARetransmissionTime>
<EnableAgentIpRefresh>1</EnableAgentIpRefresh>
<DartCount>3</DartCount>
<CwaByodProbingInterval>5</CwaByodProbingInterval>
<PingArp>0</PingArp>
<DhcpReleaseDelay>4</DhcpReleaseDelay>
<StealthWithNotification>0</StealthWithNotification>
<SignatureCheck>0</SignatureCheck>
<DiscoveryHost>www.google.com</DiscoveryHost>
<StateSyncProbeInterval>0</StateSyncProbeInterval>
<EnableRescanButton>1</EnableRescanButton>
<VlanDetectInterval>0</VlanDetectInterval>
<DisableUAC>0</DisableUAC>
<PeriodicProbing>30</PeriodicProbing>
</cfg>
I have collected the DART file information. It is talking to the ISE server that I setup in the ISEPostureCFG.xml file but for whatever reason it seems to error out. Dart log file info:
2023/04/18 23:33:33 [Information] aciseagent Function: SMNav::logTransition Thread Id: 0x1B1C File: smnav.cpp Line: 167 Level: info New State = SW_UNKNOWN, New Event = EV_NO_EVENT .
2023/04/18 23:33:33 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2004 File: hs_httpheader.c Line: 430 Level: debug --- Http Response Headers ---.
2023/04/18 23:33:33 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2004 File: hs_httpheader.c Line: 437 Level: debug HTTP-Version: 1.1.
2023/04/18 23:33:33 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2004 File: hs_httpheader.c Line: 437 Level: debug Status-Code: 200.
2023/04/18 23:33:33 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2004 File: hs_httpheader.c Line: 437 Level: debug Connection: keep-alive.
2023/04/18 23:33:33 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2004 File: hs_httpheader.c Line: 437 Level: debug Date: Wed, 19 Apr 2023 04:32:42 GMT.
2023/04/18 23:33:33 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2004 File: hs_httpheader.c Line: 437 Level: debug Keep-Alive: timeout=20.
2023/04/18 23:33:33 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2004 File: hs_httpheader.c Line: 437 Level: debug Content-Length: 25.
2023/04/18 23:33:33 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2004 File: hs_httpheader.c Line: 437 Level: debug Server: server.
2023/04/18 23:33:33 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2004 File: hs_httpheader.c Line: 437 Level: debug X-Frame-Options: SAMEORIGIN.
2023/04/18 23:33:33 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2004 File: hs_httpheader.c Line: 437 Level: debug Strict-Transport-Security: max-age=31536000; includeSubDomains.
2023/04/18 23:33:33 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2004 File: hs_httpheader.c Line: 437 Level: debug X-Content-Type-Options: nosniff.
2023/04/18 23:33:33 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2004 File: hs_httpheader.c Line: 437 Level: debug Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' http://www.cisco.com/ data:;.
2023/04/18 23:33:33 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2004 File: hs_httpheader.c Line: 437 Level: debug X-XSS-Protection: 1; mode=block.
2023/04/18 23:33:33 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2004 File: hs_httpheader.c Line: 437 Level: debug Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Platform, Sec-CH-UA.
2023/04/18 23:33:33 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2004 File: hs_httpheader.c Line: 437 Level: debug X-ISE-PDP: ise.echoplex.io.
2023/04/18 23:33:33 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2004 File: hs_httpheader.c Line: 437 Level: debug X-ISE-POSTURE: /auth/perfigo_validate.jsp.
2023/04/18 23:33:33 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2004 File: hs_httpheader.c Line: 437 Level: debug X-ISE-POSTURE_PORT: 8905.
2023/04/18 23:33:33 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2004 File: hs_httpheader.c Line: 437 Level: debug X-ISE-AC_PKG_PORT: 8905.
2023/04/18 23:33:33 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2004 File: hs_httpheader.c Line: 437 Level: debug X-ISE-GUESTFLOW: false.
2023/04/18 23:33:33 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2004 File: hs_httpheader.c Line: 437 Level: debug X-ISE-AC_CONFIG_URL: https://ise.echoplex.io:8905/auth/anyconnect?uuid=c674f9c2-073c-429c-b745-3c9cea739e81.
2023/04/18 23:33:33 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2004 File: hs_httpheader.c Line: 437 Level: debug X-ISE-AC_CONFIG_URI: /auth/anyconnect?uuid=c674f9c2-073c-429c-b745-3c9cea739e81.
2023/04/18 23:33:33 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2004 File: hs_httpheader.c Line: 437 Level: debug X-ISE-AC_PKG_URL: https://ise.echoplex.io:8905/auth/provisioning/download/e983290e-13de-4740-a75b-11ed663cf009.
2023/04/18 23:33:33 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2004 File: hs_httpheader.c Line: 437 Level: debug X-ISE-AC_PKG_URI: /auth/provisioning/download/e983290e-13de-4740-a75b-11ed663cf009.
2023/04/18 23:33:33 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2004 File: hs_httpheader.c Line: 437 Level: debug X-ISE-AC_PKG_VER: 4.10.6090.0.
2023/04/18 23:33:33 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2004 File: hs_httpheader.c Line: 437 Level: debug X-ISE-STATUS_PATH: /auth/status.
2023/04/18 23:33:33 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2004 File: hs_httpheader.c Line: 437 Level: debug X-ISE-SessionId: c0a8020aQGyhDwg1HGGXhDS5vAt7DBIfruvrcHGe/z9wYjItozM.
2023/04/18 23:33:33 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2004 File: hs_httpheader.c Line: 437 Level: debug X-ISE-PostureDomain: posture_domain.
2023/04/18 23:33:33 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2004 File: hs_httpheader.c Line: 437 Level: debug X-ISE-POSTURE_STATUS: Unknown.
2023/04/18 23:33:33 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2004 File: hs_httpheader.c Line: 442 Level: debug --------------------.
2023/04/18 23:33:33 [Information] aciseagent Function: Target::fetchPostureStatus Thread Id: 0x2004 File: target.cpp Line: 464 Level: debug POST request to URL (https://ise.echoplex.io:8905/auth/ng-discovery), returned status 0 <Operation Success.>, stage 2.
2023/04/18 23:33:33 [Information] aciseagent Function: HttpConnection::getHeader Thread Id: 0x2004 File: httpconnection.cpp Line: 842 Level: debug Failed to retrieve http header X-ISE-PDP-WITH-SESSION.
2023/04/18 23:33:33 [Information] aciseagent Function: HttpConnection::getHeader Thread Id: 0x2004 File: httpconnection.cpp Line: 842 Level: debug Failed to retrieve http header X-ISE-PDPS-IN-DEPLOYMENT.
2023/04/18 23:33:33 [Information] aciseagent Function: HttpConnection::getHeader Thread Id: 0x2004 File: httpconnection.cpp Line: 842 Level: debug Failed to retrieve http header X-ISE-POSTURE-NO-SESSION.
2023/04/18 23:33:33 [Information] aciseagent Function: HttpConnection::getHeader Thread Id: 0x2004 File: httpconnection.cpp Line: 842 Level: debug Failed to retrieve http header X-ISE-PROBE-STATUS.
2023/04/18 23:33:33 [Information] aciseagent Function: HttpConnection::getHeader Thread Id: 0x2004 File: httpconnection.cpp Line: 842 Level: debug Failed to retrieve http header X-ISE-PRA_CONFIG.
2023/04/18 23:33:33 [Information] aciseagent Function: HttpConnection::getHeader Thread Id: 0x2004 File: httpconnection.cpp Line: 842 Level: debug Failed to retrieve http header X-ISE-NG_DISCOVERY_PATH.
2023/04/18 23:33:33 [Information] aciseagent Function: HttpConnection::getHeader Thread Id: 0x2004 File: httpconnection.cpp Line: 842 Level: debug Failed to retrieve http header X-ISE-BACKUP_SERVERS.
2023/04/18 23:33:33 [Information] aciseagent Function: Target::probeRecentConnectedHeadEnd Thread Id: 0x2004 File: target.cpp Line: 556 Level: debug Posture status for Ng-Discovery target ise.echoplex.io with path /auth/ng-discovery is (Unknown)..
2023/04/18 23:33:33 [Information] aciseagent Function: Target::Probe Thread Id: 0x2004 File: target.cpp Line: 212 Level: debug Status of Ng-Discovery target ise.echoplex.io with path /auth/ng-discovery is 1 <Server is found.>.
2023/04/18 23:33:34 [Information] aciseagent Function: hs_transport_winhttp_get Thread Id: 0x4990 File: hs_transport_winhttp.c Line: 4829 Level: debug unable to send request: 12002.
2023/04/18 23:33:34 [Information] aciseagent Function: Target::probeDiscoveryUrl Thread Id: 0x4990 File: target.cpp Line: 261 Level: debug GET request to URL (http://enroll.cisco.com/auth/discovery), returned status -1 <Operation Failed.>.
2023/04/18 23:33:34 [Information] aciseagent Function: Target::Probe Thread Id: 0x4990 File: target.cpp Line: 212 Level: debug Status of Redirection target enroll.cisco.com is 6 <Not Reachable.>.
At this point I am not sure where I am supposed to look at next to resolve this issue. Any hints would be great.
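As an added example (not code from the original post or from Cisco), the following script relates the CallHomeList in ISEPostureCFG.xml to the probe results and X-ISE-* headers that the DART log above records, so a reader can see at a glance which configured head-end was actually found, which probe targets failed, and what posture status ISE answered with. The sample config and log lines are constructed cut-downs of the ones in the post; treating CallHomeList as a comma-separated list with an optional :port suffix is an assumption.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://www.cisco.com/nac/agent/config-1.0}"
# Constructed sample: a cut-down ISEPostureCFG.xml keeping only the element this check reads.
SAMPLE_CFG = """<cfg xmlns="http://www.cisco.com/nac/agent/config-1.0">
<CallHomeList>ise.echoplex.io</CallHomeList>
</cfg>"""
# Constructed sample: the message part of five DART lines from the post above (timestamps dropped).
SAMPLE_LOG = """\
Level: debug X-ISE-PDP: ise.echoplex.io.
Level: debug X-ISE-POSTURE_PORT: 8905.
Level: debug X-ISE-POSTURE_STATUS: Unknown.
Level: debug Status of Ng-Discovery target ise.echoplex.io with path /auth/ng-discovery is 1 <Server is found.>.
Level: debug Status of Redirection target enroll.cisco.com is 6 <Not Reachable.>.
"""
HEADER_RE = re.compile(r"Level: debug (X-ISE-[A-Za-z_-]+): (.*)\.$")
TARGET_RE = re.compile(r"Status of (\S+) target (\S+?)(?: with path (\S+))? is (\d+) <([^>]*)>")

def parse_dart(log):
    """Collect X-ISE-* response headers and per-target probe results from DART text."""
    headers, targets = {}, []
    for line in log.splitlines():
        h = HEADER_RE.search(line)
        if h:
            headers[h.group(1)] = h.group(2)  # the agent appends '.' to every message
            continue
        t = TARGET_RE.search(line)
        if t:
            kind, host, path, code, msg = t.groups()
            targets.append((kind, host, path, int(code), msg))
    return headers, targets

def call_home_hosts(cfg_xml):
    """CallHomeList hosts; assumes comma-separated entries with optional :port (not confirmed by the post)."""
    raw = ET.fromstring(cfg_xml).findtext(NS + "CallHomeList", default="")
    return [e.strip().split(":")[0] for e in raw.split(",") if e.strip()]

def check(cfg_xml, log):
    """Relate configured call-home hosts to what the agent reached and what ISE answered."""
    headers, targets = parse_dart(log)
    found = {host for _, host, _, code, _ in targets if code == 1}
    hosts = call_home_hosts(cfg_xml)
    return {
        "call_home_reached": [h for h in hosts if h in found],
        "call_home_missed": [h for h in hosts if h not in found],
        "unreachable": sorted(host for _, host, _, code, _ in targets if code != 1),
        "pdp": headers.get("X-ISE-PDP"),
        "posture_status": headers.get("X-ISE-POSTURE_STATUS"),
    }
```

Run `check(SAMPLE_CFG, SAMPLE_LOG)` against a full DART export (the regexes work on the complete timestamped lines too) to confirm that the call-home host was found and that only the enroll.cisco.com redirection probe failed, which is expected when no redirect ACL is in play.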
04-19-2023 10:41 AM
What is the behavior seen on AnyConnect?
I see the HTTPS probe to ISE is passing:
debug POST request to URL (https://ise.echoplex.io:8905/auth/ng-discovery), returned status 0 <Operation Success.>
Cross-check the pointers below from the client while it is connected:
I would suggest opening a TAC case.
04-19-2023 11:00 AM
It resolves correctly. I actually removed AnyConnect and re-installed it. Added in the ISEPostureCFG again. Restarted the ISE Posture service and boom, it connected. However, it failed the downloader. So I removed it again, changed the compliance module to a version below it. After this it stopped connecting. So frustrating.
04-20-2023 10:09 AM
What is the version of ISE, AnyConnect and Compliance module in your setup?