Solved: ISE 3.1 Incorrect information in Context Visibility - Endpoints.

taurus1975 · ‎10-19-2021

Hi!

After clients connected via AnyConnect and succesfully passed posture and CoA,

information in Context Visibility - Endpoints about active endpoints is incorrect.

Status - "disconnected", but it should be "Connected"

Authorization policy - "Posture Unknown", but it should be "Posture Comliant"

But in the same time other information is correct IP Address, Compliance status, etc.

In Operations RADIUS Live Sessions also all correct.

What could be the problem?

ISE 3.1, AnyConnect 4.10.02086, ASA5585 9.12

hslai · ‎12-19-2021

See CSCvv30274 Context Visibility shows incorrect Authorization profile and policy for VPN Posture scenario

I've not seen a case with incorrect connection status on VPN sessions, tho.

View solution in original post

Arne Bier · ‎12-16-2021

Hello @taurus1975

Silly question but, does the VPN concentrator send RADIUS Accounting to ISE? And if so, are Accounting Interim-Updates enabled?

Sometimes it's a case of ISE not being able to determine the state of a RADIUS Session, because ISE has not received any acknowledgement from the NAS via RADIUS Accounting requests.

taurus1975 · ‎12-21-2021

Yes, Accounting Interim-Updates enabled.

A certain number of endpoints are marked as connected, about 600 out of 4000.

I don’t see the difference between them.

If delete an endpoint and reconnect, it becomes marked as connected for a while(about few days).

All endpoins on screenshot have an ip address and realy connected.

hslai · ‎12-19-2021

See CSCvv30274 Context Visibility shows incorrect Authorization profile and policy for VPN Posture scenario

I've not seen a case with incorrect connection status on VPN sessions, tho.

taurus1975 · ‎12-21-2021

Thank you, this is exactly that bug.