After clients connected via AnyConnect and successfully passed posture and CoA,
information in Context Visibility - Endpoints about active endpoints is incorrect.
Status - "disconnected", but it should be "Connected"
Authorization policy - "Posture Unknown", but it should be "Posture Compliant"
But at the same time other information is correct: IP Address, Compliance status, etc.
In Operations RADIUS Live Sessions everything is also correct.
What could be the problem?
ISE 3.1, AnyConnect 4.10.02086, ASA5585 9.12
See CSCvv30274 Context Visibility shows incorrect Authorization profile and policy for VPN Posture scenario
I've not seen a case with incorrect connection status on VPN sessions, tho.
Silly question but, does the VPN concentrator send RADIUS Accounting to ISE? And if so, are Accounting Interim-Updates enabled?
Sometimes it's a case of ISE not being able to determine the state of a RADIUS Session, because ISE has not received any acknowledgement from the NAS via RADIUS Accounting requests.
Yes, Accounting Interim-Updates enabled.
A certain number of endpoints are marked as connected, about 600 out of 4000.
I don’t see the difference between them.
If I delete an endpoint and reconnect, it becomes marked as connected for a while (about a few days).
All endpoints on the screenshot have an IP address and are really connected.
Thank you, this is exactly that bug.