
ISE AnyConnect Posture / DNS issue

Dears,

I need your help with my problem.

As you know, almost all clients want to use the internet while they are in an AnyConnect session. This works normally by adding split tunneling to the configuration.

But when I configure AnyConnect posture, my problem appears: the PCs require DNS with the ability to resolve the ISE hostname.
I solved the problem temporarily by adding a static DNS record to my PC, but that is an unscalable method.
Does anyone have another way to avoid this limitation?

Note: I already push my private DNS information with the AnyConnect configuration.
I mean the AnyConnect client receives an IP address, split tunnel and DNS.

Accepted Solution

Mike.Cifelli
VIP Alumni
Please share the contents of your redirect acl you use when posture status is unknown. Should look something like this:
Extended IP access list ISE_REDIRECT
deny ip any host <ISE>
deny udp any any eq domain
permit ip any any
The logic is flipped. Good luck & HTH!
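To make the flipped logic concrete, here is an added example (not code from the thread or from Cisco): a small first-match evaluator that walks a redirect ACL against a few constructed flows. A deny ACE exempts a flow from redirection (it is forwarded normally); a permit ACE hands the flow to the redirect, so it never reaches its real destination. The ACL text is a constructed copy of the ASA ACL posted later in this thread (10.1.2.95 is the ISE node); the client address 10.10.10.5, the internal resolver 10.1.2.10 and the web server 198.51.100.7 are assumed values, and treating an unmatched flow as "not redirected" is a modelling assumption rather than a statement about any particular platform. Running it with the DNS exemption stripped out reproduces the symptom in the question: DNS queries are swallowed by the redirect, so the ISE hostname can never be resolved.

```python
"""Walk an ISE posture redirect ACL against sample flows (added example).

deny   -> exempt from redirect, forwarded normally
permit -> intercepted by the redirect, never reaches the real destination
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

NAMED_PORTS = {"domain": 53, "bootps": 67, "bootpc": 68, "www": 80, "https": 443}


@dataclass(frozen=True)
class Flow:
    name: str
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str            # "deny" (exempt) or "permit" (redirect)
    proto: str             # "ip", "tcp" or "udp"
    src: Optional[str]     # None means "any"
    sport: Optional[int]
    dst: Optional[str]
    dport: Optional[int]


def _port(tok: str) -> int:
    return NAMED_PORTS[tok] if tok in NAMED_PORTS else int(tok)


def _endpoint(tok: List[str]):
    """Consume 'any' or 'host A.B.C.D', optionally followed by 'eq PORT'."""
    if tok[0] == "any":
        addr, tok = None, tok[1:]
    elif tok[0] == "host":
        addr, tok = tok[1], tok[2:]
    else:
        raise ValueError(f"unsupported address spec: {' '.join(tok)}")
    port = None
    if tok and tok[0] == "eq":
        port, tok = _port(tok[1]), tok[2:]
    return addr, port, tok


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME extended ACTION PROTO SRC DST' (the ASA subset used in the thread)."""
    tok = line.split()
    if len(tok) < 7 or tok[0] != "access-list" or tok[2] != "extended":
        raise ValueError(f"unsupported ACE: {line}")
    action, proto, rest = tok[3], tok[4], tok[5:]
    src, sport, rest = _endpoint(rest)
    dst, dport, rest = _endpoint(rest)
    if rest:
        raise ValueError(f"trailing tokens in ACE: {line}")
    return Ace(action, proto, src, sport, dst, dport)


def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]


def _matches(ace: Ace, f: Flow) -> bool:
    if ace.proto != "ip" and ace.proto != f.proto:
        return False
    for want, have in ((ace.src, f.src), (ace.sport, f.sport),
                       (ace.dst, f.dst), (ace.dport, f.dport)):
        if want is not None and want != have:
            return False
    return True


def decide(acl: List[Ace], f: Flow) -> str:
    """First match wins: permit -> 'redirect', deny -> 'forward'.
    Assumption: a flow matching no ACE is simply not redirected."""
    for ace in acl:
        if _matches(ace, f):
            return "redirect" if ace.action == "permit" else "forward"
    return "forward"


def evaluate(acl_text: str, flows: List[Flow]) -> Dict[str, str]:
    acl = parse_acl(acl_text)
    return {f.name: decide(acl, f) for f in flows}


# Constructed copy of the redirect ACL posted in the thread (10.1.2.95 = ISE).
POSTED_ACL = """
access-list AnyConnect-Redirect extended deny udp any any eq domain
access-list AnyConnect-Redirect extended deny udp any eq bootpc any eq bootps
access-list AnyConnect-Redirect extended deny udp any host 10.1.2.95 eq 8905
access-list AnyConnect-Redirect extended deny tcp any host 10.1.2.95 eq 8905
access-list AnyConnect-Redirect extended deny udp any host 10.1.2.95 eq 8909
access-list AnyConnect-Redirect extended deny tcp any host 10.1.2.95 eq 8909
access-list AnyConnect-Redirect extended deny tcp any host 10.1.2.95 eq 8443
access-list AnyConnect-Redirect extended permit ip any any
"""

# Same ACL with the DNS exemption removed, to show the failure mode from the question.
ACL_WITHOUT_DNS_EXEMPTION = "\n".join(
    l for l in POSTED_ACL.strip().splitlines() if "eq domain" not in l)

# Constructed flows (assumed addresses): 10.10.10.5 = VPN client,
# 10.1.2.10 = internal resolver, 198.51.100.7 = some internet web server.
SAMPLE_FLOWS = [
    Flow("dns_to_internal_resolver", "udp", "10.10.10.5", 50123, "10.1.2.10", 53),
    Flow("dhcp_discover", "udp", "0.0.0.0", 68, "255.255.255.255", 67),
    Flow("posture_portal_to_ise", "tcp", "10.10.10.5", 50124, "10.1.2.95", 8443),
    Flow("web_to_internet", "tcp", "10.10.10.5", 50125, "198.51.100.7", 80),
]

if __name__ == "__main__":
    for label, acl in (("posted ACL", POSTED_ACL),
                       ("ACL without the DNS exemption", ACL_WITHOUT_DNS_EXEMPTION)):
        print(label)
        for name, verdict in evaluate(acl, SAMPLE_FLOWS).items():
            print(f"  {name:26s} -> {verdict}")
```

With the posted ACL, DNS, DHCP and the ISE portal flow come back as "forward" and only ordinary web traffic is redirected; drop the `deny udp any any eq domain` line and the DNS flow flips to "redirect", which is exactly why a client would then fail to resolve the ISE hostname.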

Dear Mike,

First of all, I do apologize for the delay; I was out of my office.

Please find below the redirect ACL (on the ASA):

access-list AnyConnect-Redirect remark DNS and DHCP are exempt from redirection
access-list AnyConnect-Redirect extended deny udp any any eq domain
access-list AnyConnect-Redirect extended deny udp any eq bootpc any eq bootps
access-list AnyConnect-Redirect remark ISE (10.1.2.95) posture and portal ports are exempt from redirection
access-list AnyConnect-Redirect extended deny udp any host 10.1.2.95 eq 8905
access-list AnyConnect-Redirect extended deny tcp any host 10.1.2.95 eq 8905
access-list AnyConnect-Redirect extended deny udp any host 10.1.2.95 eq 8909
access-list AnyConnect-Redirect extended deny tcp any host 10.1.2.95 eq 8909
access-list AnyConnect-Redirect extended deny tcp any host 10.1.2.95 eq 8443
access-list AnyConnect-Redirect remark everything else is redirected
access-list AnyConnect-Redirect extended permit ip any any

### 10.1.2.95 is the ISE server

hslai
Cisco Employee

Adding to Mike.Cifelli...

Please check the DNS servers configured for the RA-VPN clients. Then ensure the DNS queries and responses go through to the internal DNS servers, either as Mike.Cifelli suggested or by using a DACL or interface ACL to permit that.