03-31-2017 04:59 AM - edited 03-11-2019 12:35 AM
We are facing this issue on multiple Windows endpoints. If we log in with a domain user, the posture scan gets stuck at 10%. Posture conditions are in Audit mode.
But when we log in with a local user or admin user on the same machine, we are able to complete the posture scan and get access.
We are using ISE 2.1 Patch 3, AnyConnect 4.3.05017 & AnyConnect Windows Compliance Module 3.6.11017.2.
06-27-2017 01:04 PM
06-27-2017 02:21 PM
This is expected. The Posture will stay at 30% if the compliance check fails, waiting for the user to remediate. It will then time out after the remediation timeout period.
Since you are using the ISE 2.2 version, you should look at using Posture in stealth mode with the latest compliance module and AnyConnect 4.4 version. This provides a better user experience for ISE Posture compliance failures. This is explained here:
http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect44/administration/guide/b_AnyConnect_Administrator_Guide_4-4/configure-posture.html#reference_5328396A402F4ACF8C7F0F78C7902825
08-18-2019 08:37 PM
Has this been resolved? I am experiencing a similar issue - our configuration is with manual remediation. Should AnyConnect show a pop-up window for the action required, and not be stuck at system scan?
07-08-2021 11:54 PM
If the endpoint is not compliant, then the user will get a popup with the message that is configured as part of the results.
07-09-2021 05:13 AM
I also had this issue recently. I worked with TAC quite a bit. Here are some steps we took that have seemed to fix/quiet the 10% hang issue:
- Upgrade compliance module on clients to latest version
- Upgrade AnyConnect to newer version including all modules (specifically for this case the posture/compliance modules of course)
- Determine if any AV/security software is causing the hung module; test accordingly
- Review posture checks and test one by one to determine if there is a check that is causing the delay
While testing, we actually figured out that reseating the cable if on wired, or toggling the adapter for wireless, seemed to speed up the 10% hang issue. Some of our admins even went as far as modifying user profiles on the respective machines, which also alleviated the issue.
Lastly, for anyone facing this issue, I strongly suggest working with TAC, as they have an internal tool you can get to aid in gathering more intel from troubled clients. HTH!