Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3377
Views
0
Helpful
4
Replies

ISE/ASA COA send to Anyconnect Endpoint Public IP during Posturing over SSL VPN

Go to solution
Silver_Cat
Level 1
Level 1

‎04-02-2019 04:44 PM - edited ‎04-02-2019 04:47 PM

Hello all , I am seeing this strange issue while testing Anyconnect SSL VPN client with Posturing agent.

The process starts of fine , Anyconnect VPN gets connected , Posturing agents is talking to ISE but during complaint phase 

 COA from ISE getting failed with error message

"Event 5417 Dynamic Authorization failed"

"11213 No response received from Network Access Device after sending a Dynamic Authorization request " .

 

I can see that the endpoint ID is anyconnect client public ip instead of Mac address take a look at the attached screenshot . 

ISE v2.4

Anyconnect v4.7

ASA is running 9.9.2

 

 

 

 

Preview file
61 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Milos_Jovanovic
VIP Alumni
VIP Alumni

‎08-10-2021 08:48 AM

Based on cases I had and my understanding, I would explain it this way:

  • Client connects to VPN, it is in the Unknown state and triggers the posture assessment
  • Posture assessment takes some time (usualy more than 20+ seconds)
  • During that time, something happens with the client (e.g. client reconnects) and he is no longer on VPN with his session ID from before
  • ISE completes posture assessment, sends CoA, and expects ACK from ASA
  • As ASA doesn't have that session ID anymore, it replies with NACK, which generates alarm message

I tried to do some troubleshooting of 'Event 5417 Dynamic Authorization failed' for VPN sessions for one of my clients as soon as alarm appeared, and once I tried to analyze it deeper on ASA, I realized that specific user/session exists no more on VPN GW at that time.

BR,

Milos

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni

‎04-02-2019 08:40 PM

Hi

With just a screenshot it will be difficult to found what the problem is.
Is it a new deployment or you already have posture and upgrading to anyconnect 4.7?
I'm asking because i still have a tac going on with anyconnect 4.7 which has weird results.
Can you test with anyconnect 4.6? Or share more info of your posture process and even debugs if you have?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Go to solution
paul
Level 10
Level 10

‎08-10-2021 03:57 AM

Did you ever figure out an answer to this?

0 Helpful

Go to solution
Milos_Jovanovic
VIP Alumni
VIP Alumni

‎08-10-2021 08:48 AM

Based on cases I had and my understanding, I would explain it this way:

  • Client connects to VPN, it is in the Unknown state and triggers the posture assessment
  • Posture assessment takes some time (usualy more than 20+ seconds)
  • During that time, something happens with the client (e.g. client reconnects) and he is no longer on VPN with his session ID from before
  • ISE completes posture assessment, sends CoA, and expects ACK from ASA
  • As ASA doesn't have that session ID anymore, it replies with NACK, which generates alarm message

I tried to do some troubleshooting of 'Event 5417 Dynamic Authorization failed' for VPN sessions for one of my clients as soon as alarm appeared, and once I tried to analyze it deeper on ASA, I realized that specific user/session exists no more on VPN GW at that time.

BR,

Milos

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee

‎08-13-2021 09:16 PM

Milos is correct. It's normal that the public IP shown in the CoA requests.

0 Helpful
Customers Also Viewed These Support Documents