Solved: Re: ISE/ASA COA send to Anyconnect Endpoint Public IP during Posturing

Silver_Cat · ‎04-02-2019

Hello all , I am seeing this strange issue while testing Anyconnect SSL VPN client with Posturing agent.

The process starts of fine , Anyconnect VPN gets connected , Posturing agents is talking to ISE but during complaint phase

COA from ISE getting failed with error message

"Event 5417 Dynamic Authorization failed"

"11213 No response received from Network Access Device after sending a Dynamic Authorization request " .

I can see that the endpoint ID is anyconnect client public ip instead of Mac address take a look at the attached screenshot .

ISE v2.4

Anyconnect v4.7

ASA is running 9.9.2

Milos_Jovanovic · ‎08-10-2021

Based on cases I had and my understanding, I would explain it this way:

Client connects to VPN, it is in the Unknown state and triggers the posture assessment
Posture assessment takes some time (usualy more than 20+ seconds)
During that time, something happens with the client (e.g. client reconnects) and he is no longer on VPN with his session ID from before
ISE completes posture assessment, sends CoA, and expects ACK from ASA
As ASA doesn't have that session ID anymore, it replies with NACK, which generates alarm message

I tried to do some troubleshooting of 'Event 5417 Dynamic Authorization failed' for VPN sessions for one of my clients as soon as alarm appeared, and once I tried to analyze it deeper on ASA, I realized that specific user/session exists no more on VPN GW at that time.

BR,

Milos

View solution in original post

Francesco Molino · ‎04-02-2019

Hi

With just a screenshot it will be difficult to found what the problem is.
Is it a new deployment or you already have posture and upgrading to anyconnect 4.7?
I'm asking because i still have a tac going on with anyconnect 4.7 which has weird results.
Can you test with anyconnect 4.6? Or share more info of your posture process and even debugs if you have?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

paul · ‎08-10-2021

Did you ever figure out an answer to this?

Milos_Jovanovic · ‎08-10-2021

Based on cases I had and my understanding, I would explain it this way:

Client connects to VPN, it is in the Unknown state and triggers the posture assessment
Posture assessment takes some time (usualy more than 20+ seconds)
During that time, something happens with the client (e.g. client reconnects) and he is no longer on VPN with his session ID from before
ISE completes posture assessment, sends CoA, and expects ACK from ASA
As ASA doesn't have that session ID anymore, it replies with NACK, which generates alarm message

I tried to do some troubleshooting of 'Event 5417 Dynamic Authorization failed' for VPN sessions for one of my clients as soon as alarm appeared, and once I tried to analyze it deeper on ASA, I realized that specific user/session exists no more on VPN GW at that time.

BR,

Milos

hslai · ‎08-13-2021

Milos is correct. It's normal that the public IP shown in the CoA requests.

ISE/ASA COA send to Anyconnect Endpoint Public IP during Posturing over SSL VPN

ISE Webinars

CiscoISE on YouTube