
1705 Views · 0 Helpful · 4 Replies
Silver_Cat
Beginner

ISE/ASA COA send to Anyconnect Endpoint Public IP during Posturing over SSL VPN

Hello all, I am seeing this strange issue while testing the AnyConnect SSL VPN client with the posturing agent.

The process starts off fine: AnyConnect VPN gets connected and the posturing agent is talking to ISE, but during the compliant phase the CoA from ISE is failing with the error message

"Event 5417 Dynamic Authorization failed"

"11213 No response received from Network Access Device after sending a Dynamic Authorization request".

I can see that the endpoint ID is the AnyConnect client's public IP instead of the MAC address; take a look at the attached screenshot.

ISE v2.4

Anyconnect v4.7

ASA is running 9.9.2

Accepted Solution
Milos_Jovanovic
VIP Collaborator

Based on cases I had and my understanding, I would explain it this way:

  • Client connects to VPN, it is in the Unknown state and triggers the posture assessment
  • Posture assessment takes some time (usually more than 20+ seconds)
  • During that time, something happens with the client (e.g. the client reconnects) and he is no longer on VPN with his session ID from before
  • ISE completes the posture assessment, sends CoA, and expects an ACK from ASA
  • As ASA doesn't have that session ID anymore, it replies with a NACK, which generates the alarm message

I tried to do some troubleshooting of 'Event 5417 Dynamic Authorization failed' for VPN sessions for one of my clients as soon as the alarm appeared, and once I tried to analyze it deeper on ASA, I realized that the specific user/session no longer existed on the VPN GW at that time.

BR,

Milos

4 Replies
Francesco Molino
VIP Mentor

Hi

With just a screenshot it will be difficult to find what the problem is.
Is it a new deployment, or do you already have posture and are upgrading to AnyConnect 4.7?
I'm asking because I still have a TAC case going on with AnyConnect 4.7 which has weird results.
Can you test with AnyConnect 4.6? Or share more info on your posture process and even debugs if you have them?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
paul
Advocate

Did you ever figure out an answer to this?

hslai
Cisco Employee

Milos is correct. It's normal that the public IP is shown in the CoA requests.
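To make the sequence Milos describes (and the public-IP observation hslai confirms) concrete, here is an added example that is not part of this thread and not Cisco code: a toy RFC 5176 CoA exchange in Python. The "policy server" builds a CoA-Request whose Calling-Station-Id carries the client's public IP and whose Acct-Session-Id names the VPN session; the "VPN gateway" is a small model of the ASA that ACKs when it still holds that session and answers CoA-NAK with Error-Cause 503 (Session Context Not Found) after the client has reconnected under a new session ID. A request whose authenticator does not verify is silently dropped, which is what the server sees as no response. The session IDs, IP address and shared secret are constructed sample values.

```python
"""Toy RFC 5176 CoA exchange: policy server (ISE role) vs. VPN gateway (ASA role).
Shows why a CoA sent after the client reconnected fails: the gateway no longer
holds the session named in the request. All values below are constructed."""
import hashlib
import struct

# Packet codes for dynamic authorization (RFC 5176, section 2.3)
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
# Attribute types: Calling-Station-Id (RFC 2865), Acct-Session-Id (RFC 2866), Error-Cause (RFC 5176)
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_SESSION_ID = 44
ATTR_ERROR_CAUSE = 101
ERROR_SESSION_CONTEXT_NOT_FOUND = 503  # Error-Cause value from RFC 5176 section 3.5


def encode_attrs(attrs):
    """Serialize (type, value) pairs as RADIUS TLVs; ints become 4-byte big-endian."""
    out = b""
    for attr_type, value in attrs:
        if isinstance(value, int):
            value = struct.pack("!I", value)
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def decode_attrs(data):
    """Parse RADIUS TLVs into a dict of type -> raw value bytes."""
    attrs, i = {}, 0
    while i + 2 <= len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2:
            break  # malformed length; stop rather than loop forever
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def build_coa_request(ident, attrs, secret):
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(body))
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def build_coa_response(code, ident, request_auth, attrs, secret):
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    authenticator = hashlib.md5(header + request_auth + body + secret).digest()
    return header + authenticator + body


class VpnGateway:
    """Model of the ASA side: a shared secret and the set of live VPN session IDs."""

    def __init__(self, secret, sessions):
        self.secret = secret
        self.sessions = set(sessions)

    def reconnect(self, old_session_id, new_session_id):
        # The client dropped and came back: the old session context is gone.
        self.sessions.discard(old_session_id)
        self.sessions.add(new_session_id)

    def handle_coa(self, packet):
        header, request_auth = packet[:4], packet[4:20]
        code, ident, length = struct.unpack("!BBH", header)
        body = packet[20:length]
        expected = hashlib.md5(header + bytes(16) + body + self.secret).digest()
        if code != COA_REQUEST or expected != request_auth:
            return None  # RFC 5176: silently discard on authenticator mismatch
        session_id = decode_attrs(body).get(ATTR_ACCT_SESSION_ID, b"").decode(errors="replace")
        if session_id in self.sessions:
            return build_coa_response(COA_ACK, ident, request_auth, [], self.secret)
        return build_coa_response(COA_NAK, ident, request_auth,
                                  [(ATTR_ERROR_CAUSE, ERROR_SESSION_CONTEXT_NOT_FOUND)], self.secret)


def send_coa(gateway, session_id, client_ip, secret, ident=1):
    """Policy-server side: send a CoA and classify the outcome as
    ("CoA-ACK", None), ("CoA-NAK", error_cause) or ("no response", None)."""
    request = build_coa_request(ident, [
        (ATTR_CALLING_STATION_ID, client_ip.encode()),  # for VPN this is the public IP
        (ATTR_ACCT_SESSION_ID, session_id.encode()),
    ], secret)
    response = gateway.handle_coa(request)
    if response is None:
        return ("no response", None)
    header, response_auth = response[:4], response[4:20]
    code, resp_ident, length = struct.unpack("!BBH", header)
    body = response[20:length]
    expected = hashlib.md5(header + request[4:20] + body + secret).digest()
    if resp_ident != ident or expected != response_auth:
        return ("no response", None)  # unverifiable reply is treated as none
    if code == COA_ACK:
        return ("CoA-ACK", None)
    cause = decode_attrs(body).get(ATTR_ERROR_CAUSE)
    return ("CoA-NAK", struct.unpack("!I", cause)[0] if cause else None)


if __name__ == "__main__":
    gw = VpnGateway(b"shared-secret", ["sess-0001"])  # constructed sample values
    print(send_coa(gw, "sess-0001", "203.0.113.10", b"shared-secret"))  # ACK: session live
    gw.reconnect("sess-0001", "sess-0002")
    print(send_coa(gw, "sess-0001", "203.0.113.10", b"shared-secret"))  # NAK 503: old session gone
```

The point to take from running it is that the outcome depends entirely on whether the session ID in the CoA still matches a session the gateway holds; the public IP in Calling-Station-Id is just the endpoint identity for a VPN session and is not what makes the CoA fail. A NAK with Error-Cause 503 is a reply, whereas a request the gateway cannot authenticate (wrong shared secret, or a packet that never reached it) produces no reply at all, which is how the two cases can be told apart in a capture on the gateway.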
