05-22-2018 07:54 AM
Hi all,
I'm searching for a possibility to send a CoA via ISE to an ASA to terminate a VPN connection. The examples that I found require a MAC address with the API call, but VPNs don't have a MAC address.
Is there a way to do that?
Thanks in advance.
Roland
05-22-2018 12:14 PM - last edited on 05-29-2019 07:38 AM by Jason Kunst
See CSCuz18895. It does not seem supported today.
It sounds like a feature request.
For break-fix issues please reach out to the TAC. For feature requests please reach out to our Product Managers: for Cisco employees at http://cs.co/ise-pm, or for the public at http://cs.co/ise-feedback
05-22-2018 11:02 AM
CoA is Change of Authorization, which happens when a certain change of state occurs, e.g. if you run AnyConnect posture and go from non-compliant to compliant.
I am not sure what the use case is here, but here is some documentation I found that may be of use and will explain in detail how to integrate ASA and ISE for CoA:
https://communities.cisco.com/docs/DOC-68158
https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/117693-configure-ASA-00.html
-Krishnan
05-22-2018 01:22 PM
Hey Hsing, do you know if that defect applies to all VPN sessions or just IPSec? The public notes only mention IPSec so I’m just wondering.
Thanks!
05-22-2018 02:59 PM
I believe it is unique to ASA, but there is no difference between IPSec and SSL VPN. The main issue is that the ASA requires Acct-Session-ID and Audit-Session-ID in CoA requests, and the CoA sent by the REST API does not include them.
We could probably try EPS disconnects instead of M&T CoA.
05-22-2018 05:32 PM
I tested it and confirmed that the M&T REST API for CoA is not working with SSL VPN as well, so I updated the bug. EPS Quarantine and UnQuarantine By IP do terminate the VPN sessions.
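The root cause given in the earlier reply (the ASA expects an Acct-Session-Id and an audit-session-id in the CoA request, and the M&T REST API does not send them) is visible at the packet level. The following is an added example, not code from this thread or from Cisco: it builds an RFC 5176 Disconnect-Request carrying those two attributes in Python and extracts them again, so an admin can check what a CoA packet actually contains. The shared secret, user name, session IDs and MAC are constructed sample values, and the request is only built, not sent.

```python
import hashlib
import struct

DISCONNECT_REQUEST = 40          # RFC 5176 packet code
ATTR_USER_NAME = 1
ATTR_VENDOR_SPECIFIC = 26
ATTR_CALLING_STATION_ID = 31     # the MAC-keyed attribute the REST API relies on
ATTR_ACCT_SESSION_ID = 44
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1                 # vendor-type of cisco-av-pair


def avp(attr_type, value):
    """Encode one RADIUS attribute as Type(1) Length(1) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(text):
    """Wrap a cisco-av-pair string in a Vendor-Specific attribute (vendor 9, type 1)."""
    data = text.encode()
    vsa = struct.pack("!BB", CISCO_AVPAIR, len(data) + 2) + data
    return avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + vsa)


def build_disconnect_request(identifier, secret, attrs):
    """Assemble a Disconnect-Request; authenticator = MD5(header + 16 zero bytes + attrs + secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def asa_session_keys(packet):
    """Return (acct_session_id, audit_session_id) found in the packet; None for any that is missing."""
    acct = audit = None
    pos = 20                                   # attributes start after the 20-byte header
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + attr_len]
        if attr_type == ATTR_ACCT_SESSION_ID:
            acct = value.decode()
        elif (attr_type == ATTR_VENDOR_SPECIFIC and len(value) >= 6
              and value[:4] == struct.pack("!I", CISCO_VENDOR_ID) and value[4] == CISCO_AVPAIR):
            text = value[6:4 + value[5]].decode()   # vendor-length covers its own 2 header bytes
            if text.startswith("audit-session-id="):
                audit = text.split("=", 1)[1]
        pos += attr_len
    return acct, audit


SECRET = b"constructed-shared-secret"          # constructed sample value
# Shape of a request the ASA accepts: both session keys present (sample IDs are constructed).
GOOD = build_disconnect_request(1, SECRET, [avp(ATTR_USER_NAME, b"vpnuser"),
                                            avp(ATTR_ACCT_SESSION_ID, b"0A010101000000123"),
                                            cisco_avpair("audit-session-id=0a0101010000012345abcdef")])
# Assumed shape of a MAC-keyed request: only Calling-Station-Id, which a VPN session never has.
MAC_ONLY = build_disconnect_request(2, SECRET, [avp(ATTR_CALLING_STATION_ID, b"00-11-22-33-44-55")])
```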
05-29-2019 03:08 AM
Hello,
I'm having the same problem, using ISE 2.4 patch 8 with ASA 9.2.4.
Is Cisco planning to fix this bug?
Regards
Silla Rizzoli
05-29-2019 07:47 AM
Hello,
it's not really a feature request, because if I invoke CoA from the Active Sessions ISE GUI, it works just fine.
I'll reach out to TAC to try to get it fixed.
Regards
Silla Rizzoli
11-26-2019 08:45 AM
Fully agree with you, this is a bug, since from the GUI it is working.
Did you move forward with TAC?
01-29-2020 03:15 AM
It looks like it's finally solved in ISE 2.4 patch 11; check out the bug -> https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuz18895
Haven't tried it yet, however.
Best regards
Silla