Searching for a possibility to send a CoA via ISE to an ASA to terminate a VPN connection. The examples that I found require a MAC address with the API call, but VPNs don't have a MAC address.
Is there a way to do that?
Thanks in advance.
CoA is Change of Authorization, which happens when a certain change of state happens, for example if you run AnyConnect posture from non-compliant to compliant.
I am not sure what the use case is here, but here is documentation I found that may be of use and that explains in detail how to integrate ASA and ISE for CoA.
Hey Hsing, do you know if that defect applies to all VPN sessions or just IPSec? The public notes only mention IPSec so I’m just wondering.
I believe it is unique to ASA, but there is no difference between IPSec and SSL VPN. The main issue is that the ASA requires Acct-Session-ID and Audit-Session-ID in CoA requests, and the CoA by the REST API is not sending them.
We could probably try EPS disconnects instead of M&T CoA.
I tested it and confirmed that the M&T REST API for CoA is not working with SSL VPN as well, so I updated the bug. EPS Quarantine and UnQuarantine By IP do terminate the VPN sessions.
It's not really a feature request, because if I invoke CoA from the Active Sessions ISE GUI, it works just fine.
I'll reach out to TAC to try to get it fixed.
It looks like it's finally solved in ISE 2.4 patch 11; check out the bug -> https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuz18895
Haven't tried it yet, however.