ISE No Policy Server Detected error

atif.mohamed
Level 1

Hi,

 

Please help me remediate this annoying issue that many users are seeing on their AnyConnect (no policy server). I am not sure where the issue is, and TAC is also not being helpful.

Configuration:

ISE V 2.0 Patch 4

ISE discovery host IP is set to one of the PAN nodes 10.X.32.112

ASA V 9.4

AnyConnect 4.7

Compliance Module 3.6.X

 

Observation: The issue fixes after PC reboots

 

Note #1: We started seeing this after making split tunnel changes due to Corona. Earlier there was no split tunnel; now everything is split. The split ACL type is tunnel specified; we only tunnel RFC 1918 and the enroll.cisco.com IP.

 

Note #2: We also have the Zscaler proxy app on PCs; sometimes (not all the time) the issue seems to be resolved when we quit the app.

Redirect ACL on ASA
access-list REDIRECT remark permit DC1 PSN's and VIP
access-list REDIRECT extended deny ip any host X.X.X.61
access-list REDIRECT extended deny ip any host X.X.32.112
access-list REDIRECT extended deny ip any host X.X.32.113
access-list REDIRECT extended deny ip any host X.X.32.114
access-list REDIRECT extended deny ip any host X.X.32.115
access-list REDIRECT extended deny ip any host X.X.32.116
access-list REDIRECT remark permit DC2 PSNs and VIP
access-list REDIRECT extended deny ip any host X.X.X.61
access-list REDIRECT extended deny ip any host X.X.32.112
access-list REDIRECT extended deny ip any host X.X.32.113
access-list REDIRECT extended deny ip any host X.X.32.114
access-list REDIRECT extended deny ip any host X.X.32.115
access-list REDIRECT extended deny ip any host X.X.32.116
access-list REDIRECT remark permit DC3 PSNs and VIP
access-list REDIRECT extended deny ip any host X.X.X.61
access-list REDIRECT extended deny ip any host X.X.32.110
access-list REDIRECT extended deny ip any host X.X.32.111
access-list REDIRECT extended deny ip any host X.X.32.112
access-list REDIRECT extended deny ip any host X.X.32.113
access-list REDIRECT extended deny ip any host X.X.32.114
access-list REDIRECT extended deny ip any host X.X.32.115
access-list REDIRECT extended deny ip any host X.X.32.116
access-list REDIRECT extended deny udp any any eq domain
access-list REDIRECT extended permit ip any any

 

Your help would be very much appreciated.

 

Thanks.

Atif
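
An added example, not part of the original post or of any Cisco tooling: a small Python check for a redirect ACL of the shape posted above. It evaluates the ACL first-match (on the ASA a `deny` entry exempts traffic from redirection and a `permit` entry redirects it) and lists repeated entries. The 192.0.2.x addresses and all function names are assumptions made for the illustration.

```python
import re
from collections import Counter

# Constructed sample shaped like the REDIRECT ACL above; the 192.0.2.x
# addresses are placeholders, not values from the post.
SAMPLE_ACL = """\
access-list REDIRECT remark permit DC1 PSN's and VIP
access-list REDIRECT extended deny ip any host 192.0.2.61
access-list REDIRECT extended deny ip any host 192.0.2.112
access-list REDIRECT remark permit DC2 PSNs and VIP
access-list REDIRECT extended deny ip any host 192.0.2.61
access-list REDIRECT extended deny ip any host 192.0.2.112
access-list REDIRECT extended deny udp any any eq domain
access-list REDIRECT extended permit ip any any
"""

# Covers only the ACE forms used in the post: source "any", destination
# "host <ip>" or "any", optional "eq <port>".
ACE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)\s+any\s+"
                 r"(?:host\s+(\S+)|(any))(?:\s+eq\s+(\S+))?\s*$")
PORTS = {"domain": "53", "www": "80", "https": "443"}  # ASA port keywords

def parse_aces(text, name="REDIRECT"):
    """Return ordered (action, proto, dst, port) tuples; remarks are skipped."""
    aces = []
    for line in text.splitlines():
        m = ACE.match(line.strip())
        if not m or m.group(1) != name:
            continue  # remark lines, other ACLs, unsupported ACE forms
        action, proto, host, _any, port = m.groups()[1:]
        aces.append((action, proto, host or "any", PORTS.get(port, port)))
    return aces

def redirect_decision(aces, dst, proto="tcp", dport=None):
    """First match wins: 'deny' = not redirected, 'permit' = redirected."""
    for action, ace_proto, ace_dst, ace_port in aces:
        if (ace_proto in ("ip", proto) and ace_dst in ("any", dst)
                and ace_port in (None, str(dport))):
            return action
    return "deny"  # implicit deny ends every ASA ACL, so nothing is redirected

def duplicate_aces(aces):
    """ACEs that appear more than once (harmless, but they hide real gaps)."""
    return [ace for ace, n in Counter(aces).items() if n > 1]
```

Running `redirect_decision` for the configured discovery host and for each PSN shows whether posture traffic to them bypasses redirection as intended.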

1 Reply

ade5
Level 1

You said the issue seems to fix after reboot. Try doing a packet capture after reboot and see if traffic to the ISE server is going through or not. I'd let that packet capture run until the issue has come back. Check the capture and see if there is an application that blocks it.