ISE Posture and CoA Error

Steven Williams
Level 4

I am having some issues with my VPN posture process, and I can't seem to figure it out. It's telling me there is a CoA error, but I know CoA is working because I have another policy with ISE working with the ASA device just fine, which is using CoA.

 

I think the issue is possibly with an ACL after the posture scan is completed. The client grabs the posture-unknown dACL and gets redirected but never gets the final dACL I need it to get.

 

[screenshot: Screen Shot 2019-04-02 at 7.57.37 PM.png]

 

The redirect ACL on the ASA denies DHCP, DNS, the ISE servers and internet ports 80/443, and then permits ip any after that.

 

[screenshot: Screen Shot 2019-04-02 at 8.05.29 PM.png]

 

 

ASA ACL:

 

access-list ISE_POSTURE_REDIRECT extended deny udp any eq bootpc any eq bootps
access-list ISE_POSTURE_REDIRECT extended deny udp any any eq domain
access-list ISE_POSTURE_REDIRECT extended deny ip any host 10.20.0.85
access-list ISE_POSTURE_REDIRECT extended deny ip any host 10.81.3.25
access-list ISE_POSTURE_REDIRECT extended permit ip any any
access-list ISE_POSTURE_REDIRECT extended deny ip any any

!

aaa-server BNA_ISE protocol radius
authorize-only
interim-accounting-update periodic 3
merge-dacl before-avpair
dynamic-authorization
aaa-server BNA_ISE (Management) host 10.20.0.85
retry-interval 3
timeout 30
key *****
no mschapv2-capable
aaa-server BNA_ISE (Management) host 10.81.3.25
retry-interval 3
timeout 30
key *****

!

!

 

[screenshots: Screen Shot 2019-04-02 at 8.07.58 PM.png, Screen Shot 2019-04-02 at 8.08.32 PM.png]

 

So it looks like it gets through the unknown posture assessment and then just fails when it needs to give out the dACL for the access permitted for that user.

 

Suggestions?


8 Replies

Francesco Molino
VIP Alumni
Hi

The issue you're getting is when your device becomes compliant, right?

Can you share your policy and dACL you're trying to push?

Did you configure the auto-detect/convert ACL format when it is received on the ASA?

Have you run a debug to see what the ASA is receiving from or telling ISE?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

What is auto detect convert?

What debugs should I run to see this?

Mike.Cifelli
VIP Alumni (Accepted Solution)
So the logic of the Redirect ACL on your ASA is actually backwards. What I mean by this is identified below:
access-list ISE_POSTURE_REDIRECT extended deny udp any eq bootpc any eq bootps (permit)
access-list ISE_POSTURE_REDIRECT extended deny udp any any eq domain (permit)
access-list ISE_POSTURE_REDIRECT extended deny ip any host 10.20.0.85 (permit)
access-list ISE_POSTURE_REDIRECT extended deny ip any host 10.81.3.25 (permit)
access-list ISE_POSTURE_REDIRECT extended permit ip any any (deny)
access-list ISE_POSTURE_REDIRECT extended deny ip any any (permit; don't need; redundant)

For your compliant authz result dacl you need to have the same ACL on your ASA. For example:

User passes scan; ISE authz result is permit any; The dacl name is AnyConnect_Compliant; On your ASA ACL manager create an ACL with same name "AnyConnect_Compliant" permit ip any any; Also, ensure that port 1700 is not blocked in the path.

When the user passes the scan, the dACL that is given is based on their AD group membership, and they are given the access they need on the network.

 

So this is the dACL that the user needs to get once the posture scan is done and the client is "compliant":

remark IT User Access
permit ip any 10.199.199.0 255.255.255.0
permit ip any 10.81.0.0 255.255.0.0
permit ip any 10.20.0.0 255.255.0.0
permit ip any 192.168.1.0 255.255.255.0
permit ip any 192.168.10.0 255.255.255.0
permit ip any 192.168.7.0 255.255.255.0
permit ip any 192.168.242.0 255.255.255.0
permit ip any 192.168.254.0 255.255.255.0
permit ip any 172.16.3.0 255.255.255.0
permit ip any 192.168.21.0 255.255.255.0

remark Lab Access
permit ip any 10.0.1.0 255.255.255.0
permit ip any 10.0.10.0 255.255.255.0
permit ip any 10.0.100.0 255.255.255.0
permit ip any 192.168.13.0 255.255.255.0

remark Deny Internal Segments
deny ip any 192.168.0.0 255.255.0.0
deny ip any 10.0.0.0 255.0.0.0
deny ip any 172.16.0.0 255.240.0.0

remark Allow INET
permit ip any any

 

This is the policy set:

 

[screenshot: Screen Shot 2019-04-03 at 9.22.25 AM.png]

Also, this is what my logs are saying. 10.20.0.85 is ISE and 10.199.199.* is the VPN client IP address.

 

Apr 2 19:59:05 bna-asacore-01.eftdomain.net Apr 02 2019 19:59:07: %ASA-6-106015: Deny TCP (no connection) from 10.20.0.85/8443 to 10.199.199.12/60526 flags FIN PSH ACK on interface YELLOW_PROD
Apr 2 19:59:05 bna-asacore-01.eftdomain.net Apr 02 2019 19:59:06: %ASA-6-106015: Deny TCP (no connection) from 10.20.0.85/8443 to 10.199.199.12/60520 flags FIN PSH ACK on interface YELLOW_PROD
Apr 2 19:58:21 10.53.0.251 %ASA-6-106015: Deny TCP (no connection) from 10.199.199.12/60527 to 10.20.0.85/8443 flags RST on interface outside
Apr 2 19:58:08 10.53.0.251 %ASA-6-106015: Deny TCP (no connection) from 10.199.199.12/60523 to 10.20.0.85/8443 flags RST on interface outside
Apr 2 19:58:08 10.53.0.251 %ASA-6-106015: Deny TCP (no connection) from 10.199.199.12/60522 to 10.20.0.85/8443 flags ACK on interface outside
Apr 2 19:57:41 bna-asacore-01.eftdomain.net Apr 02 2019 19:57:42: %ASA-6-106015: Deny TCP (no connection) from 10.20.0.85/443 to 10.199.199.12/60429 flags FIN ACK on interface YELLOW_PROD
Apr 2 19:57:41 bna-asacore-01.eftdomain.net Apr 02 2019 19:57:42: %ASA-6-106015: Deny TCP (no connection) from 10.20.0.85/443 to 10.199.199.12/60429 flags ACK on interface YELLOW_PROD
Apr 2 19:57:41 10.53.0.251 %ASA-6-106015: Deny TCP (no connection) from 10.199.199.12/60426 to 10.20.0.85/443 flags RST on interface outside
Apr 2 19:57:41 10.53.0.251 %ASA-6-106015: Deny TCP (no connection) from 10.199.199.12/60428 to 10.20.0.85/443 flags RST on interface outside
Apr 2 19:57:00 10.53.0.251 %ASA-6-106015: Deny TCP (no connection) from 10.199.199.12/60343 to 10.20.0.85/443 flags RST on interface outside
Apr 2 19:57:00 10.53.0.251 %ASA-6-106015: Deny TCP (no connection) from 10.199.199.12/60337 to 10.20.0.85/443 flags RST on interface outside
Apr 2 19:57:00 10.53.0.251 %ASA-6-106015: Deny TCP (no connection) from 10.20.0.85/443 to 10.199.199.12/60338 flags FIN ACK on interface INSIDE

BNA-VPN-TEST-01# show vpn-sessiondb detail anyconnect

Session Type: AnyConnect Detailed

Username : stevenwilliams Index : 7842
Assigned IP : 10.199.199.12 Public IP : *
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES256 DTLS-Tunnel: (1)3DES
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA256 DTLS-Tunnel: (1)SHA1
Bytes Tx : 175919 Bytes Rx : 163209
Pkts Tx : 664 Pkts Rx : 985
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Group Policy : SSLVPN Tunnel Group : DefaultWEBVPNGroup
Login Time : 10:04:33 CST Wed Apr 3 2019
Duration : 0h:01m:36s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : 0a3500fb01ea20005ca4cb81
Security Grp : none

AnyConnect-Parent Tunnels: 1
SSL-Tunnel Tunnels: 1
DTLS-Tunnel Tunnels: 1

AnyConnect-Parent:
Tunnel ID : 7842.1
Public IP : *
Encryption : none Hashing : none
TCP Src Port : 10780 TCP Dst Port : 443
Auth Mode : userPassword
Idle Time Out: 5 Minutes Idle TO Left : 3 Minutes
Client OS : win
Client OS Ver: 10.0.17134
Client Type : AnyConnect
Client Ver : Cisco AnyConnect VPN Agent for Windows 4.6.03049
Bytes Tx : 8052 Bytes Rx : 0
Pkts Tx : 6 Pkts Rx : 0
Pkts Tx Drop : 0 Pkts Rx Drop : 0

SSL-Tunnel:
Tunnel ID : 7842.2
Assigned IP : 10.199.199.12 Public IP : *
Encryption : AES256 Hashing : SHA256
Ciphersuite : DHE-RSA-AES256-SHA256
Encapsulation: TLSv1.2 TCP Src Port : 10783
TCP Dst Port : 443 Auth Mode : userPassword
Idle Time Out: 5 Minutes Idle TO Left : 3 Minutes
Client OS : Windows
Client Type : SSL VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Windows 4.6.03049
Bytes Tx : 8404 Bytes Rx : 424
Pkts Tx : 9 Pkts Rx : 6
Pkts Tx Drop : 0 Pkts Rx Drop : 0

DTLS-Tunnel:
Tunnel ID : 7842.3
Assigned IP : 10.199.199.12 Public IP : *
Encryption : 3DES Hashing : SHA1
Ciphersuite : DES-CBC3-SHA
Encapsulation: DTLSv1.0 UDP Src Port : 9424
UDP Dst Port : 443 Auth Mode : userPassword
Idle Time Out: 5 Minutes Idle TO Left : 5 Minutes
Client OS : Windows
Client Type : DTLS VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Windows 4.6.03049
Bytes Tx : 161835 Bytes Rx : 164630
Pkts Tx : 661 Pkts Rx : 994
Pkts Tx Drop : 0 Pkts Rx Drop : 0

ISE Posture:
Redirect URL : https://BNAPINFISE001.eftdomain.net:8443/portal/gateway?sessionId=0a3500fb01ea20005ca4cb81&portal=0d2e...
Redirect ACL : ISE_POSTURE_REDIRECT



BNA-VPN-TEST-01# show log
Syslog logging: enabled
Facility: 21
Timestamp logging: disabled
Hide Username logging: enabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: level warnings, 45562 messages logged
Buffer logging: level informational, 3344774 messages logged
Trap logging: level informational, facility 21, 6377800 messages logged
Logging to INSIDE 10.20.0.102, UDP TX:1862789 errors: 30 dropped: 235
Global TCP syslog stats::
NOT_PUTABLE: 0, ALL_CHANNEL_DOWN: 0
CHANNEL_FLAP_CNT: 0, SYSLOG_PKT_LOSS: 0
PARTIAL_REWRITE_CNT: 0
Permit-hostdown logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: level debugging, 8235696 messages logged
%ASA-6-302014: Teardown TCP connection 1341232 for outside:10.199.199.12/56013(LOCAL\stevenwilliams) to outside:13.107.4.52/80 duration 0:00:00 bytes 300 TCP FINs from outside (stevenwilliams)
%ASA-6-302015: Built inbound UDP connection 1341233 for outside:10.199.199.12/49673 (10.199.199.12/49673)(LOCAL\stevenwilliams) to INSIDE:10.20.42.41/161 (10.20.42.41/161) (stevenwilliams)
%ASA-4-113042: Non-HTTP connection from outside:10.199.199.12/49673 to INSIDE:10.20.42.41/161 denied by redirect filter; only HTTP connections are supported for redirection.
%ASA-6-302016: Teardown UDP connection 1341233 for outside:10.199.199.12/49673(LOCAL\stevenwilliams) to INSIDE:10.20.42.41/161 duration 0:00:00 bytes 0 (stevenwilliams)
%ASA-6-305012: Teardown dynamic TCP translation from outside:10.199.199.12/54934(LOCAL\stevenwilliams) to outside:*/54934 duration 0:00:31
%ASA-6-305012: Teardown dynamic TCP translation from outside:10.199.199.12/54935(LOCAL\stevenwilliams) to outside:*/54935 duration 0:00:31
%ASA-6-302013: Built inbound TCP connection 1341234 for outside:10.199.199.12/56010 (*/56010)(LOCAL\stevenwilliams) to outside:65.199.248.12/443 (65.199.248.12/443) (stevenwilliams)
%ASA-4-113042: Non-HTTP connection from outside:10.199.199.12/56010 to outside:65.199.248.12/443 denied by redirect filter; only HTTP connections are supported for redirection.
%ASA-6-302014: Teardown TCP connection 1341234 for outside:10.199.199.12/56010(LOCAL\stevenwilliams) to outside:65.199.248.12/443 duration 0:00:00 bytes 0 Flow closed by inspection (stevenwilliams)
%ASA-6-302015: Built inbound UDP connection 1341235 for outside:10.199.199.12/53267 (10.199.199.12/53267)(LOCAL\stevenwilliams) to INSIDE:10.20.0.55/53 (10.20.0.55/53) (stevenwilliams)
%ASA-6-305011: Built dynamic TCP translation from outside:10.199.199.12/56015(LOCAL\stevenwilliams) to outside:*/56015
%ASA-6-302013: Built inbound TCP connection 1341236 for outside:10.199.199.12/56015 (*/56015)(LOCAL\stevenwilliams) to outside:8.253.185.120/80 (8.253.185.120/80) (stevenwilliams)
%ASA-6-302013: Built inbound TCP connection 1341237 for outside:10.199.199.12/56016 (10.199.199.12/56016)(LOCAL\stevenwilliams) to INSIDE:10.20.0.85/8443 (10.20.0.85/8443) (stevenwilliams)
%ASA-6-305011: Built dynamic TCP translation from outside:10.199.199.12/56017(LOCAL\stevenwilliams) to outside:*/56017
%ASA-6-302013: Built inbound TCP connection 1341238 for outside:10.199.199.12/56017 (*/56017)(LOCAL\stevenwilliams) to outside:52.114.132.21/443 (52.114.132.21/443) (stevenwilliams)
%ASA-4-113042: Non-HTTP connection from outside:10.199.199.12/56017 to outside:52.114.132.21/443 denied by redirect filter; only HTTP connections are supported for redirection.
%ASA-6-302014: Teardown TCP connection 1341238 for outside:10.199.199.12/56017(LOCAL\stevenwilliams) to outside:52.114.132.21/443 duration 0:00:00 bytes 0 Flow closed by inspection (stevenwilliams)
%ASA-4-113042: Non-HTTP connection from outside:10.199.199.12/56011 to INSIDE:10.20.0.94/443 denied by redirect filter; only HTTP connections are supported for redirection.
%ASA-6-302013: Built inbound TCP connection 1341239 for outside:10.199.199.12/56011 (10.199.199.12/56011)(LOCAL\stevenwilliams) to INSIDE:10.20.0.94/443 (10.20.0.94/443) (stevenwilliams)
%ASA-6-302014: Teardown TCP connection 1341239 for outside:10.199.199.12/56011(LOCAL\stevenwilliams) to INSIDE:10.20.0.94/443 duration 0:00:00 bytes 0 Flow closed by inspection (stevenwilliams)
%ASA-6-302014: Teardown TCP connection 1341237 for outside:10.199.199.12/56016(LOCAL\stevenwilliams) to INSIDE:10.20.0.85/8443 duration 0:00:00 bytes 1691 TCP FINs from outside (stevenwilliams)
%ASA-6-302016: Teardown UDP connection 1341235 for outside:10.199.199.12/53267(LOCAL\stevenwilliams) to INSIDE:10.20.0.55/53 duration 0:00:00 bytes 205 (stevenwilliams)
%ASA-6-302014: Teardown TCP connection 1341236 for outside:10.199.199.12/56015(LOCAL\stevenwilliams) to outside:8.253.185.120/80 duration 0:00:00 bytes 300 TCP FINs from outside (stevenwilliams)
%ASA-6-302013: Built inbound TCP connection 1341240 for outside:10.199.199.12/56017 (*/56017)(LOCAL\stevenwilliams) to outside:52.114.132.21/443 (52.114.132.21/443) (stevenwilliams)
%ASA-4-113042: Non-HTTP connection from outside:10.199.199.12/56017 to outside:52.114.132.21/443 denied by redirect filter; only HTTP connections are supported for redirection.
%ASA-6-302014: Teardown TCP connection 1341240 for outside:10.199.199.12/56017(LOCAL\stevenwilliams) to outside:52.114.132.21/443 duration 0:00:00 bytes 0 Flow closed by inspection (stevenwilliams)
%ASA-6-302015: Built inbound UDP connection 1341241 for outside:10.199.199.12/49673 (10.199.199.12/49673)(LOCAL\stevenwilliams) to INSIDE:10.20.42.41/161 (10.20.42.41/161) (stevenwilliams)
%ASA-4-113042: Non-HTTP connection from outside:10.199.199.12/49673 to INSIDE:10.20.42.41/161 denied by redirect filter; only HTTP connections are supported for redirection.
%ASA-6-302016: Teardown UDP connection 1341241 for outside:10.199.199.12/49673(LOCAL\stevenwilliams) to INSIDE:10.20.42.41/161 duration 0:00:00 bytes 0 (stevenwilliams)
%ASA-6-305011: Built dynamic TCP translation from outside:10.199.199.12/56018(LOCAL\stevenwilliams) to outside:*/56018
%ASA-6-302013: Built inbound TCP connection 1341242 for outside:10.199.199.12/56018 (*/56018)(LOCAL\stevenwilliams) to outside:23.55.210.189/443 (23.55.210.189/443) (stevenwilliams)
%ASA-4-113042: Non-HTTP connection from outside:10.199.199.12/56018 to outside:23.55.210.189/443 denied by redirect filter; only HTTP connections are supported for redirection.
%ASA-6-302014: Teardown TCP connection 1341242 for outside:10.199.199.12/56018(LOCAL\stevenwilliams) to outside:23.55.210.189/443 duration 0:00:00 bytes 0 Flow closed by inspection (stevenwilliams)
%ASA-6-302015: Built inbound UDP connection 1341243 for outside:10.199.199.12/49512 (10.199.199.12/49512)(LOCAL\stevenwilliams) to INSIDE:10.20.0.55/53 (10.20.0.55/53) (stevenwilliams)
%ASA-6-302015: Built inbound UDP connection 1341244 for outside:10.199.199.12/59420 (10.199.199.12/59420)(LOCAL\stevenwilliams) to INSIDE:10.20.0.55/53 (10.20.0.55/53) (stevenwilliams)
%ASA-6-302015: Built inbound UDP connection 1341245 for outside:10.199.199.12/63488 (10.199.199.12/63488)(LOCAL\stevenwilliams) to INSIDE:10.20.0.55/53 (10.20.0.55/53) (stevenwilliams)
%ASA-6-302015: Built inbound UDP connection 1341246 for outside:10.199.199.12/51261 (10.199.199.12/51261)(LOCAL\stevenwilliams) to INSIDE:10.20.0.55/53 (10.20.0.55/53) (stevenwilliams)
%ASA-6-302015: Built inbound UDP connection 1341247 for outside:10.199.199.12/61446 (10.199.199.12/61446)(LOCAL\stevenwilliams) to INSIDE:10.20.0.55/53 (10.20.0.55/53) (stevenwilliams)
%ASA-6-302015: Built inbound UDP connection 1341248 for outside:10.199.199.12/65519 (10.199.199.12/65519)(LOCAL\stevenwilliams) to INSIDE:10.20.0.55/53 (10.20.0.55/53) (stevenwilliams)
%ASA-6-302015: Built inbound UDP connection 1341249 for outside:10.199.199.12/63895 (10.199.199.12/63895)(LOCAL\stevenwilliams) to INSIDE:10.20.0.55/53 (10.20.0.55/53) (stevenwilliams)
%ASA-6-302016: Teardown UDP connection 1341243 for outside:10.199.199.12/49512(LOCAL\stevenwilliams) to INSIDE:10.20.0.55/53 duration 0:00:00 bytes 139 (stevenwilliams)
%ASA-6-302016: Teardown UDP connection 1341244 for outside:10.199.199.12/59420(LOCAL\stevenwilliams) to INSIDE:10.20.0.55/53 duration 0:00:00 bytes 132 (stevenwilliams)
%ASA-6-302016: Teardown UDP connection 1341245 for outside:10.199.199.12/63488(LOCAL\stevenwilliams) to INSIDE:10.20.0.55/53 duration 0:00:00 bytes 134 (stevenwilliams)
%ASA-6-302016: Teardown UDP connection 1341246 for outside:10.199.199.12/51261(LOCAL\stevenwilliams) to INSIDE:10.20.0.55/53 duration 0:00:00 bytes 140 (stevenwilliams)
%ASA-6-302013: Built outbound TCP connection 1341250 for Management:10.20.0.85/49 (10.20.0.85/49) to identity:10.20.63.74/61529 (10.20.63.74/61529)
%ASA-6-302016: Teardown UDP connection 1341247 for outside:10.199.199.12/61446(LOCAL\stevenwilliams) to INSIDE:10.20.0.55/53 duration 0:00:00 bytes 141 (stevenwilliams)

Found it! It was a downstream ACL issue on my core firewall. The rule was set for TCP port 1700 and not UDP port 1700, so now it's getting the dACL.

Good job. So one of my suggested areas to check from my original comment. Glad it is working!
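A worked model of the two points this thread turns on, added here as an example and not code from the thread or from Cisco: it evaluates VPN client flows against the OP's redirect ACL using the ASA's redirect-ACL semantics (a deny match bypasses redirection, a permit match redirects HTTP, and a permitted non-HTTP flow is dropped, which is what the %ASA-4-113042 lines above show), and it checks whether a first-match firewall rule list actually lets RADIUS CoA through on UDP/1700 rather than TCP/1700, the root cause found at the end. The firewall rule tuples and the ASA address 192.0.2.10 are constructed.

```python
# Added example, not code from the thread: ASA redirect-ACL classification plus a CoA (UDP/1700) rule check.
from dataclasses import dataclass
from typing import List, Optional
PORTS = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80, "https": 443}

@dataclass
class Ace:
    action: str            # "permit" (redirect this flow) or "deny" (bypass redirection)
    proto: str             # "ip", "tcp" or "udp"
    dst: str               # "any" or a host address
    dport: Optional[int]   # destination port; None means any

def parse_ace(line: str) -> Ace:
    """Parse one 'access-list NAME extended ...' line (the subset of syntax used in the thread)."""
    tok = line.split()
    i = tok.index("extended")
    action, proto = tok[i + 1], tok[i + 2]
    i += 4                                   # skip past the 'any' source
    if i < len(tok) and tok[i] == "eq":      # optional source port, e.g. 'eq bootpc'
        i += 2
    if tok[i] == "host":
        dst, i = tok[i + 1], i + 2
    else:
        dst, i = tok[i], i + 1
    dport = (PORTS.get(tok[i + 1]) or int(tok[i + 1])) if i < len(tok) and tok[i] == "eq" else None
    return Ace(action, proto, dst, dport)

def classify(acl: List[Ace], proto: str, dst: str, dport: int) -> str:
    """First-match evaluation with redirect-ACL semantics: 'deny' = bypass redirection; 'permit'
    redirects HTTP (tcp/80) and, as the thread's %ASA-4-113042 logs show, drops anything else."""
    for ace in acl:
        if ace.proto not in ("ip", proto) or (ace.dst != "any" and ace.dst != dst):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        if ace.action == "deny":
            return "bypass"
        return "redirect" if (proto, dport) == ("tcp", 80) else "drop"
    return "bypass"   # implicit deny at the end of a redirect ACL: flow is simply not redirected

def coa_rule_ok(rules: List[tuple], ise_ip: str, asa_ip: str) -> bool:
    """True if first-match rules (action, proto, src, dst, dport) let RADIUS CoA (UDP/1700) reach the ASA."""
    for action, proto, src, dst, dport in rules:
        if (src in ("any", ise_ip) and dst in ("any", asa_ip)
                and proto in ("ip", "udp") and dport in (None, 1700)):
            return action == "permit"
    return False   # no matching rule: a tcp/1700 entry, the thread's root cause, never matches

# The OP's redirect ACL, copied from the thread.
REDIRECT_ACL = [parse_ace(l) for l in """
access-list ISE_POSTURE_REDIRECT extended deny udp any eq bootpc any eq bootps
access-list ISE_POSTURE_REDIRECT extended deny udp any any eq domain
access-list ISE_POSTURE_REDIRECT extended deny ip any host 10.20.0.85
access-list ISE_POSTURE_REDIRECT extended deny ip any host 10.81.3.25
access-list ISE_POSTURE_REDIRECT extended permit ip any any
access-list ISE_POSTURE_REDIRECT extended deny ip any any
""".split("\n") if l]
# Constructed core-firewall rules; 192.0.2.10 stands in for the ASA's address.
WRONG_COA_RULES = [("permit", "tcp", "10.20.0.85", "192.0.2.10", 1700)]
FIXED_COA_RULES = [("permit", "udp", "10.20.0.85", "192.0.2.10", 1700)]
```

The sample flows in the test mirror the OP's syslog: DNS to 10.20.0.55 and the ISE portal on 8443 bypass the redirect, HTTP on port 80 is redirected, and HTTPS or SNMP that falls through to the permit entry is dropped by the redirect filter.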