04-02-2019 06:09 PM
I am having some issues with my VPN posture process, and I can't seem to figure it out. It's telling me there is a CoA error, but I know CoA is working because I have another policy with ISE working with the ASA device just fine, which is using CoA.
I think the issue is possibly with an ACL after the posture scan is completed. The client grabs the posture-unknown dACL and gets redirected, but never gets the final dACL I need it to get.
The redirect on the ASA says deny DHCP, DNS, ISE Servers, internet port 80/443 and then permit ip any after that.
ASA ACL:
access-list ISE_POSTURE_REDIRECT extended deny udp any eq bootpc any eq bootps
access-list ISE_POSTURE_REDIRECT extended deny udp any any eq domain
access-list ISE_POSTURE_REDIRECT extended deny ip any host 10.20.0.85
access-list ISE_POSTURE_REDIRECT extended deny ip any host 10.81.3.25
access-list ISE_POSTURE_REDIRECT extended permit ip any any
access-list ISE_POSTURE_REDIRECT extended deny ip any any
!
aaa-server BNA_ISE protocol radius
authorize-only
interim-accounting-update periodic 3
merge-dacl before-avpair
dynamic-authorization
aaa-server BNA_ISE (Management) host 10.20.0.85
retry-interval 3
timeout 30
key *****
no mschapv2-capable
aaa-server BNA_ISE (Management) host 10.81.3.25
retry-interval 3
timeout 30
key *****
!
!
So it looks like it gets through the unknown posture assessment and then just fails when it needs to give out the dACL for the access permitted for that user.
Suggestions?
04-02-2019 08:35 PM
04-03-2019 04:24 AM
04-03-2019 06:18 AM
04-03-2019 07:30 AM
When the user passes the scan, the dACL that is given is based on their AD group membership, and they are given the access they need on the network.
So the dACL the user needs to get once the posture scan is done and the client is "compliant" looks like this:
remark IT User Access
permit ip any 10.199.199.0 255.255.255.0
permit ip any 10.81.0.0 255.255.0.0
permit ip any 10.20.0.0 255.255.0.0
permit ip any 192.168.1.0 255.255.255.0
permit ip any 192.168.10.0 255.255.255.0
permit ip any 192.168.7.0 255.255.255.0
permit ip any 192.168.242.0 255.255.255.0
permit ip any 192.168.254.0 255.255.255.0
permit ip any 172.16.3.0 255.255.255.0
permit ip any 192.168.21.0 255.255.255.0
remark Lab Access
permit ip any 10.0.1.0 255.255.255.0
permit ip any 10.0.10.0 255.255.255.0
permit ip any 10.0.100.0 255.255.255.0
permit ip any 192.168.13.0 255.255.255.0
remark Deny Internal Segments
deny ip any 192.168.0.0 255.255.0.0
deny ip any 10.0.0.0 255.0.0.0
deny ip any 172.16.0.0 255.240.0.0
remark Allow INET
permit ip any any
This is the policy set:
04-03-2019 07:45 AM
Also, this is what my logs are saying. 10.20.0.85 is ISE and 10.199.199.* is the VPN client IP address.
Apr 2 19:59:05 bna-asacore-01.eftdomain.net Apr 02 2019 19:59:07: %ASA-6-106015: Deny TCP (no connection) from 10.20.0.85/8443 to 10.199.199.12/60526 flags FIN PSH ACK on interface YELLOW_PROD
Apr 2 19:59:05 bna-asacore-01.eftdomain.net Apr 02 2019 19:59:06: %ASA-6-106015: Deny TCP (no connection) from 10.20.0.85/8443 to 10.199.199.12/60520 flags FIN PSH ACK on interface YELLOW_PROD
Apr 2 19:58:21 10.53.0.251 %ASA-6-106015: Deny TCP (no connection) from 10.199.199.12/60527 to 10.20.0.85/8443 flags RST on interface outside
Apr 2 19:58:08 10.53.0.251 %ASA-6-106015: Deny TCP (no connection) from 10.199.199.12/60523 to 10.20.0.85/8443 flags RST on interface outside
Apr 2 19:58:08 10.53.0.251 %ASA-6-106015: Deny TCP (no connection) from 10.199.199.12/60522 to 10.20.0.85/8443 flags ACK on interface outside
Apr 2 19:57:41 bna-asacore-01.eftdomain.net Apr 02 2019 19:57:42: %ASA-6-106015: Deny TCP (no connection) from 10.20.0.85/443 to 10.199.199.12/60429 flags FIN ACK on interface YELLOW_PROD
Apr 2 19:57:41 bna-asacore-01.eftdomain.net Apr 02 2019 19:57:42: %ASA-6-106015: Deny TCP (no connection) from 10.20.0.85/443 to 10.199.199.12/60429 flags ACK on interface YELLOW_PROD
Apr 2 19:57:41 10.53.0.251 %ASA-6-106015: Deny TCP (no connection) from 10.199.199.12/60426 to 10.20.0.85/443 flags RST on interface outside
Apr 2 19:57:41 10.53.0.251 %ASA-6-106015: Deny TCP (no connection) from 10.199.199.12/60428 to 10.20.0.85/443 flags RST on interface outside
Apr 2 19:57:00 10.53.0.251 %ASA-6-106015: Deny TCP (no connection) from 10.199.199.12/60343 to 10.20.0.85/443 flags RST on interface outside
Apr 2 19:57:00 10.53.0.251 %ASA-6-106015: Deny TCP (no connection) from 10.199.199.12/60337 to 10.20.0.85/443 flags RST on interface outside
Apr 2 19:57:00 10.53.0.251 %ASA-6-106015: Deny TCP (no connection) from 10.20.0.85/443 to 10.199.199.12/60338 flags FIN ACK on interface INSIDE
04-03-2019 08:13 AM
BNA-VPN-TEST-01# show vpn-sessiondb detail anyconnect
Session Type: AnyConnect Detailed
Username : stevenwilliams Index : 7842
Assigned IP : 10.199.199.12 Public IP : *
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES256 DTLS-Tunnel: (1)3DES
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA256 DTLS-Tunnel: (1)SHA1
Bytes Tx : 175919 Bytes Rx : 163209
Pkts Tx : 664 Pkts Rx : 985
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Group Policy : SSLVPN Tunnel Group : DefaultWEBVPNGroup
Login Time : 10:04:33 CST Wed Apr 3 2019
Duration : 0h:01m:36s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : 0a3500fb01ea20005ca4cb81
Security Grp : none
AnyConnect-Parent Tunnels: 1
SSL-Tunnel Tunnels: 1
DTLS-Tunnel Tunnels: 1
AnyConnect-Parent:
Tunnel ID : 7842.1
Public IP : *
Encryption : none Hashing : none
TCP Src Port : 10780 TCP Dst Port : 443
Auth Mode : userPassword
Idle Time Out: 5 Minutes Idle TO Left : 3 Minutes
Client OS : win
Client OS Ver: 10.0.17134
Client Type : AnyConnect
Client Ver : Cisco AnyConnect VPN Agent for Windows 4.6.03049
Bytes Tx : 8052 Bytes Rx : 0
Pkts Tx : 6 Pkts Rx : 0
Pkts Tx Drop : 0 Pkts Rx Drop : 0
SSL-Tunnel:
Tunnel ID : 7842.2
Assigned IP : 10.199.199.12 Public IP : *
Encryption : AES256 Hashing : SHA256
Ciphersuite : DHE-RSA-AES256-SHA256
Encapsulation: TLSv1.2 TCP Src Port : 10783
TCP Dst Port : 443 Auth Mode : userPassword
Idle Time Out: 5 Minutes Idle TO Left : 3 Minutes
Client OS : Windows
Client Type : SSL VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Windows 4.6.03049
Bytes Tx : 8404 Bytes Rx : 424
Pkts Tx : 9 Pkts Rx : 6
Pkts Tx Drop : 0 Pkts Rx Drop : 0
DTLS-Tunnel:
Tunnel ID : 7842.3
Assigned IP : 10.199.199.12 Public IP : *
Encryption : 3DES Hashing : SHA1
Ciphersuite : DES-CBC3-SHA
Encapsulation: DTLSv1.0 UDP Src Port : 9424
UDP Dst Port : 443 Auth Mode : userPassword
Idle Time Out: 5 Minutes Idle TO Left : 5 Minutes
Client OS : Windows
Client Type : DTLS VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Windows 4.6.03049
Bytes Tx : 161835 Bytes Rx : 164630
Pkts Tx : 661 Pkts Rx : 994
Pkts Tx Drop : 0 Pkts Rx Drop : 0
ISE Posture:
Redirect URL : https://BNAPINFISE001.eftdomain.net:8443/portal/gateway?sessionId=0a3500fb01ea20005ca4cb81&portal=0d2e...
Redirect ACL : ISE_POSTURE_REDIRECT
BNA-VPN-TEST-01# show log
Syslog logging: enabled
Facility: 21
Timestamp logging: disabled
Hide Username logging: enabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: level warnings, 45562 messages logged
Buffer logging: level informational, 3344774 messages logged
Trap logging: level informational, facility 21, 6377800 messages logged
Logging to INSIDE 10.20.0.102, UDP TX:1862789 errors: 30 dropped: 235
Global TCP syslog stats::
NOT_PUTABLE: 0, ALL_CHANNEL_DOWN: 0
CHANNEL_FLAP_CNT: 0, SYSLOG_PKT_LOSS: 0
PARTIAL_REWRITE_CNT: 0
Permit-hostdown logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: level debugging, 8235696 messages logged
%ASA-6-302014: Teardown TCP connection 1341232 for outside:10.199.199.12/56013(LOCAL\stevenwilliams) to outside:13.107.4.52/80 duration 0:00:00 bytes 300 TCP FINs from outside (stevenwilliams)
%ASA-6-302015: Built inbound UDP connection 1341233 for outside:10.199.199.12/49673 (10.199.199.12/49673)(LOCAL\stevenwilliams) to INSIDE:10.20.42.41/161 (10.20.42.41/161) (stevenwilliams)
%ASA-4-113042: Non-HTTP connection from outside:10.199.199.12/49673 to INSIDE:10.20.42.41/161 denied by redirect filter; only HTTP connections are supported for redirection.
%ASA-6-302016: Teardown UDP connection 1341233 for outside:10.199.199.12/49673(LOCAL\stevenwilliams) to INSIDE:10.20.42.41/161 duration 0:00:00 bytes 0 (stevenwilliams)
%ASA-6-305012: Teardown dynamic TCP translation from outside:10.199.199.12/54934(LOCAL\stevenwilliams) to outside:*/54934 duration 0:00:31
%ASA-6-305012: Teardown dynamic TCP translation from outside:10.199.199.12/54935(LOCAL\stevenwilliams) to outside:*/54935 duration 0:00:31
%ASA-6-302013: Built inbound TCP connection 1341234 for outside:10.199.199.12/56010 (*/56010)(LOCAL\stevenwilliams) to outside:65.199.248.12/443 (65.199.248.12/443) (stevenwilliams)
%ASA-4-113042: Non-HTTP connection from outside:10.199.199.12/56010 to outside:65.199.248.12/443 denied by redirect filter; only HTTP connections are supported for redirection.
%ASA-6-302014: Teardown TCP connection 1341234 for outside:10.199.199.12/56010(LOCAL\stevenwilliams) to outside:65.199.248.12/443 duration 0:00:00 bytes 0 Flow closed by inspection (stevenwilliams)
%ASA-6-302015: Built inbound UDP connection 1341235 for outside:10.199.199.12/53267 (10.199.199.12/53267)(LOCAL\stevenwilliams) to INSIDE:10.20.0.55/53 (10.20.0.55/53) (stevenwilliams)
%ASA-6-305011: Built dynamic TCP translation from outside:10.199.199.12/56015(LOCAL\stevenwilliams) to outside:*/56015
%ASA-6-302013: Built inbound TCP connection 1341236 for outside:10.199.199.12/56015 (*/56015)(LOCAL\stevenwilliams) to outside:8.253.185.120/80 (8.253.185.120/80) (stevenwilliams)
%ASA-6-302013: Built inbound TCP connection 1341237 for outside:10.199.199.12/56016 (10.199.199.12/56016)(LOCAL\stevenwilliams) to INSIDE:10.20.0.85/8443 (10.20.0.85/8443) (stevenwilliams)
%ASA-6-305011: Built dynamic TCP translation from outside:10.199.199.12/56017(LOCAL\stevenwilliams) to outside:*/56017
%ASA-6-302013: Built inbound TCP connection 1341238 for outside:10.199.199.12/56017 (*/56017)(LOCAL\stevenwilliams) to outside:52.114.132.21/443 (52.114.132.21/443) (stevenwilliams)
%ASA-4-113042: Non-HTTP connection from outside:10.199.199.12/56017 to outside:52.114.132.21/443 denied by redirect filter; only HTTP connections are supported for redirection.
%ASA-6-302014: Teardown TCP connection 1341238 for outside:10.199.199.12/56017(LOCAL\stevenwilliams) to outside:52.114.132.21/443 duration 0:00:00 bytes 0 Flow closed by inspection (stevenwilliams)
%ASA-4-113042: Non-HTTP connection from outside:10.199.199.12/56011 to INSIDE:10.20.0.94/443 denied by redirect filter; only HTTP connections are supported for redirection.
%ASA-6-302013: Built inbound TCP connection 1341239 for outside:10.199.199.12/56011 (10.199.199.12/56011)(LOCAL\stevenwilliams) to INSIDE:10.20.0.94/443 (10.20.0.94/443) (stevenwilliams)
%ASA-6-302014: Teardown TCP connection 1341239 for outside:10.199.199.12/56011(LOCAL\stevenwilliams) to INSIDE:10.20.0.94/443 duration 0:00:00 bytes 0 Flow closed by inspection (stevenwilliams)
%ASA-6-302014: Teardown TCP connection 1341237 for outside:10.199.199.12/56016(LOCAL\stevenwilliams) to INSIDE:10.20.0.85/8443 duration 0:00:00 bytes 1691 TCP FINs from outside (stevenwilliams)
%ASA-6-302016: Teardown UDP connection 1341235 for outside:10.199.199.12/53267(LOCAL\stevenwilliams) to INSIDE:10.20.0.55/53 duration 0:00:00 bytes 205 (stevenwilliams)
%ASA-6-302014: Teardown TCP connection 1341236 for outside:10.199.199.12/56015(LOCAL\stevenwilliams) to outside:8.253.185.120/80 duration 0:00:00 bytes 300 TCP FINs from outside (stevenwilliams)
%ASA-6-302013: Built inbound TCP connection 1341240 for outside:10.199.199.12/56017 (*/56017)(LOCAL\stevenwilliams) to outside:52.114.132.21/443 (52.114.132.21/443) (stevenwilliams)
%ASA-4-113042: Non-HTTP connection from outside:10.199.199.12/56017 to outside:52.114.132.21/443 denied by redirect filter; only HTTP connections are supported for redirection.
%ASA-6-302014: Teardown TCP connection 1341240 for outside:10.199.199.12/56017(LOCAL\stevenwilliams) to outside:52.114.132.21/443 duration 0:00:00 bytes 0 Flow closed by inspection (stevenwilliams)
%ASA-6-302015: Built inbound UDP connection 1341241 for outside:10.199.199.12/49673 (10.199.199.12/49673)(LOCAL\stevenwilliams) to INSIDE:10.20.42.41/161 (10.20.42.41/161) (stevenwilliams)
%ASA-4-113042: Non-HTTP connection from outside:10.199.199.12/49673 to INSIDE:10.20.42.41/161 denied by redirect filter; only HTTP connections are supported for redirection.
%ASA-6-302016: Teardown UDP connection 1341241 for outside:10.199.199.12/49673(LOCAL\stevenwilliams) to INSIDE:10.20.42.41/161 duration 0:00:00 bytes 0 (stevenwilliams)
%ASA-6-305011: Built dynamic TCP translation from outside:10.199.199.12/56018(LOCAL\stevenwilliams) to outside:*/56018
%ASA-6-302013: Built inbound TCP connection 1341242 for outside:10.199.199.12/56018 (*/56018)(LOCAL\stevenwilliams) to outside:23.55.210.189/443 (23.55.210.189/443) (stevenwilliams)
%ASA-4-113042: Non-HTTP connection from outside:10.199.199.12/56018 to outside:23.55.210.189/443 denied by redirect filter; only HTTP connections are supported for redirection.
%ASA-6-302014: Teardown TCP connection 1341242 for outside:10.199.199.12/56018(LOCAL\stevenwilliams) to outside:23.55.210.189/443 duration 0:00:00 bytes 0 Flow closed by inspection (stevenwilliams)
%ASA-6-302015: Built inbound UDP connection 1341243 for outside:10.199.199.12/49512 (10.199.199.12/49512)(LOCAL\stevenwilliams) to INSIDE:10.20.0.55/53 (10.20.0.55/53) (stevenwilliams)
%ASA-6-302015: Built inbound UDP connection 1341244 for outside:10.199.199.12/59420 (10.199.199.12/59420)(LOCAL\stevenwilliams) to INSIDE:10.20.0.55/53 (10.20.0.55/53) (stevenwilliams)
%ASA-6-302015: Built inbound UDP connection 1341245 for outside:10.199.199.12/63488 (10.199.199.12/63488)(LOCAL\stevenwilliams) to INSIDE:10.20.0.55/53 (10.20.0.55/53) (stevenwilliams)
%ASA-6-302015: Built inbound UDP connection 1341246 for outside:10.199.199.12/51261 (10.199.199.12/51261)(LOCAL\stevenwilliams) to INSIDE:10.20.0.55/53 (10.20.0.55/53) (stevenwilliams)
%ASA-6-302015: Built inbound UDP connection 1341247 for outside:10.199.199.12/61446 (10.199.199.12/61446)(LOCAL\stevenwilliams) to INSIDE:10.20.0.55/53 (10.20.0.55/53) (stevenwilliams)
%ASA-6-302015: Built inbound UDP connection 1341248 for outside:10.199.199.12/65519 (10.199.199.12/65519)(LOCAL\stevenwilliams) to INSIDE:10.20.0.55/53 (10.20.0.55/53) (stevenwilliams)
%ASA-6-302015: Built inbound UDP connection 1341249 for outside:10.199.199.12/63895 (10.199.199.12/63895)(LOCAL\stevenwilliams) to INSIDE:10.20.0.55/53 (10.20.0.55/53) (stevenwilliams)
%ASA-6-302016: Teardown UDP connection 1341243 for outside:10.199.199.12/49512(LOCAL\stevenwilliams) to INSIDE:10.20.0.55/53 duration 0:00:00 bytes 139 (stevenwilliams)
%ASA-6-302016: Teardown UDP connection 1341244 for outside:10.199.199.12/59420(LOCAL\stevenwilliams) to INSIDE:10.20.0.55/53 duration 0:00:00 bytes 132 (stevenwilliams)
%ASA-6-302016: Teardown UDP connection 1341245 for outside:10.199.199.12/63488(LOCAL\stevenwilliams) to INSIDE:10.20.0.55/53 duration 0:00:00 bytes 134 (stevenwilliams)
%ASA-6-302016: Teardown UDP connection 1341246 for outside:10.199.199.12/51261(LOCAL\stevenwilliams) to INSIDE:10.20.0.55/53 duration 0:00:00 bytes 140 (stevenwilliams)
%ASA-6-302013: Built outbound TCP connection 1341250 for Management:10.20.0.85/49 (10.20.0.85/49) to identity:10.20.63.74/61529 (10.20.63.74/61529)
%ASA-6-302016: Teardown UDP connection 1341247 for outside:10.199.199.12/61446(LOCAL\stevenwilliams) to INSIDE:10.20.0.55/53 duration 0:00:00 bytes 141 (stevenwilliams)
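The posted redirect ACL (first post) and the show log output above fit together once you read the redirect ACL the way the ASA does: a permit entry means "intercept this flow for posture redirection", a deny entry means "leave it alone", and only HTTP can actually be redirected, so every permitted non-HTTP flow is dropped and logged as %ASA-4-113042 (the SNMP, DNS-over-443 and Office 365 flows above). The following is an added example, not code from the thread: a small first-match evaluator for ASA extended ACLs and ISE dACLs that replays the posted Built inbound log lines against the posted ISE_POSTURE_REDIRECT ACL, and separately checks that the IT-user dACL (shortened here) still permits the compliant client to reach ISE on 10.20.0.85. Assumptions: the redirect filter is modelled as treating TCP/80 as HTTP (the posted log shows 80 being built and 443 being dropped); the sample ACLs and log lines are constructed from the thread and trimmed.

```python
"""Added example: replay ASA redirect-ACL and dACL decisions against flows.
  * redirect ACL: 'permit' = intercept for posture redirect, 'deny' = exempt;
    a permitted non-HTTP flow is dropped (%ASA-4-113042).
  * dACL: ordinary first-match ACL with an implicit deny at the end.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed samples, taken from the thread and trimmed.
REDIRECT_ACL = """\
access-list ISE_POSTURE_REDIRECT extended deny udp any eq bootpc any eq bootps
access-list ISE_POSTURE_REDIRECT extended deny udp any any eq domain
access-list ISE_POSTURE_REDIRECT extended deny ip any host 10.20.0.85
access-list ISE_POSTURE_REDIRECT extended deny ip any host 10.81.3.25
access-list ISE_POSTURE_REDIRECT extended permit ip any any
access-list ISE_POSTURE_REDIRECT extended deny ip any any
"""
IT_USER_DACL = """\
remark IT User Access
permit ip any 10.20.0.0 255.255.0.0
permit ip any 10.199.199.0 255.255.255.0
remark Deny Internal Segments
deny ip any 10.0.0.0 255.0.0.0
deny ip any 192.168.0.0 255.255.0.0
remark Allow INET
permit ip any any
"""
SAMPLE_LOG = r"""
%ASA-6-302015: Built inbound UDP connection 1341233 for outside:10.199.199.12/49673 (10.199.199.12/49673)(LOCAL\stevenwilliams) to INSIDE:10.20.42.41/161 (10.20.42.41/161) (stevenwilliams)
%ASA-6-302013: Built inbound TCP connection 1341234 for outside:10.199.199.12/56010 (*/56010)(LOCAL\stevenwilliams) to outside:65.199.248.12/443 (65.199.248.12/443) (stevenwilliams)
%ASA-6-302015: Built inbound UDP connection 1341235 for outside:10.199.199.12/53267 (10.199.199.12/53267)(LOCAL\stevenwilliams) to INSIDE:10.20.0.55/53 (10.20.0.55/53) (stevenwilliams)
%ASA-6-302013: Built inbound TCP connection 1341236 for outside:10.199.199.12/56015 (*/56015)(LOCAL\stevenwilliams) to outside:8.253.185.120/80 (8.253.185.120/80) (stevenwilliams)
%ASA-6-302013: Built inbound TCP connection 1341237 for outside:10.199.199.12/56016 (10.199.199.12/56016)(LOCAL\stevenwilliams) to INSIDE:10.20.0.85/8443 (10.20.0.85/8443) (stevenwilliams)
"""

PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80, "https": 443}
HTTP_PORT = 80  # assumption: what the redirect filter accepts as HTTP


@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" (any protocol), "tcp" or "udp"
    src: ipaddress.IPv4Network
    sport: Optional[int]        # None = any port
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _addr(t, i):
    """Consume 'any' | 'host A' | 'A MASK' and an optional 'eq PORT'."""
    if t[i] == "any":
        net, i = ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    elif t[i] == "host":
        net, i = ipaddress.IPv4Network(t[i + 1]), i + 2
    else:
        net, i = ipaddress.IPv4Network(f"{t[i]}/{t[i + 1]}"), i + 2
    port = None
    if i < len(t) and t[i] == "eq":
        port, i = PORT_NAMES.get(t[i + 1]) or int(t[i + 1]), i + 2
    return net, port, i


def parse_acl(text):
    """Parse 'access-list NAME extended ...' lines or bare ISE dACL lines."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if t and t[0] == "access-list":
            t = t[3:]                       # drop 'access-list NAME extended'
        if len(t) < 4 or t[0] not in ("permit", "deny"):
            continue                        # remarks and blank lines
        src, sport, i = _addr(t, 2)
        dst, dport, _ = _addr(t, i)
        aces.append(Ace(t[0], t[1], src, sport, dst, dport))
    return aces


def first_match(aces, proto, src, sport, dst, dport):
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for a in aces:
        if a.proto not in ("ip", proto) or s not in a.src or d not in a.dst:
            continue
        if a.sport not in (None, sport) or a.dport not in (None, dport):
            continue
        return a
    return None                             # implicit deny at end of ACL


def dacl_permits(aces, proto, src, sport, dst, dport):
    a = first_match(aces, proto, src, sport, dst, dport)
    return a is not None and a.action == "permit"


def redirect_verdict(aces, proto, src, sport, dst, dport):
    """forward: exempt from redirect, left to the dACL; redirect: HTTP sent
    to the portal; drop: permitted but non-HTTP, logged as %ASA-4-113042."""
    a = first_match(aces, proto, src, sport, dst, dport)
    if a is None or a.action == "deny":
        return "forward"
    return "redirect" if proto == "tcp" and dport == HTTP_PORT else "drop"


BUILT_RE = re.compile(r"Built inbound (TCP|UDP) connection \d+ for "
                      r"\w+:([\d.]+)/(\d+) .*? to \w+:([\d.]+)/(\d+)")


def classify_log(aces, log_text):
    """Map each 'Built inbound' flow in an ASA syslog excerpt to its verdict."""
    out = []
    for m in BUILT_RE.finditer(log_text):
        proto, src, dst = m.group(1).lower(), m.group(2), m.group(4)
        sport, dport = int(m.group(3)), int(m.group(5))
        out.append((f"{proto} {src}:{sport} -> {dst}:{dport}",
                    redirect_verdict(aces, proto, src, sport, dst, dport)))
    return out


if __name__ == "__main__":
    for flow, verdict in classify_log(parse_acl(REDIRECT_ACL), SAMPLE_LOG):
        print(f"{verdict:8} {flow}")
```

Run against the posted lines, the SNMP and TCP/443 flows come back as drop (matching the 113042 messages that follow them in the real log), DNS and the 8443 connection to ISE as forward, and the TCP/80 flow as redirect; the dACL check confirms the compliant IT user can still reach 10.20.0.85, which matters because the agent has to talk to ISE again after the CoA.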
04-03-2019 09:06 AM
04-03-2019 09:14 AM