ISE posture changing from compliant to unknown despite still in lease

rafliraditya
Level 1

 

Dear All,

  1. We are using ISE version 3.1.

  2. Users are accessing the internal network via wireless connectivity on WLC 9800-L version 17.9.4.

  3. We have configured a posture lease (1 day), enabled LSD, and no PRA.

Here's the issue: Users are randomly transitioning from a compliant state to an unknown state. Occasionally, this occurs due to Wi-Fi problems, such as when a user is disconnected after leaving the endpoint in sleep mode, roaming, or failing the 4-way handshake (which we found out from radio trace), resulting in the "no internet connection" Wi-Fi symbol. During this state, AnyConnect continues to display a compliant state, while the ISE livelog indicates an unknown compliant state. In this state, users lose internet and internal network connectivity, except for the connection to the ISE PSN and all DNS traffic (as intended for unknown state endpoints). To rectify this on the end-user's side, we must disconnect and reconnect the Wi-Fi (sometimes restarting the endpoint), prompting the endpoint to repeat the posture scanning. I want to know why the endpoint keeps repeating the posture scanning after it got disconnected randomly since the endpoint is still within the lease duration.

This issue occurs randomly and we are unable to recreate it. We attempted to force the issue by disconnecting an already compliant endpoint from the WLC, but the endpoint doesn't transition to an unknown state when disconnected in this manner.

Please let me know if you have any suggestions to address this issue.

Thank you.

1 Reply

rnan
Cisco Employee

I think you need to create a TAC case to solve the issue.