
ISE posture checks over AnyConnect VPN failing

tiryan
Cisco Employee

Some Windows devices fail to connect to a PSN to complete a posture check after it connects to ASA via AnyConnect.

Device, AnyConnect, ASA and ISE versions are fine based on the latest Compatibility Guides.

AnyConnect 4.5.02033 and ISE 4.2.1226.0

Do we have some known caveats or known Client PC settings that could STOP the Posture check sequence from occurring?

Do we have any step-by-step troubleshooting guides for posture checking flows?

TAC case is open but no progress so far.

Thank you,

Tim Ryan

1 Accepted Solution


Craig Hyps
Level 10

Please clarify if issue is with discovery, or with post discovery where AC is in redirected, posture assessment process.

If discovery, then for ISE 2.2, you can seed device with a discovery host that points to actual PSN.  Prior to ISE 2.2, the DH should NOT be PSN, but a target that will get intercepted by ASA and redirected to PSN.

Troubleshooting can be accomplished by AC logs (DART bundle) and via ISE debug logging for posture log. 

/Craig


3 Replies

paul
Level 10

What method are you using to ensure posture discovery works?  I use port 80 to the default gateway usually.  In the case of VPN I just make sure my redirect list is redirecting port 80 to the VPN IP pool.

Also, one of the reasons it may work for some and not others is because one of the posture discovery steps is trying to connect to the previous PSN you submitted posture to.  So if they postured correctly on wired or wireless, they may work just fine on VPN, leading you to believe you have posture discovery set up correctly on VPN when in reality you don’t for clients that have never postured before.