ISE Posture - Discovery host does not accept multiple IP addresses.

Nikhil Jadhav
Level 1

Hello ISE experts,

I am trying to create an AnyConnect Posture Agent profile, where I am trying to give multiple IP addresses for the Discovery host.

But after trying to save this profile, ISE fails to accept/save this profile.

Is it possible to enter multiple IP addresses in Discovery hosts? We have 3 datacenters, the PSNs are spread across those 3 datacenters, and hence we have this requirement.

I kindly request you all to please let me know if anyone has come across this scenario or has some solution.

Regards,

Nikhil

2 Replies

Colby LeMaire
VIP Alumni

The discovery host option is not meant to put PSN IP addresses. It is meant to put ANY IP address that resides somewhere beyond the default gateway of the client. So you could even use an Internet address. The whole point is to have the client send packets out beyond the default gateway to trigger redirection from the switch or WLC the client is connected to.

There is another field in the profile where you can list the PSNs that the client should try to connect to. That field is called the "Call Home List" and you can list all of your PSNs there.

JohnNewman7082
Level 1

As Colby mentioned, do not put a PSN in the Discovery Host field.

AnyConnect uses a process to "discover" the hosting PSN to trigger posture to start.

Discovery host is the first method tried before falling back to other methods such as default gateway, cisco.com, and previously connected devices.

If you have multiple PSNs in your environment and failover configured, a discovery host pointed to a PSN may do more damage than good. PSNs do not share session data for current authentications. So, if you authenticate against PSN2, but your host is set as PSN1, PSN1 will have no idea of the session and will ultimately give a 500 error.

As Colby mentioned, point the DH to something beyond your gateway. I typically like to tell users to point the IP to something routable in the network, but in your redirect ACL, explicitly redirect that exact IP.

For example: set your discovery host to 10.10.10.10

Your redirect ACL on your switch looks like:

ip access-list extended redirect
deny ip any host <ISE ip address>
permit TCP any any eq www
permit TCP any any eq 443
permit TCP any host 10.10.10.10
permit ip any any
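The two properties John's reply depends on can be checked mechanically: the discovery-host probe must hit a permit entry (so the switch redirects it), while traffic to every PSN must hit a deny entry first (so the agent's call-home is never redirected). The following is an added example, not code from the thread or from Cisco; the PSN address 192.0.2.10 standing in for "<ISE ip address>", and the PSN ports checked, are constructed assumptions, and the parser only models the "any"-source ACE forms used in the reply above.

```python
import re

# Constructed sample: the redirect ACL from the reply above, with the
# "<ISE ip address>" placeholder filled in by an assumed PSN address.
SAMPLE_ACL = """\
ip access-list extended redirect
deny ip any host 192.0.2.10
permit TCP any any eq www
permit TCP any any eq 443
permit TCP any host 10.10.10.10
permit ip any any
"""

NAMED_PORTS = {"www": 80, "https": 443}
# Matches only "any"-source ACEs with an optional "eq <port>" (simplified model).
ACE_RE = re.compile(
    r"^\s*(permit|deny)\s+(ip|tcp|udp)\s+any\s+(any|host\s+(\S+))(?:\s+eq\s+(\S+))?\s*$",
    re.IGNORECASE,
)

def parse_acl(text):
    """Parse ACEs into (action, proto, dst_host_or_None, dst_port_or_None)."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue  # ACL header or an ACE form this parser does not model
        action, proto, _, host, port = m.groups()
        if port:
            port = NAMED_PORTS.get(port.lower()) or int(port)
        aces.append((action.lower(), proto.lower(), host, port))
    return aces

def redirect_decision(aces, dst_ip, proto="tcp", dst_port=80):
    """First-match evaluation: permit means the switch redirects the flow;
    deny, or no match (IOS implicit deny), means it passes through untouched."""
    for action, ace_proto, host, port in aces:
        if ace_proto != "ip" and ace_proto != proto:
            continue
        if host is not None and host != dst_ip:
            continue
        if port is not None and port != dst_port:
            continue
        return "redirect" if action == "permit" else "bypass"
    return "bypass"

def audit_redirect_acl(acl_text, discovery_host, psn_ips, psn_ports=(443, 8905)):
    """Report discovery-host probes that are NOT redirected and PSN flows that ARE.
    psn_ports is an assumed set of ports the agent reaches the PSN on."""
    aces = parse_acl(acl_text)
    findings = []
    if redirect_decision(aces, discovery_host) != "redirect":
        findings.append(f"discovery host {discovery_host} is not redirected")
    for psn in psn_ips:
        for port in psn_ports:
            if redirect_decision(aces, psn, "tcp", port) == "redirect":
                findings.append(f"PSN {psn}:{port} would be redirected")
    return findings
```

Dropping the leading deny line reproduces the failure mode John describes, with PSN-bound traffic caught by the broad permit entries.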