ISE Posture failover

khanasim78
Level 1

Hi Guys

 

I am testing posture on Anyconnect VPN clients.

The clients are across the globe and can connect to any of 3 firewalls.

PSN's are spread across the globe too.

 

Firewalls are set to use PSN1 as primary and PSN2 as secondary RADIUS servers.

I'm using the iseposturecfg file to set the policy servers via the call-home list, which lists the PSNs as PSN1 & PSN2.

 

I've had a few clients complaining about not being able to access the network.

What I've found is that for some reason or other, the client has picked PSN2 (on the connectiondata file) as its policy server.

 

So, the client wants to use PSN2 for posture but network device is using PSN1 for authentication and this makes posture checks fail.

 

Has anyone else come across this?

As far as I've found, posture and authentication need to be done on the same PSN.

 

I would like eventually to point the firewalls to their local PSN as primary but it seems that the iseposturecfg file can only be configured in one way.

I think if the PSNs could share the user session data it would work, but that isn't the case at the moment.

 

How are you guys doing this?

 

Thanks

 

AK

1 Accepted Solution

Accepted Solutions

hslai
Cisco Employee

Please open a TAC case to investigate. To start with, we need the AnyConnect DART bundle to verify whether the AnyConnect ISE posture agent is not sending the requests to the correct PSN.

10 Replies

subrun.jamil
Level 1

Hello,

I am facing the same problem. When I do the code upgrade of the ASA where AnyConnect is configured, I see posture traffic does not come to the expected ISE node. If I then do a manual switch of the static FQDN entry of the ISE node from Policy->Policy Elements->Authorization->Authorization Profiles, the issue gets resolved.

 

Can you share what the solution was in your case?

peter.matuska1
Level 1

Hi,

I have a similar problem. I have 2 PSNs and have the problem when using periodic reassessment while the PSN which did the original 802.1X and posture check is down. When time's up, the periodic reassessment ends up with "No policy server detected". I know that posture on the backup PSN works. It seems to me that posture state is not synced between nodes. Is there a button to click for this to work?

thank you

Hi @peter.matuska1,

Please try to collect a DART bundle, then take a look at the AnyConnect_ISEPosture.TXT to check the reason for the "No Policy Server detected".

 

Hope this helps !!!

"When time's up, the periodic reassessment ends up with No policy server detected. I know that posture on the backup PSN works. It seems to me that posture state is not synced between nodes. Is there a button to click for this to work?"

As @Marcelo Morais mentioned, definitely take a look into the DART bundle. Note that you do have the ability to enable the 'Scan Again' button/feature; it looks like this on the posture module UI:

[image: scan_again.PNG]

This is configured in the ISEPostureCFG.xml. The XML tag looks like this inside the profile: <EnableRescanButton>1</EnableRescanButton>

The profile on Windows clients is found here: C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\ISE Posture

You can configure the profile change in ISE here: Policy->Policy Elements->Results->Client Provisioning->Resources. Definitely test before tweaking your CPP to push out changes. Lastly, take a peek at this as it may help too: ISE Session Management and Posture - Cisco

HTH!

It's a terrific document. Maybe the problem can be solved by this part:

Modern Approach - Posture State Sharing

As part of implementing an enhancement described in CSCvi35647, patch 6 for ISE 2.6 got a new feature that implements the sharing of session posture status across all the nodes in the ISE deployment. This enhancement will also be integrated into future releases: ISE 2.7 patch 2 and ISE 3.0.

 

Hi,

DART shows:

2022/01/28 19:52:11 [Information] aciseagent Function: Target::fetchPostureStatus Thread Id: 0x3BFC File: c:\temp\build\thehoff\negasonic_mr10.122790236724\negasonic_mr1\posture\ise\libnaccommon\target.cpp Line: 425 Level: debug POST request to URL (https://ise-lab3.domain.com:8905/auth/status), returned status -1 <Operation Failed.>.

.....

2022/01/28 19:52:11 [Information] aciseagent Function: Target::fetchPostureStatus Thread Id: 0x18F4 File: c:\temp\build\thehoff\negasonic_mr10.122790236724\negasonic_mr1\posture\ise\libnaccommon\target.cpp Line: 425 Level: debug POST request to URL (https://ise-lab3.domain.com:8443/auth/status), returned status 0 <Operation Success.>.
2022/01/28 19:52:11 [Error] aciseagent Function: Target::parsePostureStatusResponse Thread Id: 0x18F4 File: c:\temp\build\thehoff\negasonic_mr10.122790236724\negasonic_mr1\posture\ise\libnaccommon\target.cpp Line: 328 Level: error Headend is empty. Possibly, content is not in the form 'X-ISE-PDP'..

......

2022/01/28 19:52:13 [Information] aciseagent Function: Target::fetchPostureStatus Thread Id: 0x4174 File: c:\temp\build\thehoff\negasonic_mr10.122790236724\negasonic_mr1\posture\ise\libnaccommon\target.cpp Line: 407 Level: debug POST request to URL (https://ise-lab3.domain.com:8905/auth/ng-discovery), returned status 0 <Operation Success.>.
2022/01/28 19:52:13 [Information] aciseagent Function: HttpConnection::getHeader Thread Id: 0x4174 File: c:\temp\build\thehoff\negasonic_mr10.122790236724\negasonic_mr1\posture\ise\libnaccommon\httpconnection.cpp Line: 814 Level: debug Failed to retrieve http header X-ISE-PDP-WITH-SESSION.
2022/01/28 19:52:13 [Error] aciseagent Function: Target::parsePostureStatusResponse Thread Id: 0x4174 File: c:\temp\build\thehoff\negasonic_mr10.122790236724\negasonic_mr1\posture\ise\libnaccommon\target.cpp Line: 328 Level: error Headend is empty. Possibly, content is not in the form 'X-ISE-PDP'..

 

and this "Operation Failed" / "Operation Success" pair keeps repeating until the warning "No policy server detected" is shown.

thank you

Hi @peter.matuska1,

It doesn't look like the AnyConnect_ISEPosture.TXT file to me, am I right?

 

Regards

I double checked and it is.

Hi @peter.matuska1,

OK, please:

1st, try to find "Probing no MNT stage targets (#"; this is an indication of the Stage 1 discovery stage. Check all the Auth-Status targets.

2nd, next try to find "MSG_NS_SWISS_NEW_SESSION"; this line contains the Session ID that has been selected by the PSN.

3rd, next try to find "Downloading ISE Posture Profile"; this is the status message that you are able to see on your AnyConnect module.

If you are able to find these, double check the next lines.

If not, please share the point that you are unable to find.

Note: about the <Operation Failed> that you described in your last post, before this line are you able to find an "Unable to send request"? If yes, could you please share the line?

 

Hope this helps !!!
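The triage Marcelo describes (locating the discovery-stage markers, checking each Auth-Status POST and its result, and checking whether a failed POST is preceded by "Unable to send request") can be done by hand with a text editor, but a small parser makes it repeatable across many DART bundles. The script below is an added example, not Cisco code and not part of this thread: it parses aciseagent lines of the shape shown in peter.matuska1's excerpt above, lists every posture-status POST with the PSN host and port it went to, counts the "Headend is empty" parse errors, and reports which of the three stage markers are present. The sample input reuses the real lines quoted above plus one constructed line (hypothetical function and file names) that carries the first stage marker; the other two markers are deliberately absent so the report shows what "the point that you are unable to find" looks like.

```python
"""Triage helper for AnyConnect_ISEPosture.TXT (added example, not Cisco code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Lines copied from the DART excerpt quoted in this thread, plus ONE CONSTRUCTED
# line (hypothetical Discovery::probe function and file name) carrying the
# Stage 1 marker that Marcelo asks to look for.
SAMPLE_LOG = r"""
2022/01/28 19:52:10 [Information] aciseagent Function: Discovery::probe Thread Id: 0x3BFC File: c:\temp\build\example\discovery.cpp Line: 10 Level: debug Probing no MNT stage targets (CONSTRUCTED sample line)
2022/01/28 19:52:11 [Information] aciseagent Function: Target::fetchPostureStatus Thread Id: 0x3BFC File: c:\temp\build\thehoff\negasonic_mr10.122790236724\negasonic_mr1\posture\ise\libnaccommon\target.cpp Line: 425 Level: debug POST request to URL (https://ise-lab3.domain.com:8905/auth/status), returned status -1 <Operation Failed.>.
2022/01/28 19:52:11 [Information] aciseagent Function: Target::fetchPostureStatus Thread Id: 0x18F4 File: c:\temp\build\thehoff\negasonic_mr10.122790236724\negasonic_mr1\posture\ise\libnaccommon\target.cpp Line: 425 Level: debug POST request to URL (https://ise-lab3.domain.com:8443/auth/status), returned status 0 <Operation Success.>.
2022/01/28 19:52:11 [Error] aciseagent Function: Target::parsePostureStatusResponse Thread Id: 0x18F4 File: c:\temp\build\thehoff\negasonic_mr10.122790236724\negasonic_mr1\posture\ise\libnaccommon\target.cpp Line: 328 Level: error Headend is empty. Possibly, content is not in the form 'X-ISE-PDP'..
2022/01/28 19:52:13 [Information] aciseagent Function: Target::fetchPostureStatus Thread Id: 0x4174 File: c:\temp\build\thehoff\negasonic_mr10.122790236724\negasonic_mr1\posture\ise\libnaccommon\target.cpp Line: 407 Level: debug POST request to URL (https://ise-lab3.domain.com:8905/auth/ng-discovery), returned status 0 <Operation Success.>.
2022/01/28 19:52:13 [Information] aciseagent Function: HttpConnection::getHeader Thread Id: 0x4174 File: c:\temp\build\thehoff\negasonic_mr10.122790236724\negasonic_mr1\posture\ise\libnaccommon\httpconnection.cpp Line: 814 Level: debug Failed to retrieve http header X-ISE-PDP-WITH-SESSION.
2022/01/28 19:52:13 [Error] aciseagent Function: Target::parsePostureStatusResponse Thread Id: 0x4174 File: c:\temp\build\thehoff\negasonic_mr10.122790236724\negasonic_mr1\posture\ise\libnaccommon\target.cpp Line: 328 Level: error Headend is empty. Possibly, content is not in the form 'X-ISE-PDP'..
"""

# Shape of one aciseagent line: timestamp, [level], function, thread, file, line, level, message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] aciseagent "
    r"Function: (?P<func>\S+) Thread Id: (?P<tid>0x[0-9A-Fa-f]+) File: (?P<file>.+?) "
    r"Line: (?P<line>\d+) Level: (?P<sev>\w+) (?P<msg>.*)$"
)
POST_RE = re.compile(r"POST request to URL \((?P<url>[^)]+)\), returned status (?P<status>-?\d+)")

# Markers named in the thread; the agent strings are searched as substrings.
STAGE_MARKERS = {
    "stage1_discovery_probe": "Probing no MNT stage targets",
    "session_id_selected": "MSG_NS_SWISS_NEW_SESSION",
    "posture_profile_download": "Downloading ISE Posture Profile",
}


@dataclass
class Entry:
    ts: str
    level: str
    func: str
    msg: str


def parse_log(text: str) -> List[Entry]:
    """Keep only well-formed aciseagent lines; separators like '.....' are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["ts"], m["level"], m["func"], m["msg"]))
    return entries


def posture_posts(entries: List[Entry]) -> List[dict]:
    """Every POST the agent made, with URL and whether the agent reported status 0."""
    out = []
    for e in entries:
        m = POST_RE.search(e.msg)
        if m:
            out.append({"ts": e.ts, "url": m["url"], "status": int(m["status"]), "ok": m["status"] == "0"})
    return out


def contacted_psns(posts: List[dict]) -> List[Tuple[str, int]]:
    """Distinct (host, port) pairs the client talked to; shows which PSN it actually picked."""
    pairs = {(urlsplit(p["url"]).hostname, urlsplit(p["url"]).port) for p in posts}
    return sorted(pairs)


def headend_empty_count(entries: List[Entry]) -> int:
    """Responses the agent could not parse because no X-ISE-PDP headend was present."""
    return sum(1 for e in entries if "Headend is empty" in e.msg)


def stage_markers_found(entries: List[Entry]) -> Dict[str, Optional[str]]:
    """Timestamp of the first line carrying each stage marker, or None if the marker is absent."""
    found: Dict[str, Optional[str]] = {name: None for name in STAGE_MARKERS}
    for e in entries:
        for name, marker in STAGE_MARKERS.items():
            if found[name] is None and marker in e.msg:
                found[name] = e.ts
    return found


def failed_posts_without_send_error(entries: List[Entry]) -> List[str]:
    """URLs of failed POSTs whose preceding line is NOT 'Unable to send request' (the check asked for above)."""
    out = []
    for i, e in enumerate(entries):
        m = POST_RE.search(e.msg)
        if m and m["status"] != "0":
            prev = entries[i - 1].msg if i > 0 else ""
            if "Unable to send request" not in prev:
                out.append(m["url"])
    return out


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    posts = posture_posts(entries)
    print("PSNs contacted:", contacted_psns(posts))
    for p in posts:
        print(p["ts"], "OK " if p["ok"] else "FAIL", p["url"])
    print("'Headend is empty' errors:", headend_empty_count(entries))
    for name, ts in stage_markers_found(entries).items():
        print(f"{name}: {'found at ' + ts if ts else 'NOT FOUND'}")
    print("failed POSTs with no preceding 'Unable to send request':", failed_posts_without_send_error(entries))
```

Run against a real AnyConnect_ISEPosture.TXT by replacing SAMPLE_LOG with the file contents. The "NOT FOUND" markers are exactly what to report back in the thread; the contacted-PSN list answers the original question of which PSN the client chose for posture, which can then be compared with the PSN the firewall used for RADIUS authentication.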