ISE posture issues

svatnaum
Level 1

Dears

We have a DNA Fabric environment with a Cisco 9800 WLC and ISE 3.2 integrated with it. Windows and macOS endpoints use the AnyConnect client posture module (version 5.1.10.233). On our network we have a Quarantine subnet and Production subnets for each department. When a user connects to the network, it first lands on the Quarantine subnet; if the Cisco AnyConnect posture module compliance check is successful, the user should be redirected to their production subnet.

The issue is that sometimes, on some random endpoints, posture says it is compliant but the user stays in the Quarantine subnet. On Windows machines we can see "Action Required" on the wireless SSID, and when you press it, it redirects to the ISE client provisioning portal and says that the user doesn't have the AnyConnect client installed; however, it is installed. It's as if ISE sometimes cannot detect that the AnyConnect client is installed. On macOS it just gets stuck in Quarantine. If we restart the Windows machine or the Mac it can connect properly, but this is a problem as we have around a couple of thousand users.

On wired devices this never happens, only on wireless. We suspect it might be related to sensitive timers on the WLC or the posture agent profile timers, but we are not sure.

The same happened on older versions of the AnyConnect client.

Agent posture profile timers are similar for macOS and Windows; I've attached screenshots.

Also to note: if we disable the posture compliance check in our user authorization policies, users do not experience such problems. It's as if enabling the posture compliance check makes the process take more time and the user gets stuck somewhere in it.

Also, we have Palo Alto GlobalProtect on all endpoints, which is used mostly for VPN from remote locations, but at the same time it enforces local network policies when the user is on the local company network. GlobalProtect has all required IPs whitelisted.

Please let me know if you have faced such an issue and if you need any more details.

17 Replies

This 100% sounds like a CoA failure. Do you have CoA properly configured on the WLC and on ISE? Do you see any CoA failed Live Logs? Why all of the overhead of switching VLANs at all? Why not use a dACL or SGT for pre/post posture states?

https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/identity-service-engine-software-3-1-3-2.html


svatnaum
Level 1

Hello,


We have CoA configured on ISE and the WLC (screenshot attached). The issue happens randomly; sometimes we can see failed live logs with "EAP timeout", and it seems this happens because we have 2 ISE nodes working active/active. We configured our NAD devices to send messages in a load-balanced way: if one ISE gets the message it responds to the client, while the second one waits for the client reply, which never comes, so we get these failure live logs.


We tried to use a dACL but we got some problems with user AAA; we have redirection ACLs working on the WLCs themselves.


What do you mean “in a load balance way?” Using the native IOS-XE command? That’s not how that command works if so. Or do you have an external load balance in front of ISE?

What exact issues did you have with a dACL?

Yes, using IOS native commands under the RADIUS server groups. Can you please let us know what you mean by "it doesn't work like that"?

We had the same problem with a dACL.

Right, the WLC picks a PSN to send a single transaction to. It doesn't send to both or round-robin within the same session.

Do you have something blocking UDP/1700? Do you have any dynamic authorization failed alarms? What version of ISE? What version of IOS-XE? Is your ISE deployment properly sized? A dACL in this flow is also dependent on working CoA.

Yes, the WLC picks a PSN depending on the request from the endpoint; I can see there are different transactions going to different PSNs.

We've checked 1700; it's open all the way to the PSN (the firewall in the middle allows it). No CoA alarms observed. ISE 3.2.0.542, patch 2,7; IOS XE WLC version 17.9.4a; the ISE model is 3615; we have around ~4k concurrent sessions/active endpoints.

Just to mention: we have GlobalProtect from Palo Alto working as the VPN client for remote VPN, but its second function is local network policy enforcement. It auto-detects if the user is on the LAN and allows access to the whitelisted IPs. We think there might be a conflict between them regarding timers, because GlobalProtect first needs to be in the "Connected" state in order to allow connections for ISE Posture. If there is any way to delay the posture scanning process, it might help us.

Yes the Global Protect could easily be causing this issue as well if it’s blocking Secure Client from performing posture. Why are you using both ISE and GlobalProtect? I wouldn’t try to mix both as running multiple posture agents (one which includes blocking connections) is going to be problematic. I would pick either ISE Posture or GlobalProtect posture, not both.

https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/identity-service-engine-software-3-1-3-2.html

https://cs.co/ise-scale

https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/secure-network-server-3615-3655-3695-eol.html

https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-xe-17/ios-xe-17-9-x-eol.html

The thing is that GlobalProtect indeed has its own posture (it's called HIP), but we are not using it; the posture function is done only by Cisco AnyConnect. I wonder if there are any best practices regarding the ISE Posture General settings timers (remediation, network transition and other timers) for possible slowness in a wireless environment, or if it's possible to use timers to wait for GlobalProtect to be in the "Connected" state. The same question applies to the settings in the Agent Posture Profile timers in the "IP address Change" menu (VLAN detection interval, ping or ARP, maximum timeout for ping, DHCP renew/release delay, Network Transition delay timers). Fixing these timers and aligning them to our "slow" wireless environment might help.

For a user which failed, can I see the ISE live log detail for it?

MHM

Sure, yes.

Multi PSN without sync can lead to pending posture.

I always recommend, for such a case, using a single PSN in the WLC and checking.

MHM

If I just keep both RADIUS servers on the WLC and remove the load-balancing method, I think it will send traffic to the first RADIUS server anyway? The second one will work only if the first RADIUS server goes down.

Good idea 

You will get redundancy only (no load balance).

MHM
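The two IOS-XE RADIUS server-group shapes discussed in the thread side by side, as an added configuration example (not from the thread or from Cisco documentation): the load-balanced group the original poster started with, and the ordered group without `load-balance` that the last replies describe, plus the CoA listener the earlier replies asked about. PSN addresses, group names and secrets are placeholders.

```cisco
! --- RADIUS server definitions (placeholder addresses and secrets) ---
radius server ISE-PSN-1
 address ipv4 10.0.0.11 auth-port 1812 acct-port 1813
 timeout 5
 retransmit 3
 key <SHARED-SECRET>
!
radius server ISE-PSN-2
 address ipv4 10.0.0.12 auth-port 1812 acct-port 1813
 timeout 5
 retransmit 3
 key <SHARED-SECRET>
!
! --- Variant A: what the thread started with ---
! load-balance spreads new transactions across both PSNs. With two PSNs
! that do not share session state, part of one endpoint's posture flow can
! land on PSN-1 while PSN-2 still waits for the client, which matches the
! "EAP timeout" / pending-posture symptoms described above.
aaa group server radius ISE-LB
 server name ISE-PSN-1
 server name ISE-PSN-2
 load-balance method least-outstanding batch-size 5
!
! --- Variant B: what the last replies recommend ---
! No load-balance line: servers are tried in list order, so ISE-PSN-2 is
! only used once ISE-PSN-1 is marked dead (redundancy, no load balance).
aaa group server radius ISE-FAILOVER
 server name ISE-PSN-1
 server name ISE-PSN-2
!
! Dead-server detection, so the failover in Variant B actually triggers
! instead of every request timing out against a silent PSN-1.
radius-server dead-criteria time 5 tries 3
radius-server deadtime 10
!
! --- CoA listener: both PSNs must be allowed to push Change of ---
! --- Authorization to the WLC on UDP/1700, otherwise the post-posture ---
! --- VLAN/dACL change never reaches the session ---
aaa server radius dynamic-author
 client 10.0.0.11 server-key <SHARED-SECRET>
 client 10.0.0.12 server-key <SHARED-SECRET>
 auth-type any
 port 1700
```

Bind the chosen group under `aaa authentication dot1x`, `aaa authorization network` and `aaa accounting identity`; `show aaa servers` shows which PSN is currently marked dead and the per-server CoA request/failure counters.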