
ISE posture issues

svatnaum
Level 1

Dears,

We have a DNA Fabric environment with a Cisco 9800 WLC and ISE 3.2 integrated with it. Endpoints (Windows and macOS) use the AnyConnect client posture module (version 5.1.10.233). On our network we have a Quarantine subnet and Production subnets for each department. When a user connects to the network, it first lands on the Quarantine subnet; if the Cisco AnyConnect posture module compliance check is successful, the user should be redirected to its production subnet.

The issue is that sometimes, on some random endpoints, posture says it is compliant but the user stays in the Quarantine subnet. On Windows machines we can see "Action Required" on the wireless SSID, and when you press it, it redirects to the ISE client provisioning portal and says that the user doesn't have the AnyConnect client installed. However, it is installed; it is as if ISE sometimes cannot detect that the AnyConnect client is installed. On macOS it just gets stuck in Quarantine. If we restart the Windows machine or the Mac, it connects properly, but this is a problem as we have around a couple of thousand users.

On wired devices this never happens, only on wireless. We suspect it might be related to sensitive timers on the WLC or the posture agent profile timers, but we are not sure.

The same happened on older versions of the AnyConnect client.

The agent posture profile timers are similar for macOS and Windows; I've attached screenshots.

Also to note: if we disable the posture compliance check in our user authorization policies, users do not experience such problems. It is as if, when we enable the posture compliance check, it takes more time and the user gets stuck somewhere in the process.

Also, we have Palo Alto GlobalProtect on all endpoints, which is used mostly for VPN from remote locations, but at the same time it enforces local network policies when the user is on the local company network. GlobalProtect has all the required IPs whitelisted.

Please let me know if you have faced such an issue and if you need any more details.
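For readers reconstructing the flow in the post: after the posture module reports compliance, the VLAN change is driven by a RADIUS Change of Authorization (RFC 5176) that ISE sends to the WLC (the NAD), not to the endpoint; the WLC then reauthorizes the session, applies the production VLAN, and the client has to renew its DHCP lease. The script below is an added example and not code from the post, from Cisco, or from ISE. It builds a CoA-Request addressed to one wireless session the way ISE does, verifies the WLC's CoA-ACK or CoA-NAK authenticator, and can send the request over UDP so a practitioner can check whether CoA reaches and is accepted by the WLC independently of the posture agent. The shared secret, MAC address, session ID and the `subscriber:` Cisco-AVPair values are constructed or assumed here; confirm the exact AV pairs against a capture of your own ISE's CoA before relying on them. Cisco's default CoA port is 1700 (the RFC default is 3799).

```python
"""Minimal RFC 5176 RADIUS CoA client for checking the ISE -> WLC leg of a posture flow.

Added example; all secrets, MACs and session IDs below are constructed test values.
"""
import hashlib
import hmac
import os
import socket
import struct

# RFC 5176 packet codes
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45

# Attributes used to identify the session (RFC 2865/2866) and the Cisco VSA carrier
CALLING_STATION_ID = 31
ACCT_SESSION_ID = 44
VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS TLV: Type(1) Length(1, includes the 2-byte header) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def cisco_avpair(pair: str) -> bytes:
    """Encode a Cisco-AVPair (vendor 9, sub-type 1) inside a Vendor-Specific attribute."""
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(pair)) + pair.encode()
    return attribute(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def build_coa_request(secret: bytes, identifier: int, attrs: list) -> bytes:
    """Build a CoA-Request. Per RFC 5176 the Request Authenticator is
    MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return header + authenticator + body


def build_coa_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Build the reply a NAD would send; used here to simulate the WLC offline.
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    authenticator = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + authenticator + attrs


def verify_coa_response(response: bytes, request: bytes, secret: bytes):
    """Return COA_ACK or COA_NAK if the reply is authentic for `request`, else None."""
    if len(response) < 20:
        return None
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if identifier != request[1] or length != len(response) or code not in (COA_ACK, COA_NAK):
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return None
    return code


def reauth_request(secret: bytes, mac: str, session_id: str, identifier: int = None) -> bytes:
    """CoA-Request asking the NAD to reauthenticate one session, ISE-style.
    The subscriber:* AV pair values are an assumption; verify against your own ISE capture."""
    if identifier is None:
        identifier = os.urandom(1)[0]
    attrs = [
        attribute(CALLING_STATION_ID, mac.encode()),
        attribute(ACCT_SESSION_ID, session_id.encode()),
        cisco_avpair("subscriber:command=reauthenticate"),
        cisco_avpair("subscriber:reauthenticate-type=last"),
    ]
    return build_coa_request(secret, identifier, attrs)


def send_coa(nad_ip: str, request: bytes, secret: bytes, port: int = 1700, timeout: float = 3.0):
    """Send the request to the NAD and verify its reply.
    None means no authentic reply: a NAD silently drops requests whose secret or
    source IP it does not accept, and an ACL or wrong port looks the same from here."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (nad_ip, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return verify_coa_response(data, request, secret)


if __name__ == "__main__":
    # Offline round trip with a simulated WLC; constructed values throughout.
    secret = b"constructed-shared-secret"
    req = reauth_request(secret, "aa-bb-cc-dd-ee-ff", "0000ABCD", identifier=7)
    print("ACK verified as", verify_coa_response(build_coa_response(COA_ACK, req, secret), req, secret))
    print("NAK verified as", verify_coa_response(build_coa_response(COA_NAK, req, secret), req, secret))
```

To use it against a real controller, call `send_coa("<wlc-ip>", reauth_request(secret, mac, session_id), secret)` from a host the WLC accepts as a CoA source (on Cisco that is the ISE PSN address configured under `aaa server radius dynamic-author`); a CoA-NAK means the WLC heard and authenticated the request but could not find or act on the session, which separates a posture-agent problem from a CoA delivery problem.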


17 Replies

svatnaum
Level 1

It seems to be working so far; no issues after we disabled load balancing at the WLC IOS XE level. Will update you.


I am so sure it will be OK 

MHM

svatnaum
Level 1

It seems we still see some issues, especially on macOS: people get stuck in the Quarantine subnet and the dynamic change of IP never happens. I'm thinking it's because we have the GlobalProtect VPN client from Palo Alto; it sometimes doesn't allow the CoA message to be delivered from the WLC to the client in the Quarantine subnet to make the IP change with CoA.