
ISE PSN reboot impact especially for posture check

Difan_Zhao
Level 1

Hi experts,

I probably should do more reading myself, but I need to get this done quickly, so I would appreciate any direct answers.

I need to reboot the PSN nodes, as per TAC, for a certificate/portal page problem. I have never done that before, so I want to know the impact level.

The two nodes are behind the load balancer, so I can easily take one out of service while rebooting it and the one that is up will keep working. The impact should be limited. I assume the endpoint data is shared, so re-authentication for VPN or WiFi users on the other node should continue to work, correct?

My concern is with the posture check. First of all, how do I know which PSN node the redirection goes to? Here is the AV pair configured under the authorization profile. Where does it get the IP and port from?

cisco-av-pair = url-redirect=https://ip:port/portal/gateway?sessionId=SessionIdValue&portal=27b1bc30-2e58-11e9-98fb-0050568775a3&action=cpp

I think the policy requires periodic posture checks. How does that work? Is it initiated by the PSN node or by the AnyConnect app? If the PSN node is rebooting, does that cause the VPN user to be disconnected, or will it just keep trying while maintaining connectivity?

Thanks!

Difan

Accepted Solution

Mike.Cifelli
VIP Alumni

I am going to provide some information that will hopefully assist you and hit on most of your questions.

I assume the endpoint data is shared, so re-authentication for VPN or WiFi users on the other node should continue to work, correct?

-If the PSNs are in a node group, yes, correct. Not sure what version of ISE you are running, but beware of this, as it crippled me at one point way back in the day:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvj47301

Lastly, take a peek at this, as it should help cover items I may miss: ISE Session Management and Posture - Cisco

 

My concern is with the posture check. First of all, how do I know which PSN node the redirection goes to? Here is the AV pair configured under the authorization profile. Where does it get the IP and port from?

-Just so you know, you have the ability to hard-set a static host used in the authz profile. If you navigate to Work Centers->Posture->Client Provisioning->Client Provisioning Portal, you can view which physical interfaces on the PSNs are allowed via the portal config. As for seeing the configuration that is deployed in your posture configuration profile, you can view it two ways. Within ISE: Policy->Policy Elements->Results->Client Provisioning->Resources; find the AnyConnect profile that gets assigned to the active CPP. The other way is via a client that is already provisioned: C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\ISE Posture\ISEPostureCFG.xml. Keep an eye out for the call home list (it should list your PSNs).

  • Call Home List: Comma separated list of FQDNs and port numbers (FQDN and port number separated by colon). The port number is whatever port is configured for the client provisioning portal. The default port number is TCP/8443 if it is not specified in the list. The PSNs are accessed in the order in which they are presented in the list.

This explains it perfectly and in more depth: AnyConnect ISE posture module discovery host and call home list – Cisco ISE Tips, Tricks, and Lessons Learned (ise-support.com)

 

I think the policy requires periodic posture checks. How does that work? Is it initiated by the PSN node or by the AnyConnect app? If the PSN node is rebooting, does that cause the VPN user to be disconnected, or will it just keep trying while maintaining connectivity?

-AFAIK, after the PSN reboot, already authenticated clients with an active session will not be disconnected. Check your interim accounting update config to see what that is set to. Also, if you have enabled the "scan again" button in ISEPostureCFG.xml, users will have the ability to trigger the probe again manually via user interaction; this button appears in the AnyConnect ISE Posture module. Also note that if a user disconnects or a DFG change occurs, this will trigger the probe to "phone home" and go through the discovery process again.
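To make the call home list behaviour described above concrete (comma-separated FQDN[:port] entries, default TCP/8443, PSNs tried in list order), here is an added example that parses such a list and simulates the ordered discovery the posture module performs while one PSN is rebooting. It is not code from this thread, from Cisco, or from the AnyConnect client: the hostnames are constructed, the reachability probe is injected so nothing is contacted, and the list syntax is taken only from the description quoted above (the real client may do more than this).

```python
"""Parse an AnyConnect ISE Posture 'Call Home List' and simulate the ordered
discovery the posture module performs against it.

Added example: not code from the thread, from Cisco, or from the AnyConnect
client. It implements only the list format quoted in the thread
(comma-separated FQDN[:port], default TCP/8443, entries tried in order).
Hostnames are constructed, and the reachability probe is injected so the
script runs offline and never contacts a real PSN.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Tuple

DEFAULT_CPP_PORT = 8443  # default Client Provisioning Portal port (from the thread)


@dataclass(frozen=True)
class PolicyServer:
    fqdn: str
    port: int

    def url(self) -> str:
        return f"https://{self.fqdn}:{self.port}"


def parse_call_home_list(raw: str) -> List[PolicyServer]:
    """Turn 'psn1.example.com:8443,psn2.example.com' into ordered entries.

    Order is preserved because the client tries PSNs in list order.
    A missing port means the default portal port; a malformed port raises
    ValueError so a typo in the profile is caught before it is deployed.
    """
    servers: List[PolicyServer] = []
    for entry in raw.split(","):
        entry = entry.strip()
        if not entry:
            continue  # tolerate trailing commas / blank entries
        host, _, port_text = entry.partition(":")
        if not host:
            raise ValueError(f"missing hostname in entry {entry!r}")
        if port_text:
            if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
                raise ValueError(f"invalid port in entry {entry!r}")
            port = int(port_text)
        else:
            port = DEFAULT_CPP_PORT
        servers.append(PolicyServer(host.lower(), port))
    return servers


def discover(servers: Iterable[PolicyServer],
             probe: Callable[[PolicyServer], bool]
             ) -> Tuple[Optional[PolicyServer], List[PolicyServer]]:
    """Walk the list in order and return (first reachable PSN, PSNs skipped).

    `probe` stands in for the client's HTTPS check of the portal; a PSN that
    is mid-reboot simply fails the probe and the next entry is tried. If every
    entry fails, the first element is None: posture cannot run until a listed
    PSN comes back (this code says nothing about the VPN session itself).
    """
    skipped: List[PolicyServer] = []
    for server in servers:
        if probe(server):
            return server, skipped
        skipped.append(server)
    return None, skipped


def entries_bypassing_vip(servers: Iterable[PolicyServer],
                          vip_fqdn: str) -> List[PolicyServer]:
    """Return entries that point at an individual PSN rather than the LB VIP.

    In a load-balanced deployment the list would normally carry only the VIP
    FQDN; any other entry pins clients to one node while it is being rebooted.
    """
    vip = vip_fqdn.lower()
    return [s for s in servers if s.fqdn != vip]


if __name__ == "__main__":
    # Constructed sample: two PSNs listed directly, then the VIP on a custom port.
    sample = "ise-psn1.example.com:8443, ise-psn2.example.com, ise-vip.example.com:8445"
    psns = parse_call_home_list(sample)
    rebooting = {"ise-psn1.example.com"}  # simulate the first node being restarted
    chosen, skipped = discover(psns, lambda s: s.fqdn not in rebooting)
    print("posture will use:", chosen.url() if chosen else "none reachable")
    print("skipped:", [s.fqdn for s in skipped])
    print("not behind VIP:",
          [s.fqdn for s in entries_bypassing_vip(psns, "ise-vip.example.com")])
```

Run it as-is to see the first listed node skipped and the second chosen; swap the probe for a real TCP or HTTPS check against your own ISEPostureCFG.xml call home list to verify the order clients will actually follow during a reboot window.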


3 Replies


Thank you, Mike, for the detailed explanation! Sorry for the late response on this...

 

I don't see any Client Provisioning Portal configured/listed... That is weird, isn't it? But it is empty in my ISE config...

 

My Call Home List is also empty... Does that mean the ASA would automatically redirect to the server that deals with the authentication? Is there a command on the ASA to find where the redirection goes? I think this is the one that puzzles me the most; I still can't figure out which PSN will be the one for the posture check...

 

Regarding the interim accounting, I found the setting, and it is set for periodic updates every 12 hours:

aaa-server ISE_PRD protocol radius
interim-accounting-update periodic 12
dynamic-authorization

Hi,

+5 to Mike. Just a quick note from my side. From your client, if you go to Settings > System Scan > Statistics, look for the connection information and see what FQDN is used for the policy servers. If it's your load balancer VIP, then you are good to go.

This can be found as well from the Windows path listed by Mike (C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\ISE Posture\ISEPostureCFG.xml). See what policy server is listed there. If it's the load balancer, it should be good to go.

***** please remember to rate useful posts