Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
9661
Views
0
Helpful
13
Replies

ISE shows Posture Not Applicable but on Anyconnect it shows compliant

Go to solution
CCertified85
Level 1
Level 1

‎02-05-2019 10:06 AM

Hello All,

 

I am facing a weird issue, following are the details

 

  • I have ISE version 2.3 Patch 3 with Anyconnect 4.5.530 with 4.3.215 Compliance Module
  • Majority of users posture is working fine and in ISE logs it shows compliant 
  • Some users posture showing Not applicable in ISE Logs but it shows compliant on Anyconnect
  • I am using redirection less posture discovery , means i am configuring Call Home List in Posture configuration file with port # 8443
  • I tried to compare the ConnectionData.xml file with users whose posture is being reported correctly but still issue persists
  • All ports like 8905, 8909 and 8443 is allowed on firewall between ISE and end users
  • Issue is happening on both wired and wireless 
  • Tried to open TAC Cases but still no resolution 
2 people had this problem
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Serhii Kucherenko
Cisco Employee
Cisco Employee
In response to tommy182

‎02-17-2019 01:34 PM

Hi Tom.

 

What you've mentioned here is actually inline with what I've noticed in one of the customer's cases recently. I don't think that this is the same case which has been mentioned here since ISE and AnyConnect versions are different, But

 

What I saw is that specific switch platform can send Interim accounting messages triggered by the device sensor to the PSN which didn't perform authentication for the user. 

 

When this message is generated PSN which did an authentication is up and marked as alive on the switch.

 

Could you please let me know on which platform/software you observed this problem?

 

Also couple words about difference between the Phantom and Stale sessions. Those terms are not defined anywhere so for last Cisco Live I used following explanation:

 

Stale Session – Session for which initial authentication and Accounting Start landed on one PSN but accounting stop due to any reasons hit another PSN (for example expiration of stickiness timer on load balancer)


Phantom Session – the session which has been created in PSN cache based on accounting packet only (this could be part of scenario when PSN is marked as dead and there are some long living active sessions on the NAD for which interim accounting messages are generated)

 

Third scenario in second part of this breakout explains how to troubleshoot Stale/Phantom sessions:

 

https://ciscolive.cisco.com/on-demand-library/?search.event=ciscoliveemea2019&search=ISE#/session/1532118981651001vGwm

 

Regards,

 

Serhii

 

View solution in original post

0 Helpful
13 Replies 13

Go to solution
howon
Cisco Employee
Cisco Employee

‎02-05-2019 08:52 PM

Is it happening for specific endpoints all the time, if so have you looked at the AC DART bundle to see if the AC posture module made successful contact with ISE? Could be a defect if AC is able to reach ISE and still reports as compliant. Please continue working with TAC to determine the root cause.

0 Helpful

Go to solution
CCertified85
Level 1
Level 1
In response to howon

‎02-07-2019 06:40 AM

Yes i checked Posture module could resolve and reach ISE server

It is happening all the time when i enable posture

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to CCertified85

‎02-16-2019 09:29 AM

Please provide TAC case info so we may review.

You might want to try the posture rescan feature available in ISE 2.4 and AnyConnect 4.6 ISE Posture Module.

0 Helpful

Go to solution
hiepnguyen991
Level 1
Level 1
In response to howon

‎03-06-2019 01:54 AM

Hello everyone,

Do you have resolved this issue, i have same the issue:

"I need config AnyConnect profile to AnyConnect agent can connect psn1 first, if psn1 fail then connect to psn2 because i have got issue: when PC connect, firstly swicth connect to psn1 to authenticate after authentication successful anyconnect connect to psn2 (not psn1) to posture so that CoA from psn2 to switch not correctly"

 

Can everyone help me config properly Anyconnect profile:

Discovery host: psn1 or psn2 or both?

- Server name rules: psn1 or psn2 or both?

- Call Home List: psn1 or psn2 or both?

 

Preview file
120 KB
0 Helpful

Go to solution
tommy182
Level 1
Level 1

‎02-17-2019 12:17 PM

Hi,

 

Do you use device-sensor functional on the switch?

I noticed that switch sometimes sends accounting data(that contains a new info from device-sensor perspective) not only to server that owns that session, but to another one.

It creates stale or phantom sessions on this another server, and for some reason it cause wrong server be chooses by AnyConnect ISEPosture module.

In the end all Radius Auth\Authz happened on one PSN and Posture may happened on second PSN.

Actual CoA(after Posture status changed to Compliant) sends by this second PSN to the switch, but subsequent Radius Auth\Authz happened on first PSN who doesn`t known about Posture status.

 

I'm not sure where is the real problem, is it device-sensor bug or is it ISE cannot point right PSN for Posture treatment.

But for me the real workaround was to disable device-sensor functional on the NAD.

 

Regards,

Tom

0 Helpful

Go to solution
CCertified85
Level 1
Level 1
In response to tommy182

‎02-17-2019 01:20 PM

Hi,

@tommy182 @howon

 

I dont have Device Sensor enabled on switches

Also i discovered the same issue that posture happening on another PSN and authentication on another.

Its difficult to upgrade to 2.4 and rollout 250 + users to 4.6 :(

This is the case @hslai 686020241

0 Helpful

Go to solution
Serhii Kucherenko
Cisco Employee
Cisco Employee
In response to CCertified85

‎02-17-2019 01:53 PM

Case owner is member of my team. I will review what we have so far together with him tomorrow.
0 Helpful

Go to solution
Serhii Kucherenko
Cisco Employee
Cisco Employee
In response to tommy182

‎02-17-2019 01:34 PM

Hi Tom.

 

What you've mentioned here is actually inline with what I've noticed in one of the customer's cases recently. I don't think that this is the same case which has been mentioned here since ISE and AnyConnect versions are different, But

 

What I saw is that specific switch platform can send Interim accounting messages triggered by the device sensor to the PSN which didn't perform authentication for the user. 

 

When this message is generated PSN which did an authentication is up and marked as alive on the switch.

 

Could you please let me know on which platform/software you observed this problem?

 

Also couple words about difference between the Phantom and Stale sessions. Those terms are not defined anywhere so for last Cisco Live I used following explanation:

 

Stale Session – Session for which initial authentication and Accounting Start landed on one PSN but accounting stop due to any reasons hit another PSN (for example expiration of stickiness timer on load balancer)


Phantom Session – the session which has been created in PSN cache based on accounting packet only (this could be part of scenario when PSN is marked as dead and there are some long living active sessions on the NAD for which interim accounting messages are generated)

 

Third scenario in second part of this breakout explains how to troubleshoot Stale/Phantom sessions:

 

https://ciscolive.cisco.com/on-demand-library/?search.event=ciscoliveemea2019&search=ISE#/session/1532118981651001vGwm

 

Regards,

 

Serhii

 

0 Helpful

Go to solution
CCertified85
Level 1
Level 1
In response to Serhii Kucherenko

‎02-17-2019 02:21 PM

Hi Serhii,

I discovered one more issue

 

1. I have 7 PC(s) and they are connected to LAN and its posture showing Not Applicable in ISE , the moment i disconnect them from LAN and they switch to Wifi , it start showing Compliant in ISE

 

2. Vice versa there is a PC which is connected to wifi and shows not applicable and if i switch to LAN posture shows compliant in ISE

 

The most strange part is that when i enabled Extended Logging only LAN Adapter is showing in NAM Logs folder , i believe both LAN and Wifi Adapter should be displayed (This i checked on PC connected on Wifi )

 

0 Helpful

Go to solution
CCertified85
Level 1
Level 1
In response to CCertified85

‎02-17-2019 02:27 PM

I forgot to mention "only PCAP  of LAN adapter showing"

0 Helpful

Go to solution
dlutin001
Level 1
Level 1

‎07-09-2019 02:24 AM

Hi, any updates on this problem?
We think that we are suffering from the same defect after we moved to redirection less posture process.
It's quite annoying.
0 Helpful

Go to solution
tminh
Cisco Employee
Cisco Employee

‎07-31-2019 06:46 PM

Hi all,

 

We have the same problem with ISE 2.4 too.

The posture assessment report to PSN is NOT stable. Some time it is the same in PC and ISE, other time, it is NOT. AnyConnect "says" compliance", ISE says "not applicable".

In case the root cause is about AuthC happen with one PSN, but Posture Assessment reported to an another PSN, What we need to do to avoid this un desired situation?

 

Thanks for quick advice,

Minh

 

0 Helpful

Go to solution
tommy182
Level 1
Level 1
In response to tminh

‎08-15-2019 12:42 AM

Hi!

 

You need to use Posture Assessment with URL-redirect(it can help you to point Posture to the same PSN who treat Auth\Authz).

Also if you enable radius load-balancing on the switch then disable it, it is most annoying feature that simple doesn`t work as it should work.

0 Helpful
Customers Also Viewed These Support Documents