ISE shows Posture Not Applicable but on Anyconnect it shows compliant

CCertified85
Level 1

Hello All,

 

I am facing a weird issue; the details are as follows:

  • I have ISE version 2.3 Patch 3 with AnyConnect 4.5.530 and the 4.3.215 Compliance Module
  • For the majority of users, posture is working fine and the ISE logs show Compliant
  • For some users, posture shows Not Applicable in the ISE logs but Compliant in AnyConnect
  • I am using redirection-less posture discovery, meaning I configure the Call Home List in the posture configuration file with port 8443
  • I compared the ConnectionData.xml file with that of users whose posture is being reported correctly, but the issue still persists
  • All ports like 8905, 8909 and 8443 are allowed on the firewall between ISE and the end users
  • The issue is happening on both wired and wireless
  • I tried opening TAC cases but still have no resolution

howon
Cisco Employee

Is it happening for specific endpoints all the time, if so have you looked at the AC DART bundle to see if the AC posture module made successful contact with ISE? Could be a defect if AC is able to reach ISE and still reports as compliant. Please continue working with TAC to determine the root cause.

Yes, I checked; the Posture module could resolve and reach the ISE server.

It is happening all the time when I enable posture.

Please provide TAC case info so we may review.

You might want to try the posture rescan feature available in ISE 2.4 and AnyConnect 4.6 ISE Posture Module.

Hello everyone,

Have you resolved this issue? I have the same issue:

"I need to configure the AnyConnect profile so the AnyConnect agent connects to psn1 first, and if psn1 fails then connects to psn2, because I have got this issue: when the PC connects, the switch first connects to psn1 to authenticate; after successful authentication, AnyConnect connects to psn2 (not psn1) for posture, so the CoA from psn2 to the switch is not correct"

 

Can anyone help me configure the AnyConnect profile properly:

- Discovery host: psn1 or psn2 or both?

- Server name rules: psn1 or psn2 or both?

- Call Home List: psn1 or psn2 or both?

 

tommy182
Level 1

Hi,

 

Do you use the device-sensor functionality on the switch?

I noticed that the switch sometimes sends accounting data (that contains new info from the device-sensor perspective) not only to the server that owns that session, but to another one.

It creates stale or phantom sessions on this other server, and for some reason it causes the wrong server to be chosen by the AnyConnect ISE Posture module.

In the end all RADIUS Auth\Authz happened on one PSN and Posture may have happened on the second PSN.

The actual CoA (after the Posture status changed to Compliant) is sent by this second PSN to the switch, but the subsequent RADIUS Auth\Authz happens on the first PSN, which doesn't know about the Posture status.

 

I'm not sure where the real problem is: is it a device-sensor bug, or is it that ISE cannot point to the right PSN for Posture treatment?

But for me the real workaround was to disable the device-sensor functionality on the NAD.

 

Regards,

Tom

Hi,

@tommy182 @howon

 

I don't have Device Sensor enabled on the switches.

Also, I discovered the same issue: posture happening on one PSN and authentication on another.

It's difficult to upgrade to 2.4 and roll out 4.6 to 250+ users :(

This is the case, @hslai: 686020241

The case owner is a member of my team. I will review what we have so far together with him tomorrow.

Hi Tom.

 

What you've mentioned here is actually in line with what I've noticed in one of the customer cases recently. I don't think that this is the same case which has been mentioned here, since the ISE and AnyConnect versions are different, but

 

What I saw is that a specific switch platform can send Interim accounting messages, triggered by the device sensor, to a PSN which didn't perform authentication for the user.

 

When this message is generated, the PSN which did the authentication is up and marked as alive on the switch.

 

Could you please let me know on which platform/software you observed this problem?

 

Also a couple of words about the difference between Phantom and Stale sessions. Those terms are not defined anywhere, so for the last Cisco Live I used the following explanation:

 

Stale Session – a session for which the initial authentication and Accounting Start landed on one PSN but the Accounting Stop, for any reason, hit another PSN (for example due to expiration of the stickiness timer on the load balancer)


Phantom Session – a session which has been created in the PSN cache based on an accounting packet only (this could be part of a scenario where a PSN is marked as dead and there are some long-living active sessions on the NAD for which interim accounting messages are generated)

 

The third scenario in the second part of this breakout explains how to troubleshoot Stale/Phantom sessions:

 

https://ciscolive.cisco.com/on-demand-library/?search.event=ciscoliveemea2019&search=ISE#/session/1532118981651001vGwm

 

Regards,

 

Serhii
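The Stale/Phantom definitions in the post above, together with the "authentication on one PSN, posture on another" pattern tommy182 described earlier in the thread, can be turned into a simple check over exported per-PSN event data. The Python script below is an added illustration written for this page; it is not code from the thread, from Cisco, or from ISE. The log line format (`psn=... session=... event=...`) and the sample records are constructed for the example, and the rule that an Accounting-Start or Interim packet is what makes a PSN create a cache entry (while a lone Accounting-Stop does not) is an assumption of the model, not documented ISE behaviour.

```python
import re
from collections import defaultdict

# Constructed sample log (illustrative, not real ISE output). Each line is one
# RADIUS or posture event tagged with the PSN that received it.
#   S1: healthy - everything lands on psn1
#   S2: stale   - psn1 authenticated, but the Accounting-Stop went to psn2
#   S3: phantom - psn2 only ever saw Interim accounting, and posture landed there
SAMPLE_LOG = """\
psn=psn1 session=S1 event=auth
psn=psn1 session=S1 event=acct-start
psn=psn1 session=S1 event=posture-compliant
psn=psn1 session=S1 event=acct-stop
psn=psn1 session=S2 event=auth
psn=psn1 session=S2 event=acct-start
psn=psn2 session=S2 event=acct-stop
psn=psn1 session=S3 event=auth
psn=psn1 session=S3 event=acct-start
psn=psn2 session=S3 event=acct-interim
psn=psn2 session=S3 event=posture-compliant
"""

LINE_RE = re.compile(r"psn=(\S+)\s+session=(\S+)\s+event=(\S+)")

# Assumption of this model: these accounting packets make a PSN create a
# session-cache entry even when it never authenticated the session.
CREATES_ENTRY = {"acct-start", "acct-interim"}


def parse_log(text):
    """Return a list of (psn, session_id, event) tuples; unparsable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groups())
    return events


def find_anomalies(events):
    """Classify each session's per-PSN view.

    Returns a sorted list of (session_id, psn, finding) where finding is:
      'phantom'          - PSN holds a cache entry built from accounting only
      'stale'            - authenticating PSN never saw the stop; another PSN did
      'posture-mismatch' - posture report landed on a PSN that did not authenticate
    """
    views = defaultdict(lambda: defaultdict(set))  # session -> psn -> events seen
    for psn, sid, kind in events:
        views[sid][psn].add(kind)

    findings = []
    for sid, per_psn in views.items():
        auth_psns = {p for p, kinds in per_psn.items() if "auth" in kinds}
        stop_psns = {p for p, kinds in per_psn.items() if "acct-stop" in kinds}
        for psn, kinds in per_psn.items():
            if psn in auth_psns:
                # Stale: this PSN owns the session but the stop went elsewhere,
                # so its cache entry stays open until a timeout cleans it up.
                if "acct-start" in kinds and psn not in stop_psns and stop_psns:
                    findings.append((sid, psn, "stale"))
                continue
            # This PSN never authenticated the session.
            if kinds & CREATES_ENTRY:
                findings.append((sid, psn, "phantom"))
            if any(k.startswith("posture-") for k in kinds):
                # The CoA after posture will come from a PSN the owner knows
                # nothing about; this is the symptom the thread describes.
                findings.append((sid, psn, "posture-mismatch"))
    return sorted(findings)


if __name__ == "__main__":
    for sid, psn, finding in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{sid}: {finding} on {psn}")
```

Run against the constructed sample, S2 is reported as stale on psn1 and S3 as both phantom and posture-mismatch on psn2, while the healthy S1 produces nothing. Feeding it real per-PSN events would require extracting the session id, receiving PSN and event type from each node's own logs into the same three-field shape.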

 

Hi Serhii,

I discovered one more issue

 

1. I have 7 PCs connected to the LAN and their posture shows Not Applicable in ISE; the moment I disconnect them from the LAN and they switch to Wi-Fi, it starts showing Compliant in ISE

 

2. Vice versa, there is a PC which is connected to Wi-Fi and shows Not Applicable, and if I switch it to the LAN, posture shows Compliant in ISE

 

The strangest part is that when I enabled Extended Logging only the LAN adapter is showing in the NAM Logs folder; I believe both the LAN and Wi-Fi adapters should be displayed (this I checked on a PC connected on Wi-Fi)

 

I forgot to mention: "only the PCAP of the LAN adapter is showing"

dlutin001
Level 1
Hi, any updates on this problem?
We think that we are suffering from the same defect after we moved to the redirection-less posture process.
It's quite annoying.

tminh
Cisco Employee

Hi all,

 

We have the same problem with ISE 2.4 too.

The posture assessment reported to the PSN is NOT stable. Sometimes it is the same in the PC and in ISE; other times it is NOT. AnyConnect "says" compliant, ISE says "not applicable".

In case the root cause is that AuthC happens with one PSN but the Posture Assessment is reported to another PSN, what do we need to do to avoid this undesired situation?

 

Thanks for quick advice,

Minh

 

Hi!

 

You need to use Posture Assessment with URL redirect (it can help you point Posture to the same PSN that handles Auth\Authz).

Also, if you have RADIUS load-balancing enabled on the switch then disable it; it is the most annoying feature that simply doesn't work as it should.