Cisco Employee

ISE-VPN-Posture-Issue

Team,

I am working with one of our customers on an ISE VPN posture POC. Following is the lab setup:

1. ISE 2.0 patch 3 (Standalone)

2. AnyConnect 4.3 / 4.2 (I have defined the discovery host in the posture profile)

Posture checks and remediation are working as expected on domain laptops, but we are observing the following with respect to the posture module:

1. When we disconnect the VPN connection, posture assessment kicks in again and does all the posture checks and remediation.

2. When we connect to any other non-posture VPN profile (different ASA, different RADIUS server), posture assessment kicks in and does all the posture checks and remediation. But it does not affect connectivity even though it shows non-compliant. The discovery host is reachable from all other VPN profiles and the LAN network.

3. On non-domain laptops, we are getting "no policy server found".

Could you please throw some light on this? Am I missing something?

Thanks,

Neelesh Marathe

1 ACCEPTED SOLUTION

Hello Paul,

The problem seems to be resolved after configuring the ISE group in the RADIUS accounting configuration on the ASA.

Thanks,

Neelesh Marathe

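An added illustration of the fix Neelesh describes, not configuration from this thread or from the customer's ASA (the server-group name ISE-group, the ISE address, the key, the tunnel-group and the pool name are placeholders). ISE builds its VPN session from the RADIUS accounting the ASA sends, so a tunnel-group that only sends authentication leaves ISE with no session for the posture module to be matched against; the corrected tunnel-group adds accounting to the same ISE server group.

```cisco
! Constructed example, not the customer's configuration. All names and addresses are placeholders.
! RADIUS server group pointing at ISE (assumed name ISE-group, assumed address 10.0.0.10).
aaa-server ISE-group protocol radius
 interim-accounting-update periodic 1
 dynamic-authorization
aaa-server ISE-group (inside) host 10.0.0.10
 key REPLACE_WITH_SHARED_SECRET
 authentication-port 1812
 accounting-port 1813
!
! BEFORE: authentication only. ISE authenticates the user but receives no
! accounting start, so it has no session to tie the posture result to.
tunnel-group POSTURE-VPN general-attributes
 address-pool VPN-POOL
 authentication-server-group ISE-group
!
! AFTER: accounting is sent to the same ISE group, so ISE creates the session;
! dynamic-authorization lets ISE apply the post-posture CoA to that session.
tunnel-group POSTURE-VPN general-attributes
 address-pool VPN-POOL
 authentication-server-group ISE-group
 accounting-server-group ISE-group
```

After connecting a test client, confirm on ISE that an active session now appears for the VPN user before re-testing the posture checks.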

7 REPLIES
Cisco Employee

Neelesh, I've asked our AnyConnect and Posture TMEs to review this and provide a response.

Cisco Employee

Hello,

I need some clarification.

"1. When we disconnect the VPN connection, posture assessment kicks in again and does all the posture checks and remediation."

Is the test machine for VPN on the 'Outside' interface (security level 0) of the ASA, with no access to the internal 'Inside' interface (security level 100) unless the VPN is established?

"2. When we connect to any other non-posture VPN profile (different ASA, different RADIUS server), posture assessment kicks in and does all the posture checks and remediation. But it does not affect connectivity even though it shows non-compliant. The discovery host is reachable from all other VPN profiles and the LAN network."

You do mean tunnel-group/connection profile, correct? Can you email me the ASA configuration directly? It may help clear things up.

"3. On non-domain laptops, we are getting 'no policy server found'."

With the VPN established to the ASA?

Thank you

Paul

Hello Thomas,

Thanks.

Hello Paul,

Please find my answers:

Is the test machine for VPN on the 'Outside' interface (security level 0) of the ASA, with no access to the internal 'Inside' interface (security level 100) unless the VPN is established?
We only have one Inside interface on the ASA. The public IP address is NATed to this Inside interface IP address on a Checkpoint that is installed in front of the ASA, so it is a same-interface scenario. RADIUS and other traffic comes in and goes out on the same interface.

You do mean tunnel-group/connection profile, correct? Can you email me the ASA configuration directly? It may help clear things up.
Correct. I have asked the customer to share the running configuration. I don't have access to the ASA. I am also not sure if the customer will share the ASA config.

With the VPN established to the ASA?
Yes, after the VPN is established.


Thanks,

Neelesh Marathe

Hello Paul,

Could you please provide your inputs? I have responded to your queries. I don't have the ASA running config yet. Once I get it I will provide it to you.

Thanks,

Neelesh Marathe

Hello,

In my opinion this topology is only going to complicate troubleshooting, and without the ASA configuration it is even more difficult. Why are they only using a single interface for VPN?

1.) What network is the endpoint on when establishing the VPN session? Is this the same network as ISE?

2.) What is the local IP pool or DHCP scope assigned to the user when the session is established? Is this the same network as ISE, and the same network that they established the session from?

Please send the ASA configuration ASAP. If they don't want to share it, then maybe they should open a TAC case and do a WebEx with them to troubleshoot this.

Best regards,

Paul

Cisco Employee

Good to hear it's resolved.

Best regards,

Paul
