06-22-2016 09:30 AM
Team,
I am working with one of the customers for an ISE POC (VPN posture). Following is the lab setup:
1. ISE 2.0 patch 3 (standalone)
2. AnyConnect 4.3 / 4.2 (I have defined the discovery host in the posture profile)
Posture checks and remediation are working as expected on domain laptops. But we are observing the following with respect to the posture module:
1. When we disconnect the VPN connection, posture assessment kicks in again and does all the posture checks and remediation.
2. When we connect to any other non-posture VPN profile (different ASA, different RADIUS server), posture assessment kicks in and does all the posture checks and remediation. But it does not affect the connectivity even though it shows non-compliant. The discovery host is reachable from all other VPN profiles and the LAN network.
3. On non-domain laptops, we get "no policy server found".
Could you please throw some light on this. Am I missing something?
Thanks,
Neelesh Marathe
06-23-2016 08:34 AM
Neelesh, I've asked our AnyConnect and Posture TMEs to review this and provide a response.
06-23-2016 09:00 AM
Hello,
I need some clarification.
"1. When we disconnect the VPN connection, posture assessment kicks in again and does all the posture checks and remediation."
Is the test machine for VPN on the 'Outside' interface (security level 0) of the ASA, with no access to the internal 'Inside' (security level 100) unless VPN is established?
"2. When we connect to any other non-posture VPN profile (different ASA, different RADIUS server), posture assessment kicks in and does all the posture checks and remediation. But it does not affect the connectivity even though it shows non-compliant. The discovery host is reachable from all other VPN profiles and the LAN network."
You do mean tunnel-group/connection profile, correct? Can you email me the ASA configuration directly? It may help clear things up.
"3. On non-domain laptops, we get 'no policy server found'."
With the VPN established to the ASA?
Thank you
Paul
06-23-2016 11:18 PM
Hello Thomas,
Thanks..
Hello Paul,
Please find my answers:
"Is the test machine for VPN on the 'Outside' interface (security level 0) of the ASA, with no access to the internal 'Inside' (security level 100) unless VPN is established?" - We only have one Inside interface on the ASA. The public IP address is NATed to this Inside interface IP address on the Checkpoint, which is installed in front of the ASA. So it's a same-interface scenario. RADIUS and other traffic comes in and goes out from the same interface.
"You do mean tunnel-group/connection profile, correct? Can you email me the ASA configuration directly? It may help clear things up." - Correct. I have asked the customer to share the running configuration. I don't have access to the ASA. I am also not sure if the customer will share the ASA config.
"With the VPN established to the ASA?" - Yes, after the VPN is established.
Thanks,
Neelesh Marathe
06-27-2016 02:59 AM
Hello Paul,
Could you please provide your inputs? I have responded to your queries. I don't have the ASA running config yet. Once I get it, I will provide it to you.
Thanks,
Neelesh Marathe
06-27-2016 01:45 PM
Hello,
In my opinion, this topology is only going to complicate troubleshooting this, and without the ASA configuration it is even more difficult. Why are they only using a single interface for VPN?
1.) What network is the endpoint on when establishing the VPN session? Is this the same network as ISE?
2.) What is the local IP pool or DHCP scope assigned to the user when the session is established? Is this the same network as ISE, and the same network that they established the session from?
Please send the ASA configuration ASAP. If they don't want to share it, then maybe they should open a TAC case and do a WebEx with them to troubleshoot this.
Best regards,
Paul
07-03-2016 09:14 AM
Hello Paul,
The problem seems to be resolved after configuring ISE-group in the RADIUS accounting configuration on the ASA.
Thanks,
Neelesh Marathe
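The fix above hinges on the ASA sending RADIUS accounting for the VPN session to the same ISE server group that authenticates it; ISE uses that accounting to learn the session, and the posture module cannot find a policy server for a session ISE never saw. The following is an added example, not code from the thread or from Cisco: a small Python checker that parses an ASA running-config and flags any tunnel-group whose `authentication-server-group` is set but whose `accounting-server-group` does not point to the same AAA server group. The sample configuration is constructed for the example; the server group name ISE-group comes from the post, while the tunnel-group names, pool name and host address are assumptions.

```python
"""Flag ASA tunnel-groups that authenticate against a RADIUS server group
but do not send accounting to that same group (a common cause of ISE
posture sessions not being correlated)."""
import re

# Constructed sample running-config (not from the thread):
# POSTURE-VPN is configured correctly, LEGACY-VPN lacks accounting.
SAMPLE_CONFIG = """\
aaa-server ISE-group protocol radius
 interim-accounting-update periodic 1
 dynamic-authorization
aaa-server ISE-group (inside) host 10.0.0.5
 key *****
tunnel-group POSTURE-VPN type remote-access
tunnel-group POSTURE-VPN general-attributes
 address-pool VPN-POOL
 authentication-server-group ISE-group
 accounting-server-group ISE-group
tunnel-group LEGACY-VPN type remote-access
tunnel-group LEGACY-VPN general-attributes
 address-pool VPN-POOL
 authentication-server-group ISE-group
"""

GENERAL_ATTRS = re.compile(r"^tunnel-group (\S+) general-attributes")
SERVER_GROUP = re.compile(r"^ (authentication|accounting)-server-group (\S+)")


def parse_tunnel_groups(config):
    """Return {tunnel_group: {"authentication": grp, "accounting": grp}}
    from the 'general-attributes' sections of an ASA config."""
    groups = {}
    current = None
    for line in config.splitlines():
        m = GENERAL_ATTRS.match(line)
        if m:
            current = groups.setdefault(m.group(1), {})
            continue
        if not line.startswith(" "):
            # Any other top-level command ends the current section.
            current = None
            continue
        if current is None:
            continue
        m = SERVER_GROUP.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    return groups


def find_missing_accounting(config):
    """Return {tunnel_group: auth_group} for every tunnel-group that
    authenticates via a server group but does not account to it."""
    findings = {}
    for name, attrs in parse_tunnel_groups(config).items():
        auth = attrs.get("authentication")
        acct = attrs.get("accounting")
        if auth and acct != auth:
            findings[name] = auth
    return findings


if __name__ == "__main__":
    for tg, auth in find_missing_accounting(SAMPLE_CONFIG).items():
        print(f"tunnel-group {tg}: authenticates to {auth} "
              f"but has no matching accounting-server-group")
```

Run it against the output of `show running-config` saved to a file (read the file into `find_missing_accounting` instead of `SAMPLE_CONFIG`); each reported tunnel-group is one where ISE will authorize the VPN user but never receive the accounting start that creates the session posture depends on.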
07-12-2016 12:05 PM
Good to hear it's resolved.
Best regards,
Paul