Issue with Client Provision when use ISE Posture on ASA

yangui319 (Level 1)

Hi guys,

I want to test ISE Posture with AnyConnect on an ASA, but Client Provisioning does not work correctly. However, ISE Posture with BYOD works correctly. Here is some of the configuration on the ASA, plus ISE captures.
On ASA:

webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.2.00096-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
!
ip local pool POOL1 192.168.100.1-192.168.100.100 mask 255.255.255.0
access-list SPLIT-ACL standard permit 172.16.1.0 255.255.255.0
access-list Redirect extended permit tcp any any eq www
!
group-policy GroupPolicy_SSL internal
group-policy GroupPolicy_SSL attributes
 wins-server none
 dns-server value 172.16.1.241
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-ACL
 default-domain none
!
aaa-server ISE protocol radius
 dynamic-authorization
aaa-server ISE (inside) host 172.16.1.110
 timeout 5
 key cisco
!
tunnel-group SSL type remote-access
tunnel-group SSL general-attributes
 address-pool POOL1
 authentication-server-group ISE
 default-group-policy GroupPolicy_SSL
tunnel-group SSL webvpn-attributes
 group-alias SSL enable
!

With the configuration on ISE, the HTTP redirect works, and downloading the AnyConnect network assistant also works as usual, but when I run the assistant it encounters the error "cannot connect to the server...". It looks like the posture profile defined on ISE does not work properly. Does anyone have the same problem?

Attachments: 1-Top.png, 2-Radius Live Log.png, 3-ISE Posture Profile.png, 4-Anyconnect Configuration.png, 5-Client Provision Resources.png, 6-HTTP Redirect.png, 8-anyconnect network assistant.png, 9-assistant error.png

8 Replies

Octavian Szolga (Level 4)

Hi,

Can you please test with a different IP (still part of the tunneled traffic) other than ISE in discovery host section of the posture profile?
Also, make sure you delete the profile from the PC before the test.


Regards,

Octavian

If I manually install the AnyConnect posture and iseposture modules and add the XML profile with discovery host 172.16.1.110, it works. The PC can dynamically download the AnyConnect compliance module, but this is not an intelligent way.

And why do I need to change to another discovery host address? I mean, isn't the discovery host the posture server?

Hi,

The discovery host should be any IP that's inside the tunnel that can trigger the redirect to ISE.
It's not recommended to be ISE. Give it a go like I suggested.


Thanks,

Octavian

I changed the discovery host to 172.16.1.241 and enabled ip http server on R1; same issue.

However, when I change the remediation timer to 20 min, the VPN client still uses 4 min. What is the problem there?

Attachments: Remediation Timer.png, Remediation Timer ON VPN Client.png

Hi,

I don't see anything wrong in your second set of pictures. I assume that after you download the client you get the same error.

Have you checked this tutorial?

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/117693-configure-ASA-00.html

I noticed that your redirect URL is quite simple, with no exceptions. This may be the issue, even though the default deny (no redirect) should allow any other traffic (including ISE).

One more thing, beware of the NAT config. Make sure your NAT config exempts VPN-to-internal traffic from any PAT.

If I were you, I'd check these:

- DNS (maybe the client can't resolve the ISE FQDN at some point)

- split tunnel vs full tunnel (I'd test with full tunnel just to make sure all traffic is diverted towards the ASA)

- identity NAT for the pool to internal and PAT for the internet (for some reason the redirect may sometimes not work because of NAT; something to do with NAT order of operations)

- a newer version of ISE/AC? (last time I used the call-home option directly in the AC XML posture profile and it worked like a charm)

One more thing, depending on your ISE version, this may help you understand how things work and possibly what's wrong in your case:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210523-ISE-posture-style-comparison-for-pre-and.html

Regards,

Octavian
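Putting the checks in the reply above into ASA configuration, as an added example that is not the poster's or Octavian's own config. It reuses the addresses from the thread (ISE 172.16.1.110, DNS 172.16.1.241, pool 192.168.100.0/24, inside 172.16.1.0/24) and assumes that the ISE authorization profile for the posture-unknown state does a Client Provisioning (Posture) web redirection that names the ASA ACL "Redirect". The object names VPN-POOL and INSIDE-NET, the profile name ISEPostureProfile and the file name ISEPostureCFG.xml are made up for illustration.

```text
! Redirect ACL referenced by the ISE authorization profile (url-redirect-acl).
! deny = not redirected, permit = redirected. DNS and all traffic to ISE itself
! must be exempted, otherwise the client provisioning portal and the posture
! probe to the ISE FQDN are redirected too and the assistant cannot reach ISE.
! The discovery host (e.g. 172.16.1.241) is deliberately NOT exempted: the
! AnyConnect probe to it on tcp/80 is what triggers the redirect to ISE.
access-list Redirect extended deny udp any any eq domain
access-list Redirect extended deny ip any host 172.16.1.110
access-list Redirect extended deny icmp any any
access-list Redirect extended permit tcp any any eq www
!
! Identity (no-NAT) rule for pool-to-inside traffic so the redirect is
! evaluated against the client's real pool address and nothing is PAT'd.
object network VPN-POOL
 subnet 192.168.100.0 255.255.255.0
object network INSIDE-NET
 subnet 172.16.1.0 255.255.255.0
nat (outside,inside) source static VPN-POOL VPN-POOL destination static INSIDE-NET INSIDE-NET no-proxy-arp route-lookup
!
! RADIUS towards ISE: CoA for the posture-compliant re-authorization and
! interim accounting so ISE keeps the session's framed IP up to date.
aaa-server ISE protocol radius
 dynamic-authorization
 interim-accounting-update periodic 1
aaa-server ISE (inside) host 172.16.1.110
 key cisco
!
! ISE only learns about the VPN session (and its IP) from RADIUS accounting,
! so the tunnel-group must send accounting to the same server group.
tunnel-group SSL general-attributes
 address-pool POOL1
 authentication-server-group ISE
 accounting-server-group ISE
 default-group-policy GroupPolicy_SSL
!
! For the test, tunnel everything so no probe bypasses the ASA; switch back
! to tunnelspecified once posture works. The modules line pushes the posture
! and ISE posture modules from the ASA, as the poster did manually below;
! the profiles line (assumed, optional) pushes an ISE posture profile that
! was uploaded to flash as disk0:/ISEPostureCFG.xml.
webvpn
 anyconnect profiles ISEPostureProfile disk0:/ISEPostureCFG.xml
group-policy GroupPolicy_SSL attributes
 split-tunnel-policy tunnelall
 webvpn
  anyconnect modules value posture,iseposture
  anyconnect profiles value ISEPostureProfile type iseposture
```

A quick way to check the redirect from the client side is to browse from the connected VPN PC to http://172.16.1.241/ and confirm the browser lands on the ISE client provisioning portal with a sessionId in the URL; if the ISE RADIUS Live Log shows no accounting start for the session, the accounting-server-group line is the first thing to verify.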

Thanks, no NAT has been configured, and DNS is working correctly. I have tested with ISE 2.1, 2.2 and 2.4; the same issue is encountered.

Additionally, I have tested another way of configuring posture: on the ASA I added the following commands.

On ASA:

group-policy Group_SSL attributes
 webvpn
  anyconnect modules value posture,iseposture

With the above commands, and an ISE posture profile created with ASDM, the test PC can normally download the AnyConnect posture module and the ISE posture module, and with the ISE posture profile the test PC can dynamically download the AnyConnect compliance module from ISE, and it works correctly.

However, this is not intelligent enough.

I have tested this scenario for several days; maybe some key command or setting has been overlooked.


Hi,

Why is it troublesome to do it this way? This is how I did it and I see no issue with it.

I remember having some issues with the fact that the same profile would have to be configured/synced both on ISE and the ASA, but I guess this is a false issue because normally, once you're done with the config, you're not changing it on a daily basis. You just place the same profile both on ISE and the ASA and you're done. In case you need to update AnyConnect, you place the newer version on the ASA and it will be updated for sure.

Regards,

Octavian

I have tested AnyConnect 4.2, 4.3 and 4.5 with ASAv 9.4(3) and ASAv 9.8(1); same issue. So I came here for help.
