Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2565
Views
8
Helpful
4
Replies

Looking for Connectiondata.xml for posture in MAC OSx machine

Go to solution
Gagandeep Singh
Cisco Employee
Cisco Employee

‎05-14-2017 07:50 PM

Hi Team,

Wants to know the location for connectiondata.xml file to check for connected PSN for posture. In my case customer is only able to connect to one PSN from ASA if I change to someother PSN in deployment. It doesn't find the server. Looks like it always search for previously connected PSN.

The file gets created after successful posture completion. I believe, if I delete or edit the file, it will start connected to the respective PSN afterwards.

Regards

Gagan

1 Accepted Solution

Accepted Solutions

Go to solution
Craig Hyps
Level 10
Level 10

‎05-15-2017 06:07 AM

This file is not intended to be edited directly but updated only after successful redirection.  Be sure URL redirection is properly configured to redirect endpoint to current PSN (based on the URL redirect returned by PSN).  For VPN, it may be necessary to configure the Discovery Host (DH) with an IP which is reachable and is beyond the point of redirection (typically the ASA itself for ISE versions 2.0+) or IPN node for versions before ISE 2.0 and older ASA code.  In ISE 2.2 with AC 4.4 we introduced capability to establish a Call Home list which complements DH and ConnectionData.xml components to support discovery even if no intermediate network device capable of URL redirection.

Craig

View solution in original post

4 Replies 4

Go to solution
Craig Hyps
Level 10
Level 10

‎05-15-2017 06:07 AM

This file is not intended to be edited directly but updated only after successful redirection.  Be sure URL redirection is properly configured to redirect endpoint to current PSN (based on the URL redirect returned by PSN).  For VPN, it may be necessary to configure the Discovery Host (DH) with an IP which is reachable and is beyond the point of redirection (typically the ASA itself for ISE versions 2.0+) or IPN node for versions before ISE 2.0 and older ASA code.  In ISE 2.2 with AC 4.4 we introduced capability to establish a Call Home list which complements DH and ConnectionData.xml components to support discovery even if no intermediate network device capable of URL redirection.

Craig

Go to solution
Gagandeep Singh
Cisco Employee
Cisco Employee
In response to Craig Hyps

‎05-15-2017 09:16 AM

Hi Chyps,

In my scenario, Discovery host as blank in ASA and ISE.  Now the Discovery host will be selected on the basis of redirection from the PSN. However, it fails with one PSN server and always pass with another server.

That's why I thought of checking the connectiondata.xml. The machine might be taking previously connected PSN IP.

What all things needs to check for the same.

Regards

Gagan

Go to solution
Craig Hyps
Level 10
Level 10
In response to Gagandeep Singh

‎05-15-2017 10:06 AM

Recommend populating DH to ensure it takes effect.  There are cases where default discovery to Default Gateway will not work over VPN.   DH is not selected by PSN.  And note that DH is NOT the IP address of PSN.  Yes, once there is a successful connection to a PSN, it will be populated into the ConnectionData file.  Alternative is to deploy ISE 2.2 with AC 4.4.

Craig

Go to solution
pcarco
Cisco Employee
Cisco Employee

‎05-15-2017 07:42 AM

Just to add to Craig's very good guidance...

Previously connected headend record: ConnectionData.xml

Windows: C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\ISE Posture\

MacOSX: /Users/'username'/.cisco/iseposture/log

Paul

Customers Also Viewed These Support Documents