
05-14-2017 07:50 PM
Hi Team,
I want to know the location of the connectiondata.xml file to check for the connected PSN for posture. In my case customer is only able to connect to one PSN from ASA if I change to some other PSN in deployment. It doesn't find the server. Looks like it always searches for the previously connected PSN.
The file gets created after successful posture completion. I believe, if I delete or edit the file, it will start connecting to the respective PSN afterwards.
Regards
Gagan
Labels: Identity Services Engine (ISE)
Accepted Solutions
05-15-2017 06:07 AM
This file is not intended to be edited directly but updated only after successful redirection. Be sure URL redirection is properly configured to redirect the endpoint to the current PSN (based on the URL redirect returned by the PSN). For VPN, it may be necessary to configure the Discovery Host (DH) with an IP which is reachable and is beyond the point of redirection (typically the ASA itself for ISE versions 2.0+) or IPN node for versions before ISE 2.0 and older ASA code. In ISE 2.2 with AC 4.4 we introduced the capability to establish a Call Home list which complements the DH and ConnectionData.xml components to support discovery even if there is no intermediate network device capable of URL redirection.
Craig

05-15-2017 09:16 AM
Hi Chyps,
In my scenario, the Discovery Host is blank in ASA and ISE. Now the Discovery Host will be selected on the basis of redirection from the PSN. However, it fails with one PSN server and always passes with another server.
That's why I thought of checking the connectiondata.xml. The machine might be taking the previously connected PSN IP.
What things need to be checked for this?
Regards
Gagan
05-15-2017 10:06 AM
Recommend populating DH to ensure it takes effect. There are cases where default discovery to Default Gateway will not work over VPN. DH is not selected by PSN. And note that DH is NOT the IP address of PSN. Yes, once there is a successful connection to a PSN, it will be populated into the ConnectionData file. Alternative is to deploy ISE 2.2 with AC 4.4.
Craig

05-15-2017 07:42 AM
Just to add to Craig's very good guidance...
Previously connected headend record: ConnectionData.xml
Windows: C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\ISE Posture\
MacOSX: /Users/'username'/.cisco/iseposture/log
Paul
