05-04-2018 12:27 AM
Hello Community,
Running ISE 2.1 with patch 5 and AnyConnect 4.5.
We are facing an issue on random endpoints: a "No Policy Server Detected" message in AnyConnect, while the ISE Live Logs show Posture Unknown.
Endpoints are able to ping the ISE server, as well as its hostname, and are also able to resolve enroll.cisco.com.
Dot1x is completing successfully for the endpoint, redirection is also working, and the posture status is showing Pending under Live Sessions on ISE.
Is there anything I need to look at to find out why posture is not working?
Appreciate your Inputs here.
05-04-2018 06:51 PM
With ISE 2.1, you must rely on URL redirect for the client to discover the PSN, and it needs to be the PSN that authenticated the client. One exception is the attempt to connect to the previous PSN, but let's stick to the new connection case. Therefore, your Discovery Host, or the resolution of enroll.cisco.com, must resolve to a target beyond the redirection point and be a routable target. If the DH or enroll.cisco.com resolves to the PSN, it will not work.
05-05-2018 01:24 AM
As you mentioned this issue happening randomly, please engage Cisco TAC to troubleshoot.
05-06-2018 03:32 AM
hslaichyps, thanks for the input.
I have taken TAC Support.
More about the issue: when a user logs on to one PC, the posture scan works and the endpoint gets Compliant status; when the same user logs on to a different PC, AnyConnect shows No Policy Server Detected after the scan.
After a packet capture, we found that AnyConnect reaches ISE and ISE redirects AnyConnect to port 8905. When AnyConnect goes to that port, ISE sends a Reset, even though we confirmed on ISE that the port was open. It is weird that ISE was giving a Reset.
The TAC engineer went through the support bundle, found some bugs along with a high load average, and suggested either reloading the server or upgrading to Patch 7.
As a temporary workaround we reloaded the box, and after the reload the No Policy Server issue was resolved.
Is there anything we need to look at to resolve the Reset instead of going for Patch 7?
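As an added example (not code from the thread, from Cisco, or from any of the posters), here is a small Python check for the two things this post and the earlier reply point at: whether the Discovery Host / enroll.cisco.com resolves to a PSN itself (which the earlier reply says will not work on ISE 2.1), and whether TCP 8905 on the PSN accepts a connection or answers with a RST, as seen in the packet capture. The PSN addresses, the second discovery hostname and the resolution table are constructed sample data, not from this deployment; the loopback self-check only shows what a RST looks like to the probe and does not test ISE.

```python
"""Pre-TAC sanity check for AnyConnect posture discovery against ISE 2.1.
Added example; PSN IPs and the resolution table are constructed sample data."""
import socket
from typing import Dict, Iterable, Set, Tuple


def check_discovery_target(resolved_ips: Iterable[str], psn_ips: Set[str]) -> str:
    """Classify what the Discovery Host / enroll.cisco.com resolves to.

    "resolves_to_psn" is the broken case from the reply above (the target
    must lie beyond the redirection point), "unresolved" means DNS returned
    nothing, anything else is "ok".
    """
    ips = set(resolved_ips)
    if not ips:
        return "unresolved"
    if ips & psn_ips:
        return "resolves_to_psn"
    return "ok"


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """TCP connect to host:port and report how the peer answered.

    "open"     - handshake completed
    "refused"  - peer answered the SYN with a RST (what the capture showed)
    "filtered" - no answer within timeout (dropped by firewall/ACL)
    "error"    - anything else (no route, name lookup failure, ...)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "error"


def resolve(hostname: str) -> Set[str]:
    """Resolve a name to its addresses using the client's own resolver."""
    try:
        infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def self_check_local() -> Tuple[str, str]:
    """Show the RST case without a PSN: probe a throwaway loopback listener
    while it listens ("open"), then again after it is closed ("refused",
    because the kernel answers the SYN with a RST)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_listening = probe_tcp("127.0.0.1", port, timeout=2.0)
    srv.close()
    after_close = probe_tcp("127.0.0.1", port, timeout=2.0)
    return while_listening, after_close


# Constructed sample data: two PSNs and what two discovery names resolve to.
SAMPLE_PSN_IPS: Set[str] = {"10.10.1.11", "10.10.1.12"}
SAMPLE_RESOLUTION: Dict[str, Set[str]] = {
    "enroll.cisco.com": {"10.10.1.11"},             # wrong: points at a PSN
    "discovery.example.internal": {"10.200.0.5"},  # ok: beyond the redirect
}


def run_report(psn_ips: Set[str] = SAMPLE_PSN_IPS,
               resolution: Dict[str, Set[str]] = SAMPLE_RESOLUTION,
               probe: bool = False) -> Dict[str, str]:
    """Classify each discovery name; with probe=True also try PSN:8905."""
    report = {name: check_discovery_target(ips, psn_ips)
              for name, ips in resolution.items()}
    if probe:  # needs network reach to the PSNs; off by default
        for ip in sorted(psn_ips):
            report[f"{ip}:8905"] = probe_tcp(ip, 8905)
    return report


if __name__ == "__main__":
    for key, verdict in run_report().items():
        print(f"{key:32s} {verdict}")
    print("loopback self-check (expect open, refused):", self_check_local())
```

Run it from a client subnet behind the redirect, replacing the sample data with the real PSN addresses and the names your clients actually resolve (resolve() is there for that). A "refused" on 8905 while the port is confirmed open on ISE is exactly the state described in this post and is not something a client-side setting fixes.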
05-06-2018 04:42 AM
Please take the TAC advice, as they are tasked with troubleshooting and resolving break/fix issues.
05-06-2018 02:06 PM
I suspect it is a case where the posture request was sent to a PSN that was no longer the owner. If a specific defect was flagged as being the fix, as we have added some logic to address such out-of-sync cases, then that would be the path to prevent future occurrences; else rely on the ISE 2.2+ feature to provide Phase 2 discovery.