dgaikwad
Contributor

Post migration from ASA to FTD, macOS users not redirected - AnyConnect

Hi Experts,

I have posted this same query on the AnyConnect forums, but also wanted to get a view from ISE's end.

Last week we migrated from ASA to FTD, with no changes in policies or any other configuration on ISE's end. The configuration is good as it is.

Issue:
macOS endpoints are not able to find ISE server

Troubleshooting:
After migration it's observed that the Windows endpoints are able to connect to VPN just fine. That is, when they connect, the policy server is detected, the posture scan is run, and compliant endpoints are granted access.
But with the macOS endpoints, it is observed that authentication works, but they are not able to find the ISE server and run the posture.

These same endpoints were working when we were utilizing ASA for VPN access.
I have tested on macOS Catalina and Big Sur, but the end result is the same.
The VPN policies, client provisioning and authorization policies remain unchanged on ISE.

Has anyone faced this issue? Any pointers?

1 REPLY
paul
Advocate

How are you doing posture discovery on the FTD?  Are you sure the posture redirect ACL is being pushed out by the FMC? 

 

I would verify that you aren't having this problem on Windows devices as well.  Go to your C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\ISE Posture and delete any of the files you see there.  Restart the AnyConnect ISE posture module and then connect to VPN.  This will force the Windows client to go through first time discovery.  The XML files in that directory help clients that have already connected find the ISE nodes.  It can sometimes mask issues with the discovery process.
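
The Windows check described in the reply above, as an added PowerShell sketch (not part of the original posts and not Cisco-supplied code). It moves the cached files to a backup folder instead of deleting them so the test is reversible; the backup location and the lookup of the posture service by display name are assumptions, so confirm the service name on your client before running it from an elevated prompt.

```powershell
# Added example: force first-time ISE posture discovery on a Windows test client.
# Directory path is the one quoted in the reply above.
$postureDir = 'C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\ISE Posture'

# Assumption: backup folder name and location are arbitrary choices for this example.
$backupDir = Join-Path $env:TEMP ("ISEPosture-backup-{0:yyyyMMdd-HHmmss}" -f (Get-Date))

if (-not (Test-Path -LiteralPath $postureDir)) {
    throw "Posture directory not found: $postureDir"
}

# Assumption: the posture module's service is located by display name pattern,
# because the exact service name is not given on this page.
$svc = @(Get-Service -DisplayName '*ISE Posture*' -ErrorAction SilentlyContinue)
if ($svc.Count -ne 1) {
    throw "Expected exactly one ISE posture service, found $($svc.Count). Check with Get-Service."
}

# Move the cached discovery files out of the way (kept so they can be restored).
$files = @(Get-ChildItem -LiteralPath $postureDir -File)
if ($files.Count -gt 0) {
    New-Item -ItemType Directory -Path $backupDir -ErrorAction Stop | Out-Null
    $files | Move-Item -Destination $backupDir -ErrorAction Stop
}

# Restart the posture module so it starts with no cached ISE node information.
Restart-Service -InputObject $svc[0] -Force -ErrorAction Stop

# Report what was cleared; compare with what reappears after the next VPN connection.
[pscustomobject]@{
    Service      = $svc[0].DisplayName
    FilesCleared = $files.Count
    FileNames    = $files.Name -join ', '
    Backup       = if ($files.Count -gt 0) { $backupDir } else { '(nothing to back up)' }
}
```

After it runs, connect to the VPN. If the Windows client now fails to find the ISE node the same way the macOS clients do, the cached files were masking a discovery problem that affects both platforms.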
