1128 Views, 5 Helpful, 1 Reply

Post migration from ASA to FTD, macOS users not redirected - AnyConnect

dgaikwad (Level 5)

Hi Experts,

I have posted this same query on the AnyConnect forums, but also wanted to get a view from ISE's end.

Last week we migrated from ASA to FTD, with no changes in policies or any other configuration on ISE's end. The configuration is good as it is.

Issue:
macOS endpoints are not able to find ISE server

Troubleshooting:
After migration it is observed that the Windows endpoints are able to connect to VPN just fine. That is, when they connect, the policy server is detected, the posture scan is run, and compliant endpoints are granted access.
But with the macOS endpoints, it is observed that authentication works, but they are not able to find the ISE server and run the posture.

These same endpoints were working when we were utilizing ASA for VPN access.
I have tested on macOS Catalina and Big Sur, but the end result is the same.
The VPN policies, client provisioning and authorization policies remain unchanged on ISE.

Has anyone faced this issue? Any pointers?

1 Reply

paul (Level 10)

How are you doing posture discovery on the FTD? Are you sure the posture redirect ACL is being pushed out by the FMC?

I would verify that you aren't having this problem on Windows devices as well. Go to your C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\ISE Posture and delete any of the files you see there. Restart the AnyConnect ISE posture module and then connect to VPN. This will force the Windows client to go through first-time discovery. The XML files in that directory help clients that have already connected find the ISE nodes. It can sometimes mask issues with the discovery process.
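The Windows cache-reset procedure described in the reply above, scripted as an added example (this is not code from the thread or from Cisco). It backs up and removes the cached discovery files under the ISE Posture directory named in the reply, then restarts the AnyConnect agent so the posture module starts without the cached ISE node list. Assumptions not stated in the thread: the AnyConnect agent runs as the Windows service `vpnagent`, and the script is run from an elevated PowerShell prompt. Restarting the agent will drop any active VPN session.

```powershell
# Added example, not from the thread: force first-time ISE posture discovery on Windows
# by clearing the cached discovery data the reply refers to, then restarting the agent.
# Assumptions (not stated in the thread): the AnyConnect agent service is named 'vpnagent';
# run this from an elevated PowerShell prompt.

$PostureDir = Join-Path $env:ProgramData 'Cisco\Cisco AnyConnect Secure Mobility Client\ISE Posture'
$BackupDir  = Join-Path $env:TEMP ('ISEPosture-backup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))

if (-not (Test-Path -LiteralPath $PostureDir)) {
    Write-Error "ISE Posture directory not found: $PostureDir (is the ISE Posture module installed?)"
    exit 1
}

# Keep a copy of the cached files so the discovery state before and after can be compared.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
Get-ChildItem -LiteralPath $PostureDir -File | ForEach-Object {
    Write-Host ("Backing up and removing cached file: {0}" -f $_.Name)
    Copy-Item -LiteralPath $_.FullName -Destination $BackupDir
    Remove-Item -LiteralPath $_.FullName -Force
}

# Restart the agent so the posture module comes up without the cached ISE node list.
# 'vpnagent' is an assumed service name; confirm with: Get-Service -DisplayName '*AnyConnect*'
Restart-Service -Name 'vpnagent' -Force

Write-Host "Cache cleared; backup saved to $BackupDir. Connect to VPN and watch the ISE Posture module for discovery."
```

If the Windows client fails to find ISE after this reset, the problem is in discovery (redirect ACL, DNS, or reachability) rather than something specific to macOS; if Windows still succeeds, the macOS clients are the only ones affected and the comparison the reply suggests has been made.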