02-24-2024 02:25 PM
Hello,
We had a perfectly functional ISE 2.7 posture deployment, but we had to upgrade to ISE 3.2.
We set up another deployment and imported our 2.7 config into the 3.2. Since then, our computers never go through the full posture process.
We're using Anyconnect for posture. When we boot the computer & log into it, the posture is shown as "compliant" on the endpoint, and the report is actually sent to ISE (we can see it in the reports), but our ISE never sends back a CoA to modify the authorization profile.
So our computer is stuck with the authorization profile that it gets while the posture status is "unknown", because on ISE, posture status remains as "pending" forever in the live logs.
We can fix this with one of the following methods:
When we do any of these actions, the posture is re-evaluated, the status sent to ISE, and it works correctly because ISE will now really get the "compliant" status of the posture, and send a CoA. The authorization profile is then updated on the switchport.
I've opened a TAC case but I'm hoping somebody has faced the same issue and managed to solve it.
02-26-2024 07:31 AM - edited 02-26-2024 07:31 AM
Do you see the CoA packet leaving ISE? Do you have a log for CoA on ISE? Does the NAD have a dynamic author entry for the new 3.2 ISE nodes? What patch on ISE 3.2?
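The questions above come down to whether a well-formed RADIUS CoA-Request (RFC 5176, UDP 1700 on Cisco NADs or 3799 per the RFC) actually leaves ISE and whether the NAD accepts it, which it only does when a dynamic-author entry exists for the new PSN addresses with the matching shared secret. The following is an added example, not code from the thread or from Cisco: a small pure-Python builder and verifier for CoA packets that you can point at bytes pulled out of a capture. The shared secret, session IDs, MAC address and the `subscriber:command=reauthenticate` avpair are constructed sample values, and the packet codes, authenticator calculations and Error-Cause 503 are taken from RFC 5176.

```python
import hashlib
import hmac
import struct

# RFC 5176 packet codes for dynamic authorization
CODES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
         43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
ATTR_NAS_IP = 4
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_SESSION_ID = 44
ATTR_VENDOR_SPECIFIC = 26
ATTR_ERROR_CAUSE = 101          # carried in a CoA-NAK (RFC 5176 section 3.5)
CISCO_VENDOR_ID = 9


def build_attrs(attrs):
    """Encode a list of (type, value_bytes) as RADIUS TLVs (length covers the 2-byte header)."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def cisco_avpair(text):
    """Vendor-Specific attribute carrying one cisco-avpair (vendor 9, sub-type 1)."""
    sub = struct.pack("!BB", 1, len(text) + 2) + text.encode()
    return (ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def build_coa_request(identifier, attrs, secret):
    """CoA-Request: Request Authenticator = MD5(header || 16 zero bytes || attrs || secret)."""
    body = build_attrs(attrs)
    header = struct.pack("!BBH", 43, identifier, 20 + len(body))
    auth = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return header + auth + body


def build_response(code, request_pkt, attrs, secret):
    """CoA-ACK/NAK: Response Authenticator = MD5(header || RequestAuth || attrs || secret)."""
    body = build_attrs(attrs)
    header = struct.pack("!BBH", code, request_pkt[1], 20 + len(body))
    auth = hashlib.md5(header + request_pkt[4:20] + body + secret).digest()
    return header + auth + body


def parse_radius(pkt):
    """Return (code_name, identifier, [(type, value)]) or raise on a malformed packet."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or len(pkt) < length:
        raise ValueError("truncated RADIUS packet")
    attrs, i = [], 20
    while i < length:
        t, l = pkt[i], pkt[i + 1]
        if l < 2 or i + l > length:
            raise ValueError("malformed attribute")
        attrs.append((t, pkt[i + 2:i + l]))
        i += l
    return CODES.get(code, str(code)), ident, attrs


def verify_request(pkt, secret):
    """What the NAD does first: a wrong secret (missing/mismatched dynamic-author entry) fails here,
    and the request is silently dropped rather than NAKed."""
    length = struct.unpack("!H", pkt[2:4])[0]
    expected = hashlib.md5(pkt[:4] + b"\x00" * 16 + pkt[20:length] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])


def verify_response(resp, request_pkt, secret):
    """What ISE does with the ACK/NAK that comes back."""
    length = struct.unpack("!H", resp[2:4])[0]
    expected = hashlib.md5(resp[:4] + request_pkt[4:20] + resp[20:length] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])


def error_cause(resp):
    """Error-Cause from a CoA-NAK, e.g. 503 = Session Context Not Found (stale Acct-Session-Id)."""
    for t, v in parse_radius(resp)[2]:
        if t == ATTR_ERROR_CAUSE:
            return struct.unpack("!I", v)[0]
    return None


# Constructed sample exchange: a reauthenticate CoA for one session, as ISE would send after posture.
SECRET = b"example-shared-secret"
SAMPLE_ATTRS = [
    (ATTR_NAS_IP, bytes([10, 0, 0, 1])),
    (ATTR_ACCT_SESSION_ID, b"0A0000010000002B"),
    (ATTR_CALLING_STATION_ID, b"AA-BB-CC-DD-EE-FF"),
    cisco_avpair("subscriber:command=reauthenticate"),
    cisco_avpair("subscriber:reauthenticate-type=last"),
]
COA_REQUEST = build_coa_request(7, SAMPLE_ATTRS, SECRET)
COA_ACK = build_response(44, COA_REQUEST, [], SECRET)
COA_NAK = build_response(45, COA_REQUEST, [(ATTR_ERROR_CAUSE, struct.pack("!I", 503))], SECRET)

if __name__ == "__main__":
    print(parse_radius(COA_REQUEST)[0], "accepted by NAD:", verify_request(COA_REQUEST, SECRET))
    print("same packet with a wrong secret:", verify_request(COA_REQUEST, b"other-secret"))
    print(parse_radius(COA_NAK)[0], "Error-Cause", error_cause(COA_NAK))
```

To use it against a real capture, take the UDP payload of a packet from `tcpdump udp port 1700` on the NAD side (or the firewall in between) and feed the bytes to `parse_radius` and `verify_request` with the NAD's configured key. A request that verifies but never gets an ACK, or a NAK with Error-Cause 503, points at the NAD side; no request on the wire at all points back at ISE.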
02-26-2024 11:15 AM
Hello,
It's Patch 4. Yes, we have the dynamic author configured. It used to work in 2.7, not in 3.2 anymore.
One of the logs I've seen is that we get a line in live logs for the affected computers that states "Compliant". If I open that log, it states that it's going to send a CoA to update the authorization profile.
But it never does, and I can't see those CoAs in the firewall logs either... I'll check some other machines again tomorrow.
Another issue I've been facing since 3.2 is that periodic re-assessment completely fails ("reassessment failed") when it's triggered automatically by the reassessment period (configured at 1 hour for us). But if we initiate the process manually by ticking/unticking the "block untrusted servers" checkbox, it works perfectly fine.
It's been a real headache to figure out if our Anyconnect version is the issue, or the ISEPostureConfig.xml file that is not correct for 3.2, or something else I'm not thinking of.
02-26-2024 11:23 AM
Reload the PSN and see if the problem is resolved. I had a customer with a very similar issue recently. A reload corrects the issue. They are working with Cisco TAC on a long-term resolution.
02-26-2024 11:36 AM
... that's right, we never tried to reload any PSN. Will do that tomorrow and let you know. Thanks for the idea.
02-28-2024 09:00 AM
Unfortunately, the PSN reboot did not solve the issue and TAC couldn't figure it out either. We'll see how it goes.
02-28-2024 09:25 AM
Give TAC CSCwi38377
03-27-2024 07:27 AM
Hello!
Any update regarding this problem? I'm afraid we are also affected by this issue.
BR
03-27-2024 07:46 AM
Hi,
Unfortunately my Cisco TAC ticket is still open and they have not managed to solve it yet.
The bug mentioned above, which suggested we should reboot our ISE nodes, does not seem to apply to us. I've tried rebooting all of them (PAN/SAN/PSN), no difference.
We do see the CoA being sent on ISE, and I saw it on my firewalls as well, but somehow the wrong profile/authorization policy seems to be selected.
Our workaround is to grant the same dACL regardless of what profile is chosen (UNKNOWN posture or COMPLIANT).
I'll update this post once we finally solve this.
03-28-2024 03:41 AM
Hello!
Thank you for your update!
Meanwhile we have opened a TAC case also and referenced the bugID mentioned above.
If we manage to figure out a permanent workaround or solution I will update you as well.
BR
08-16-2024 12:57 AM
Hello everyone
I have the same issue, did you solve it?
09-02-2024 12:14 AM
Well, the problem was solved but we are not sure what has fixed it.
- The nodes were stopped and restarted separately.
- And the Redirect ACL was changed; it shouldn't have had an effect on the problem, since the posture was initiated either way, only ISE did not interpret the Compliant assessment.
So I don't know... but TAC has closed the ticket without a clear explanation.