Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3197
Views
0
Helpful
6
Replies

Posture fail when admin node is down

Go to solution
Philip Vilhelmsson
Level 1
Level 1

‎06-24-2019 02:52 AM

Hi,

 

I am running ISE 2.6 p1 in a distributed setup with separate Pri admin, Sec admin, Pri monitor, Sec montitor and a few PSN.

I have a wierd issue that then the PSN loose connection to the primary admin node then posture fail. Anyconnect stays on "Checking requirement 1 of 1" for a while and then gives me error "Posture failed due to server issues".

The only requirement I have is to check if the antimalware software is installed or not.

 

According to the documentation from Cisco the admin node should be able to fail without impacting posture. 

I can't figure out why the admin node is required to be online for posture to work. Do you have any idea?

 

Regards

Philip

1 person had this problem
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
howon
Cisco Employee
Cisco Employee
In response to Philip Vilhelmsson

‎06-29-2019 12:26 AM

I suggest creating TAC SR to determine root cause. For that posture policy active PAN should not be needed.

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni

‎06-24-2019 05:32 AM

Are your PANs configured for failover? If they are then if the primary goes down then the secondary should become the primary in X amount of time. If they are not I recommend enabling it and running a test where you basically halt services on PAN1, failover to PAN2, and run the posture test.
You could install and run DART on one of the workstations to gather more descriptive logs locally. Also, on the switch you could run some debugs:
debug aaa coa
debug radius
The default CoA port is udp 1700. Ensure that is not blocked. HTH!
0 Helpful

Go to solution
Philip Vilhelmsson
Level 1
Level 1
In response to Mike.Cifelli

‎06-24-2019 07:29 AM

Hi,

 

I did some tests with failover. During the time of failover Posture does not work, but as son as PAN2 becomes Primary admin then Posture starts working.

If I cut the connection between PSN and both PANs then Posture stops working.

In the switch I can see that user authentication is successfull, but then nothing more happens.

The switch and PSN are on the same VLAN.

I have gathered DART logs, but I am unsure what too look for. At first glance I dont see anything special that can be wrong.

 

 

What I fail to understand is why PSN needs connection to PAN when the only thing I am doing is checking if AVG Antivirus is installed on the computer.

 

Regards

Philip

0 Helpful

Go to solution
howon
Cisco Employee
Cisco Employee
In response to Philip Vilhelmsson

‎06-29-2019 12:26 AM

I suggest creating TAC SR to determine root cause. For that posture policy active PAN should not be needed.

0 Helpful

Go to solution
jont717
Level 1
Level 1

‎03-25-2020 07:17 AM

Any update on this?  My 2.6 patch 5 is doing the exact same thing.  

 

Every get it fixed? 

0 Helpful

Go to solution
bravotom99
Level 1
Level 1

‎02-20-2021 04:48 PM

Did you ever sort this out?  we saw this recently during an upgrade to 2.6.  Opened a TAC case but haven't specifically been told why it posture took a hit yet.

0 Helpful

Go to solution
Marcelo Morais
VIP
VIP
In response to bravotom99

‎02-20-2021 07:07 PM - edited ‎02-20-2021 07:07 PM

Hi @bravotom99 

 are you having Posture's issues when Primary PAN is shutdown, but Posture has no issues when Primary PAN has the Database Server state as running and the Application Server still in the initializing state?

PS.: check ISE's process state with show application status ise.

 

Hope this helps !!!

0 Helpful
Customers Also Viewed These Support Documents