Posture fail when admin node is down

Hi,

I am running ISE 2.6 p1 in a distributed setup with separate Pri admin, Sec admin, Pri monitor, Sec monitor and a few PSN.

I have a weird issue that when the PSN lose connection to the primary admin node then posture fails. AnyConnect stays on "Checking requirement 1 of 1" for a while and then gives me the error "Posture failed due to server issues".

The only requirement I have is to check if the antimalware software is installed or not.

According to the documentation from Cisco the admin node should be able to fail without impacting posture.

I can't figure out why the admin node is required to be online for posture to work. Do you have any idea?

Regards

Philip

Accepted Solutions

I suggest creating a TAC SR to determine the root cause. For that posture policy, an active PAN should not be needed.

6 REPLIES
Mike.Cifelli
VIP Advocate

Are your PANs configured for failover? If they are, then if the primary goes down the secondary should become the primary in X amount of time. If they are not, I recommend enabling it and running a test where you basically halt services on PAN1, fail over to PAN2, and run the posture test.
You could install and run DART on one of the workstations to gather more descriptive logs locally. Also, on the switch you could run some debugs:
debug aaa coa
debug radius
The default CoA port is UDP 1700. Ensure that is not blocked. HTH!

Hi,

I did some tests with failover. During the time of failover posture does not work, but as soon as PAN2 becomes Primary admin then posture starts working.

If I cut the connection between PSN and both PANs then posture stops working.

In the switch I can see that user authentication is successful, but then nothing more happens.

The switch and PSN are on the same VLAN.

I have gathered DART logs, but I am unsure what to look for. At first glance I don't see anything special that can be wrong.

What I fail to understand is why the PSN needs a connection to the PAN when the only thing I am doing is checking if AVG Antivirus is installed on the computer.

Regards

Philip


jont717
Beginner

Any update on this? My 2.6 patch 5 is doing the exact same thing.

Ever get it fixed?

bravotom99
Beginner

Did you ever sort this out? We saw this recently during an upgrade to 2.6. Opened a TAC case but haven't specifically been told why posture took a hit yet.

Hi @bravotom99

Are you having posture issues when the Primary PAN is shut down, but no posture issues when the Primary PAN has the Database Server state as running and the Application Server still in the initializing state?

PS: check ISE's process state with show application status ise.

Hope this helps!
