cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

1722
Views
45
Helpful
12
Replies
kostasthedelegate
Enthusiast

Posture Failure

Hello, 

 

I have a pc that cannot complete posturing. 

It shows the below error

kostasthedelegate_0-1612452702354.png

 

I have tried reinstalling the anyconnect client but it does not change. 

The pc was compliant awhile ago on ISE, but now it fails. 

 

Any ideas?

 

2 ACCEPTED SOLUTIONS

Accepted Solutions

"Failed to load compliance module"

literately means just that -- the ISE Posture module (tile System Scan) is unable to load the library file of ISE Compliance module. It could be not installed properly, corrupted file, OS/security preventing AnyConnect ISE Posture from accessing it.

View solution in original post

VITALII BELYI
Beginner

The new compliance module (4.3.1728.6145) fixed the problem itself!

View solution in original post

12 REPLIES 12
Mike.Cifelli
VIP Advocate

Can you share the following that may better assist the community with troubleshooting:

-Client OS version

-Anyconnect modules versions

-AnyConnect Compliance module version

Things to consider:

Has anything on the host changed between now and when it was working? Is it possible that another piece of software is preventing it from working (AV/AppLocker/FW)?  Check event viewer logs for AnyConnect to see if something sheds some light.  

See here for workflow: ISE Posture Prescriptive Deployment Guide - Cisco Community

HTH!

kostasthedelegate
Enthusiast

Hello @Mike.Cifelli,

 

Thanks for the answer

Client OS version:                                                            Windows 10 Enterprise LTSC 10.0 (17763)

Anyconnect modules versions                                    4.8.03036

AnyConnect Compliance module version               4.8.03036

 

I show the event viewer also but I cannot figure out the output. 

 

Hi @kostasthedelegate 

 the latest AnyConnect Compliance Module is 4.3.1680.6145, please double check the info that you provided (AnyConnect Compliance module version 4.8.03036).

 Please, double check:

1. if the Cisco AnyConnect Secure Mobility ISE Posture Agent is running on the Windows Services !!!

2. the Compliance Module version, on the AnyConnect > click the cog > System Scan > Statistics tab ... check for the Compliance Module Version

 

Hope this helps !!!

joseponceiii
Beginner

I actually have the same error now but in VPN not in Wired. We are testing the latest compliance module 4.3.1680.6145 in our lab environment before rolling this out in production. Odd thing is we only see this error in company issued laptops and we never seen this in non-corporate machines. We're looking into something our BeyondTrust policy. If anyone has seen or any idea about the error would be great help. 


Many thanks,

"Failed to load compliance module"

literately means just that -- the ISE Posture module (tile System Scan) is unable to load the library file of ISE Compliance module. It could be not installed properly, corrupted file, OS/security preventing AnyConnect ISE Posture from accessing it.

View solution in original post

VITALII BELYI
Beginner

I have the same problem after upgrade to the latest compliance module 4.3.1680.6145.

Снимок экрана 2021-02-12 в 13.55.03.png

Hi @VITALII BELYI 

 please take a look at %ProgramFiles%\Cisco\Cisco AnyConnect Secure Mobility Client\opswat for the Compliance Module installation.

 

Hope this helps !!!

Hi Marcelo Almeida De Morais, thank you for your reply!

I looked at path. There are a lot of files and look like everything is good. But the diagnose tool report is below

1.png

 

 

 

kostasthedelegate
Enthusiast

Hello, 

 

I took a DART dump and I see the below on "Cisco AnyConnect ISE Posture Module" folder

 

2021/02/08 06:53:32 [Error] aciseposture Function: hs_file_verify_with_killdate Thread Id: 0x13FC File: c:\temp\build\thehoff\negasonic_mr30.550195061902\negasonic_mr3\posture\ise\libcommon\hs_file_verify_win.c Line: 412 Level: error unable to verify file signature: (C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\acas.dll).
2021/02/08 06:53:32 [Error] aciseposture Function: hs_dl_load_alt Thread Id: 0x13FC File: c:\temp\build\thehoff\negasonic_mr30.550195061902\negasonic_mr3\posture\ise\libcommon\hs_dlhandler.c Line: 232 Level: error file signature invalid, not loading library (C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\acas.dll)..
2021/02/08 06:53:32 [Error] aciseposture Function: COpswat::GetInstance Thread Id: 0x13FC File: c:\temp\build\thehoff\negasonic_mr30.550195061902\negasonic_mr3\posture\ise\libopswat\libopswat.cpp Line: 58 Level: error Failed to create plugin instance. Error: Not Found.
2021/02/08 06:53:32 [Error] aciseposture Function: PostureInfo::GetInstalledProductReport Thread Id: 0x13FC File: c:\temp\build\thehoff\negasonic_mr30.550195061902\negasonic_mr3\posture\ise\libposture\postureinfo.cpp Line: 825 Level: error Failed to load compliance module..

 

So ok it fails to load compliance module, but why?

Mike.Cifelli
VIP Advocate

I would do two things:

-Check the AnyConnect Secure Mobility Client & the ISE Posture module event viewer logs line by line before, during, & after testing.

-Do a complete uninstall of every module, and re-test with latest versions on same client + additional clients for more data points.

Saurabh Dhakate
Cisco Employee

Can you please check if below dlls are present in mentioned locations? 

>acas.dll in C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\

>libwaapi.dll in C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\opswat\

These are OPSWAT dlls which are required for posture assessment. If these dlls aren't present & issue is for specific user, user can try manually reinstalling Compliance Module (CM) locally on the endpoint using pre-deploy build. If these dlls aren't present & issue is for multiple users, please push latest CM to all the enpoints through ISE using web-deploy build. Upgrading the CM though is same as uninstalling old CM version and installing new updated CM. 

 

Regards,

Saurabh

VITALII BELYI
Beginner

The new compliance module (4.3.1728.6145) fixed the problem itself!

View solution in original post

Content for Community-Ad