Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
2767
Views
0
Helpful
4
Replies

Redirection Based Posture

ISEduo
Level 1
Level 1

‎06-13-2020 11:03 AM - edited ‎06-13-2020 11:21 AM

Hi, I am seeing a strange behavior of Anyconnect Posture Module. I am trying to do redirection based Posture scan for my clients and it does not work. For some strange reasons clients says enroll.cisco.com timeout from DART logs. I tested that and I can successfully resolve enroll.cisco.com from the client and access posture portal manually from the client browser. But the Posture modules writes "No Policy Server Detected".

 

It runs with Anyconnect 4.8 and ISE 2.6

 

I activated both ip http and ip http secure on the switch.

 

 

My Redirect ACL on SW:

deny udp any bootpc any eq bootps

deny udp any any domain

deny ip any host PSN1

deny ip any host PSN2

permit tcp any any eq 80

 

(I do not see any matches)

 

 

 

From DART bundle:

 

2020/06/11 14:00:29 [Information] aciseagent Function: SwiftHttpRunner::http_discovery_callback Thread Id: 0x219C File: c:\temp\build\thehoff\negasonic_mr30.297045120452\negasonic_mr3\posture\ise\libswift\swifthttprunner.cpp Line: 385 Level: info Time out for Redirection target 10.10.10.1.
2020/06/11 14:00:29 [Information] aciseagent Function: SwiftHttpRunner::http_discovery_callback Thread Id: 0x219C File: c:\temp\build\thehoff\negasonic_mr30.297045120452\negasonic_mr3\posture\ise\libswift\swifthttprunner.cpp Line: 385 Level: info Time out for Redirection target ::.
2020/06/11 14:00:29 [Information] aciseagent Function: SwiftHttpRunner::http_discovery_callback Thread Id: 0x219C File: c:\temp\build\thehoff\negasonic_mr30.297045120452\negasonic_mr3\posture\ise\libswift\swifthttprunner.cpp Line: 385 Level: info Time out for Redirection target enroll.cisco.com.
2020/06/11 14:00:29 [Warning] aciseagent Function: ConfigData::loadXMLCfgFile Thread Id: 0x219C File: c:\temp\build\thehoff\negasonic_mr30.297045120452\negasonic_mr3\posture\ise\libnaccommon\configdata.cpp Line: 46 Level: warn ISEPostureCFG.xml not found, using defaults.
2020/06/11 14:00:29 [Warning] aciseagent Function: SwiftHttpRunner::addPreviouslyConnectedHeadendsToTargetList Thread Id: 0x219C File: c:\temp\build\thehoff\negasonic_mr30.297045120452\negasonic_mr3\posture\ise\libswift\swifthttprunner.cpp Line: 750 Level: warn No previously connected headends found.
2020/06/11 14:00:29 [Information] aciseagent Function: SwiftHttpRunner::collectMntTargets Thread Id: 0x219C File: c:\temp\build\thehoff\negasonic_mr30.297045120452\negasonic_mr3\posture\ise\libswift\swifthttprunner.cpp Line: 1227 Level: debug Probing MNT stage targets (#1): Ng-Discovery target enroll.cisco.com with path /auth/ng-discovery, .
2020/06/11 14:00:29 [Information] aciseagent Function: SwiftHttpRunner::probeNextMntTarget Thread Id: 0x219C File: c:\temp\build\thehoff\negasonic_mr30.297045120452\negasonic_mr3\posture\ise\libswift\swifthttprunner.cpp Line: 1456 Level: debug Probing Mnt stage Ng-Discovery target enroll.cisco.com with path /auth/ng-discovery.

1 person had this problem
0 Helpful
4 Replies 4

Anurag Sharma
Cisco Employee
Cisco Employee

‎06-13-2020 01:23 PM

Hi @ISEduo ,

Since redirection is not happening on the switch, let's check a couple of things:

  1. Do you have Dynamic-Author configured on the switch?
  2. Are you seeing the end-user's IP address in the output of 'show auth session inter Gi x/y detail' ?
  3. Are you seeing any packets from the end-user's IP address (take packet captures on the PSN)?

If you are able to resolve enroll.cisco.com, that's great. The way it will be used is that when the client sends a HTTP-GET request to enroll.cisco.com, it will be redirected by the switch, to the ISE IP. 

Hope that helps!
Please 'RATE' and 'MARK ACCEPTED', if applicable.
0 Helpful

ISEduo
Level 1
Level 1
In response to Anurag Sharma

‎06-13-2020 01:50 PM

Hi Anurag,

 

See my answers below.

 

  1. Do you have Dynamic-Author configured on the switch? Yes
  2. Are you seeing the end-user's IP address in the output of 'show auth session inter Gi x/y detail' ? Yes, I do. I also see the session ID and URL for the portal.
  3. Are you seeing any packets from the end-user's IP address (take packet captures on the PSN)? I dident test this.

 

Thanks !

0 Helpful

Anurag Sharma
Cisco Employee
Cisco Employee
In response to ISEduo

‎06-13-2020 02:33 PM

Make sure the redirect ACL name is exactly the same as the one on the switch. Any typo, upper/lower-case mismatch can also be a problem.

Hope that helps!
Please 'RATE' and 'MARK ACCEPTED', if applicable.
0 Helpful

ISEduo
Level 1
Level 1
In response to Anurag Sharma

‎06-13-2020 03:20 PM

OK. Seems to be correct on both ends.

 

Are these two lines mandatory for the switch?

 

ip http active-session-modules none
ip http secure-active-session-modules none

0 Helpful
Customers Also Viewed These Support Documents
Top