I am running ISE 2.4 and Firepower FTD 6.4 with the ANC function to quarantine endpoints and that has been working fine, but we recently changed ISE servers and ran into problems. On the Firepower side I have created new certificates and configured the pxGrid services with the new ISE servers, etc. The pxGrid part is working, so I know the communication to the new ISE servers is working. However, when trying to trigger a quarantine event from Firepower, I get the following error message: "ISE was contacted, but it couldn't find a session for the specified IP address". I then tried to manually apply the ANC policy directly from ISE, but I get a "Session lookup Failure" when trying to apply it to the endpoint. I also see this error in the Context Visibility menu: "15039 Rejected per authorization profile". However, I can see the authenticated endpoint in both the switch and in the RADIUS live log, so the authentication part seems to work fine. I have tried to recreate the same ANC policy that we used in our old ISE server, but I guess something is missing. Any ideas on how I can troubleshoot this?
Thanks and regards
Seeing the authenticated session on the switch side and the live logs is really irrelevant for ANC policy application. The key question is: do you see the MAC address in the live session table? That means ISE has a current active session for it and can make ANC policy applications to it. If you don't see the live session there, I would suspect you have AAA accounting messed up on the switch side, or for some reason ISE is not processing accounting correctly. You can look at the RADIUS Accounting report under Endpoints and Users. Filter on the MAC address and confirm start messages are being received.
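As an added illustration (not part of this thread or of any Cisco tool), the rule the answer above relies on, replayed over constructed log lines: a passed authentication alone does not give ISE a session to apply ANC to; only an Accounting Start does. The line format, field names, MAC addresses and IPs below are assumptions made for the example, not ISE's real export format.

```python
import re
from collections import OrderedDict

# Constructed sample records shaped loosely like ISE's RADIUS live log and RADIUS
# Accounting report; the field layout, MACs and IPs are assumptions for this example.
SAMPLE_RECORDS = """\
2024-05-01T09:00:01 RADIUS Authentication Passed mac=00:11:22:33:44:55 ip=10.1.1.10 nas=sw1
2024-05-01T09:00:02 RADIUS Accounting Start mac=00:11:22:33:44:55 ip=10.1.1.10 nas=sw1
2024-05-01T09:05:10 RADIUS Authentication Passed mac=66:77:88:99:AA:BB ip=10.1.1.20 nas=sw1
2024-05-01T09:10:00 RADIUS Authentication Passed mac=CC:DD:EE:FF:00:11 ip=10.1.1.30 nas=sw2
2024-05-01T09:10:01 RADIUS Accounting Start mac=CC:DD:EE:FF:00:11 ip=10.1.1.30 nas=sw2
2024-05-01T09:30:00 RADIUS Accounting Stop mac=CC:DD:EE:FF:00:11 ip=10.1.1.30 nas=sw2
"""

RECORD_RE = re.compile(
    r"^(?P<ts>\S+) RADIUS (?P<kind>Authentication Passed|Accounting Start|Accounting Stop)"
    r" mac=(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) ip=(?P<ip>\S+) nas=(?P<nas>\S+)$"
)

def parse_records(text):
    """Parse the log lines into dicts, skipping any line that does not match."""
    return [m.groupdict() for m in map(RECORD_RE.match, text.splitlines()) if m]

def session_table(records):
    """Replay records into {mac: {ip, nas, state}}. As in ISE's live session table, a
    session is 'active' only after Accounting Start; passed authentication alone
    leaves it 'auth-only', and Accounting Stop marks it 'closed'."""
    table = OrderedDict()
    for r in records:
        mac = r["mac"].upper()
        if r["kind"] == "Authentication Passed":
            table.setdefault(mac, {"ip": r["ip"], "nas": r["nas"], "state": "auth-only"})
        elif r["kind"] == "Accounting Start":
            table[mac] = {"ip": r["ip"], "nas": r["nas"], "state": "active"}
        elif r["kind"] == "Accounting Stop" and mac in table:
            table[mac]["state"] = "closed"
    return table

def anc_lookup(table, ip):
    """'ok' when an active session exists for the IP, else why the lookup fails."""
    for s in table.values():
        if s["ip"] == ip:
            if s["state"] == "active":
                return "ok"
            if s["state"] == "auth-only":
                return "no Accounting Start from %s: check AAA accounting on the switch" % s["nas"]
            return "session closed by Accounting Stop"
    return "no session for this IP"
```

With the constructed records, 10.1.1.20 is the case this thread describes: authentication passed and the endpoint shows on the switch, but with no Accounting Start the lookup reports a missing session and points at the switch's accounting configuration.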
Thanks for the suggestions. I am not at the customer site until tomorrow, but I will check if I can see the MAC address in the live session table. The old ISE servers are still there so I also have the option to point the switch back to them and compare when testing. I will let you know how it goes.