
842 Views | 15 Helpful | 5 Replies
Chess Norris
Beginner

Session lookup failure when applying an ANC Policy

Hi,

I am running ISE 2.4 and Firepower FTD 6.4 with the ANC function to quarantine endpoints, and that has been working fine, but we recently changed ISE servers and ran into problems. On the Firepower side I have created new certificates and configured the pxGrid services with the new ISE servers, etc. The pxGrid part is working, so I know the communication to the new ISE servers is working. However, when trying to trigger a quarantine event from Firepower, I get the following error message: "ISE was contacted, but it couldn't find a session for the specified IP address". I then tried to manually apply the ANC policy directly from ISE, but I get a "Session lookup Failure" when trying to apply it to the endpoint. I also see this error in the Context Visibility menu: "15039 Rejected per authorization profile". However, I can see the authenticated endpoint both on the switch and in the RADIUS live log, so the authentication part seems to work fine. I have tried to recreate the same ANC policy that we used on our old ISE server, but I guess something is missing. Any ideas on how I can troubleshoot this?

Thanks and regards

/Jörgen

Accepted Solution

Paul is correct here. Please verify that you see the endpoint in the session directory and double check that RADIUS accounting is set up correctly. If you continue to run into problems, please reach out to the TAC to troubleshoot further.

Regards,
-Tim

5 Replies
paul
Advocate

Seeing the authenticated session on the switch side and the live logs is really irrelevant for ANC policy application. The key question is: do you see the MAC address in the live session table? That means ISE has a current active session for it and can make ANC policy applications to it. If you don't see the live session there, I would suspect you have AAA accounting messed up on the switch side, or for some reason ISE is not processing accounting correctly. You can look at the RADIUS Accounting report under Endpoints and Users. Filter on the MAC address and confirm start messages are being received.
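Paul's point, that ISE's live session table is built from RADIUS accounting and that ANC can only act on a session that exists there, as an added Python example that is not from this thread, from Cisco ISE, or from FMC: it replays a handful of constructed accounting records (Start / Interim-Update / Stop, in an assumed key=value format, not ISE's real report format) into a toy session directory, then answers the two questions a practitioner asks when ANC reports "session lookup failure": is there a live session for the endpoint's MAC at all, and does that session carry an IP address that a lookup by IP (which is how Firepower asks over pxGrid) can match. The function names and sample MACs/IPs are assumptions made for the example.

```python
"""Toy model of the ISE live session directory, fed from RADIUS accounting.

The records below are constructed for this example. In a real deployment
the equivalent data is what the ISE RADIUS Accounting report shows after
filtering on the endpoint's MAC address.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Session:
    mac: str
    nas_ip: str
    framed_ip: Optional[str] = None  # learned from Framed-IP-Address, if sent


def normalise_mac(raw: str) -> str:
    """Accounting may carry 'AA-BB-CC-DD-EE-FF' or 'aa:bb:cc:dd:ee:ff'."""
    return raw.strip().lower().replace("-", ":")


def parse_record(line: str) -> Dict[str, str]:
    """Parse one 'Key=Value, Key=Value' accounting record into a dict."""
    fields: Dict[str, str] = {}
    for part in line.split(","):
        key, _, value = part.strip().partition("=")
        if key:
            fields[key] = value
    return fields


def build_session_directory(records: List[str]) -> Dict[str, Session]:
    """Replay accounting records; return {mac: Session} of live sessions only."""
    directory: Dict[str, Session] = {}
    for line in records:
        rec = parse_record(line)
        status = rec.get("Acct-Status-Type")
        mac = normalise_mac(rec.get("Calling-Station-Id", ""))
        if not status or not mac:
            continue  # malformed record: nothing to apply
        if status == "Start":
            # A Start creates the live session; ANC cannot act before this.
            directory[mac] = Session(mac, rec.get("NAS-IP-Address", ""),
                                     rec.get("Framed-IP-Address"))
        elif status == "Interim-Update" and mac in directory:
            # Interim updates are where the IP usually arrives if Start lacked it.
            if rec.get("Framed-IP-Address"):
                directory[mac].framed_ip = rec["Framed-IP-Address"]
        elif status == "Stop":
            # A Stop removes the session, so a later ANC apply has no target.
            directory.pop(mac, None)
    return directory


def find_session_by_ip(directory: Dict[str, Session], ip: str) -> Optional[Session]:
    """The lookup FMC effectively triggers: match a live session on its IP."""
    return next((s for s in directory.values() if s.framed_ip == ip), None)


def diagnose_anc_failure(directory: Dict[str, Session], ip: str, mac: str) -> str:
    """Explain why an ANC apply by IP would fail for an endpoint whose MAC we know."""
    if find_session_by_ip(directory, ip):
        return "ok"
    sess = directory.get(normalise_mac(mac))
    if sess is None:
        return "no live session: check that accounting Start messages reach ISE"
    if sess.framed_ip is None:
        return "session has no IP: Framed-IP-Address never received in accounting"
    return f"session IP is {sess.framed_ip}, not {ip}"


# Constructed sample records (not real ISE output).
SAMPLE_RECORDS = [
    "Acct-Status-Type=Start, Calling-Station-Id=00-11-22-33-44-55, "
    "NAS-IP-Address=10.0.0.1, Framed-IP-Address=10.1.1.20",
    "Acct-Status-Type=Start, Calling-Station-Id=AA-BB-CC-DD-EE-FF, "
    "NAS-IP-Address=10.0.0.1",  # Start without an IP, and no interim follows
    "Acct-Status-Type=Start, Calling-Station-Id=11:22:33:44:55:66, "
    "NAS-IP-Address=10.0.0.2, Framed-IP-Address=10.1.1.40",
    "Acct-Status-Type=Interim-Update, Calling-Station-Id=00-11-22-33-44-55, "
    "NAS-IP-Address=10.0.0.1, Framed-IP-Address=10.1.1.20",
    "Acct-Status-Type=Stop, Calling-Station-Id=11:22:33:44:55:66, "
    "NAS-IP-Address=10.0.0.2",  # session ended before anyone tried ANC
]

if __name__ == "__main__":
    live = build_session_directory(SAMPLE_RECORDS)
    for ip, mac in [("10.1.1.20", "00:11:22:33:44:55"),
                    ("10.1.1.30", "AA-BB-CC-DD-EE-FF"),
                    ("10.1.1.40", "11:22:33:44:55:66")]:
        print(f"{mac} / {ip}: {diagnose_anc_failure(live, ip, mac)}")
```

The three sample endpoints cover the three outcomes worth distinguishing: a session with an IP (ANC works), a session that exists but never reported an IP (the MAC shows in the live session table, yet a lookup by IP still fails), and a session that was torn down by a Stop (no live session at all). Which of these applies is exactly what the RADIUS Accounting report filtered on the MAC tells you.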


Thanks for the suggestions. I am not at the customer site until tomorrow, but I will check if I can see the MAC address in the live session table. The old ISE servers are still there so I also have the option to point the switch back to them and compare when testing. I will let you know how it goes.

Just a quick update. I can see the MAC address under the live session log, and I am also able to do CoA actions on the endpoint. It's only the ANC policy that fails with the "session lookup failure" (see screenshots).

Richard Lu
Beginner

Hello Jörgen,

We are experiencing the same problem. Do you mind sharing how you fixed it?
