Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2738
Views
15
Helpful
5
Replies

Session lookup failure when applying an ANC Policy

Go to solution
Chess Norris
Level 4
Level 4

‎07-09-2019 05:29 AM - edited ‎07-09-2019 05:33 AM

Hi,

 

I am running ISE 2.4 and Firepower FTD 6.4 with the ANC function to quarantine endpoints and that has been working fine, but we recently changed ISE servers and run into problems. On the Firepower side I have created new certificates and configured the pxGrid services with the new ISE servers, etc. The pxGrid part is working so I know the communication to the new ISE servers are working.  However when trying to trigger a quarantine event from Firepower, I get the following  error message   "ISE was contacted, but it couldn't find a session for the specified IP address" I then tried to manually apply the ANC policy directly from ISE, but I get a "Session lookup Failure" when trying to apply it to the endpoint. I also see this error in the Context visibility menu - "15039 Rejected per authorization profile".  However, I can see the the authenticated endpoint in both the switch and in the radius live log, so the authentication part seams to work fine. I have tried to recreate the same ANC policy that we used in our old ISE server, but I guess something is missing. Any ideas on how I can troubleshoot this?

 

Thanks and regards

/Jörgen

2 people had this problem
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Timothy Abbott
Cisco Employee
Cisco Employee
In response to paul

‎07-10-2019 08:44 AM

Paul is correct here. Please verify that you see the endpoint in the session directory and double check that RADIUS accounting is set up correctly. If you continue to run into problems, please reach out to the TAC to troubleshoot further.

Regards,
-Tim

View solution in original post

5 Replies 5

Go to solution
paul
Level 10
Level 10

‎07-10-2019 06:31 AM

Seeing the authenticated session on the switch side and the live logs is really irrelevant for ANC policy application.  The key question is do you see the MAC address in the live session table?   That means ISE has a current active session for it and can make ANC policy applications to it.  If you don't see the live session there I would suspect you have AAA accounting messed up on the switch side or for some reason ISE is not processing accounting correctly.  You can look at the RADIUS Accounting report under Endpoints and Users.  Filter on the MAC address and confirm start messages are being received.

Go to solution
Timothy Abbott
Cisco Employee
Cisco Employee
In response to paul

‎07-10-2019 08:44 AM

Paul is correct here. Please verify that you see the endpoint in the session directory and double check that RADIUS accounting is set up correctly. If you continue to run into problems, please reach out to the TAC to troubleshoot further.

Regards,
-Tim

Go to solution
Chess Norris
Level 4
Level 4
In response to paul

‎07-10-2019 09:15 AM

Thanks for the suggestions. I am not at the customer site until tomorrow, but I will check if I can see the MAC address in the live session table. The old ISE servers are still there so I also have the option to point the switch back to them and compare when testing. I will let you know how it goes.

0 Helpful

Go to solution
Chess Norris
Level 4
Level 4
In response to Chess Norris

‎07-11-2019 12:25 AM

Just a quick update. I can see the MAC address under the live session log and I am also able to do CoA actions on the endpoint. It's only the ANC policy that fails with the "session lookup failure"  (See screenshots) 

Preview file
26 KB
Preview file
65 KB
0 Helpful

Go to solution
Richard Lu
Level 1
Level 1

‎04-01-2021 07:53 AM

Hello Jorgen

We are experiencing same problem. Do you mind sharing how do you fix it?

0 Helpful
Customers Also Viewed These Support Documents