

Unable to get session from session cache


I have a working distributed deployment, and only one user ran into this problem today when rebooting his PC. The user and machine were authenticated successfully, but ISE remained in the POSTURE-REMEDIATION state, with the NAC Agent running but not appearing. It has connectivity with the PSN, but the SWISS packets (UDP 8905) are being sent to the gateway as destination instead of to the PSN IP address. The PSN's IP address also resides in the DiscoveryHost tag of NACAgentCFG.xml, so the client should know where to go.

  This is the failure reason:

[Embedded image 1: screenshot of the failure reason]

Any help?



First you should ensure that the discovery host address on the Cisco NAC agent is pointing to the Cisco ISE FQDN. (Right-click the NAC agent icon, choose Properties, and check the discovery host.) Also check that the access switch allows Swiss communication between Cisco ISE and the end client machine.

Limited access ACL applied for the session should allow Swiss ports:

remark Allow DHCP
permit udp any eq bootpc any eq bootps
remark Allow DNS
permit udp any any eq domain
remark ping
permit icmp any any
permit tcp any host eq 443 --> for URL redirect
permit tcp any host eq www --> provides access to the internet
permit tcp any host eq 8443 --> for guest portal port
permit tcp any host eq 8905 --> for posture communication between NAC agent and ISE (Swiss ports)
permit udp any host eq 8905 --> for posture communication between NAC agent and ISE (Swiss ports)
deny ip any any

After doing this, if the agent login dialog still does not appear, it could be a certificate issue. Please check that the certificate that is used for Swiss communication on the end client is in the Cisco ISE certificate trusted list. Also check that the default gateway is reachable from the client machine.
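The two checks in the answer above (the DiscoveryHost in NACAgentCFG.xml, and whether the limited-access ACL actually permits the Swiss ports to that PSN) can be scripted so they are verified the same way on every affected client. The script below is an added example, not Cisco's code or anything posted in this thread. The PSN address 10.10.10.10, the ACL text and the `<cfg>` root around the DiscoveryHost tag are constructed for the example, and the ACL parser handles only the IOS extended-ACL forms that appear in the answer (`any`, `host X`, `X WILDCARD`, `eq PORT`), evaluated top-down with the implicit deny at the end.

```python
# Added example: check DiscoveryHost and Swiss-port ACL coverage (not Cisco's code).
import xml.etree.ElementTree as ET

# (proto, port) pairs the answer lists as needed between the client and ISE.
REQUIRED_TO_PSN = [
    ("tcp", "443"),   # URL redirect
    ("tcp", "8443"),  # guest / client-provisioning portal
    ("tcp", "8905"),  # Swiss (posture) over TCP
    ("udp", "8905"),  # Swiss (posture) over UDP
]

# IOS port keywords used in the ACL on the page, mapped to numbers.
PORT_NAMES = {"www": "80", "domain": "53", "bootps": "67", "bootpc": "68"}


def _take_addr(tokens, i):
    """Consume one IOS address spec at tokens[i]: 'any', 'host X' or 'X WILDCARD'."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    return tokens[i], i + 2  # network plus wildcard mask; keep the network


def _take_port(tokens, i):
    """Consume an optional 'eq PORT' at tokens[i]; None means all ports."""
    if i < len(tokens) and tokens[i] == "eq":
        return PORT_NAMES.get(tokens[i + 1], tokens[i + 1]), i + 2
    return None, i


def parse_ace(line):
    """Parse one extended-ACL entry; remarks and malformed lines give None."""
    tokens = line.split("-->")[0].split()  # the '-->' notes on the page are not IOS syntax
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
        return None
    try:
        src, i = _take_addr(tokens, 2)
        _sport, i = _take_port(tokens, i)
        dst, i = _take_addr(tokens, i)
        dport, _ = _take_port(tokens, i)
    except IndexError:
        return None
    return {"action": tokens[0], "proto": tokens[1], "src": src, "dst": dst, "dport": dport}


def first_match(aces, proto, port, dst_ip):
    """First ACE matching PROTO traffic to DST_IP:PORT (IOS evaluates top-down)."""
    for ace in aces:
        if (ace["proto"] in (proto, "ip")
                and ace["dst"] in ("any", dst_ip)
                and ace["dport"] in (None, port)):
            return ace
    return None  # implicit deny at the end of every IOS ACL


def missing_swiss_rules(acl_text, psn_ip):
    """Required (proto, port) pairs that the ACL does not permit to the PSN."""
    aces = [a for a in map(parse_ace, acl_text.splitlines()) if a]
    missing = []
    for proto, port in REQUIRED_TO_PSN:
        hit = first_match(aces, proto, port, psn_ip)
        if hit is None or hit["action"] == "deny":
            missing.append((proto, port))
    return missing


def discovery_host(xml_text):
    """DiscoveryHost value from NACAgentCFG.xml content (tag from the post; layout assumed)."""
    node = next(ET.fromstring(xml_text).iter("DiscoveryHost"), None)
    return node.text.strip() if node is not None and node.text else None


# Constructed NACAgentCFG.xml fragment; the <cfg> root element is an assumption.
SAMPLE_CFG_XML = """<?xml version="1.0" encoding="UTF-8"?>
<cfg>
  <DiscoveryHost>10.10.10.10</DiscoveryHost>
</cfg>
"""

# Constructed limited-access ACL with the PSN address filled in (10.10.10.10 is made up).
GOOD_ACL = """
remark Allow DHCP
permit udp any eq bootpc any eq bootps
remark Allow DNS
permit udp any any eq domain
remark ping
permit icmp any any
permit tcp any host 10.10.10.10 eq 443 --> URL redirect
permit tcp any host 10.10.10.10 eq www
permit tcp any host 10.10.10.10 eq 8443
permit tcp any host 10.10.10.10 eq 8905
permit udp any host 10.10.10.10 eq 8905
deny ip any any
"""

# Same ACL with the UDP 8905 entry left out: the agent's UDP Swiss packets hit the deny.
BAD_ACL = GOOD_ACL.replace("permit udp any host 10.10.10.10 eq 8905\n", "")

if __name__ == "__main__":
    psn = discovery_host(SAMPLE_CFG_XML)
    print("DiscoveryHost:", psn)
    for name, acl in (("good", GOOD_ACL), ("bad", BAD_ACL)):
        print(name, "ACL missing:", missing_swiss_rules(acl, psn))
```

Feed `missing_swiss_rules` the ACL as shown by `show ip access-lists` (or the dACL body from ISE) together with the host the agent resolved from DiscoveryHost; an empty list means every Swiss and portal port reaches the PSN, while a deny placed above the permits shows up as all four pairs missing, which is the ordering mistake this check is meant to catch.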


All of these conditions are fine, since the rest of the users of the deployment are working without problems.
