cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1485
Views
1
Helpful
2
Replies

ASA CoA problem with ISE

DAVIES604
Level 1
Level 1

Hi All,

 

 Apologies if this is in the wrong area, but it covers a few.

 

I'm setting up RA VPN using Anyconnect client 4.6, ASA headends are 5545's running 9.9. I am also integrating ISE 2.4.
The clients currently authenticate via certificate on the ASA, then with AD credentials via ISE, this all seems to work nicely. The problem comes when I try to set up posturing/compliance, I can get the posturing module to find the policy server, and redirect url for provisioning works, and also DACL is enforced whilst client is in an 'unknown compliance' authorisation profile. However when the client finishes successful compliancy scan and sends result to ISE, the ISE then sends a CoA request to the ASA for that particular session, as expected, but the ASA logs 'CoA (Action type 43) from 'ISE server ip' failed for user 'username', with session ID 'session id'. Action not supported.

 

 Wireshark shows it sending AVP subscriber:command=reauthentcicate, and coa-push+true amongst others.

 

 The Cisco docs say the log means the packet is correctly formed but the action is unsupported, I'm using the default Cisco device profile on ISE with CoA settings. If I send a CoA terminate session request from ISE, it is successful.

 

 I'm struggling to find any similar problem online and I don't have much experience with CoA, so I'm thinking I've maybe set something up wrong.

 

 Anyone got any ideas? Would be greatly appreciated.

2 Replies 2

networksi08690
Level 1
Level 1
109104 error : CoA failed, Action not supported

usually occurs because that RADIUS server is in FAILED state in (another) AAA group on the ASA.

check show aaa-servers output

@networksi08690 the original post is 6 years old. I would hope they figured it out by now.

Review Cisco Networking for a $25 gift card