ISE CoA with ASA action not supported

DAVIES604
Level 1

Hi All,

Apologies if this is in the wrong area, but it covers a few.

I'm setting up RA VPN using AnyConnect client 4.6. The ASA headends are 5545s running 9.9. I am also integrating ISE 2.4.
The clients currently authenticate via certificate on the ASA, then with AD credentials via ISE; this all seems to work nicely. The problem comes when I try to set up posturing/compliance. I can get the posturing module to find the policy server, the redirect URL for provisioning works, and the DACL is enforced whilst the client is in an 'unknown compliance' authorisation profile. However, when the client finishes a successful compliancy scan and sends the result to ISE, ISE then sends a CoA request to the ASA for that particular session, as expected, but the ASA logs 'CoA (Action type 43) from 'ISE server ip' failed for user 'username', with session ID 'session id'. Action not supported.'

Wireshark shows it sending AVP subscriber:command=reauthenticate, and coa-push=true amongst others.

The Cisco docs say the log means the packet is correctly formed but the action is unsupported. I'm using the default Cisco device profile on ISE with CoA settings. If I send a CoA terminate session request from ISE, it is successful.

I'm struggling to find any similar problem online and I don't have much experience with CoA, so I'm thinking I've maybe set something up wrong.

Anyone got any ideas? Would be greatly appreciated.

15 Replies

Peter Koltl
Level 7
109104 error: CoA failed, Action not supported

usually occurs because that RADIUS server is in FAILED state in (another) AAA group on the ASA.

Check show aaa-servers output.
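
The check suggested in this reply, as an added example (not part of the thread and not Cisco code): a Python parser for pasted show aaa-servers output that lists every RADIUS server marked FAILED in any AAA group, together with its state in each group where it is defined. The sample text is constructed, and its field labels, group names and addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, not captured from a device. Field labels are assumed to
# follow the usual "show aaa-servers" layout; groups and addresses are made up.
SAMPLE = """\
Server Group:    ISE-VPN
Server Protocol: radius
Server Address:  192.0.2.10
Server status:   ACTIVE, Last transaction at 10:14:02 UTC Tue Jan 8 2019

Server Group:    ISE-MGMT
Server Protocol: radius
Server Address:  192.0.2.10
Server status:   FAILED, Server disabled at 09:58:41 UTC Tue Jan 8 2019

Server Group:    AD-LDAP
Server Protocol: ldap
Server Address:  192.0.2.20
Server status:   ACTIVE, Last transaction at 10:13:55 UTC Tue Jan 8 2019
"""

FIELD = re.compile(r"^Server (Group|Protocol|Address|status):\s*(.+?)\s*$", re.I)

def parse_aaa_servers(text):
    """Return one dict per server entry: group, protocol, address, status."""
    entries, cur = [], None
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "group":          # a "Server Group" line starts a new entry
            cur = {"group": value}
            entries.append(cur)
        elif cur is not None:       # status keeps only the state word (ACTIVE/FAILED)
            cur[key] = value.split(",")[0].upper() if key == "status" else value
    return entries

def failed_radius(entries):
    """Map each RADIUS address that is FAILED in any group to {group: status}."""
    by_addr = defaultdict(dict)
    for e in entries:
        if e.get("protocol", "").lower() == "radius" and "address" in e:
            by_addr[e["address"]][e["group"]] = e.get("status", "UNKNOWN")
    return {a: g for a, g in by_addr.items() if "FAILED" in g.values()}

if __name__ == "__main__":
    print(failed_radius(parse_aaa_servers(SAMPLE)))
```

A server that shows ACTIVE in the VPN group and FAILED in a second group is the case the reply describes.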