AnyConnect VPN client showing compliant, but not in ISE

nikhilcherian
Level 5

In my setup, I have ASA Version 9.6(4)8 & ISE 2.2 patch 8. When I try VPN posturing, I see the following:

  1. Client connects to the VPN.
  2. Client goes through the auth (I have created internal users for VPN).
  3. Client is moved to the posture-unknown state.
  4. ISE pushes the ISEPostureCFG.xml to the client.
  5. I have configured an "any AV installed" check and an "any AV updated" check.
  6. If my AV is not updated, I get the warning.
  7. If there is no compliance module on the laptop, ISE pushes the posture module.
  8. My Windows client validates the posture conditions.
  9. AnyConnect shows posture compliant.
  10. However, in ISE the client is still stuck in the posture-compliant state, and the client keeps redirecting to ISE if I open a browser.
  11. I am using anyconnect-4.5.04029.
  12. I have enabled dynamic authorization on the ASA, and I can see "coa-push=true" in the Cisco AV pair in ISE.
  13. On the ASA, the client is still seen with the REDIRECT ACL.

How can I troubleshoot the issue?

Thanks

Nikhil

5 Replies

balaji.bandi
Hall of Fame

There are good examples and step-by-step guides available here:

https://www.cisco.com/c/en/us/support/security/identity-services-engine-2-2/model.html#ConfigurationExamplesandTechNotes

Maybe you have already looked at them (if so, ignore this).

There is a good posture-check guide with step-by-step logs to verify.


BB


RichardAtkin
Level 3
You say the Client is still stuck doing Posture in ISE, even after the Client passes the checks?

Does ISE receive a posture report from the client? I would guess not. Can you check your ACLs / FW rules to ensure you have all the ports and protocols open?

Timothy Abbott
Cisco Employee
Verify the endpoint is matching the proper authorization rule after CoA is sent to the ASA. It could be that the endpoint is matching a provisioning rule instead of a compliant rule. If not, I suggest opening a TAC case to troubleshoot further.

Regards,
-Tim

misinsuan2229
Level 1

Was this resolved? I am also getting similar issues on random VPN clients that have an ISE posture requirement. This issue is intermittent on our side, and not all clients are getting the issue.

Hi Team,

I have also faced the same issues with posturing. From my experience, please check the below:

* Check that the RADIUS request and the posture request are arriving at the same PSN.

* Check CoA between ISE and the ASA.

* Check whether port 8443 is open from the client to ISE.

* Check that enroll.cisco.com resolves from the ASA.

For your reference : https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/117693-configure-ASA-00.html
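Added example, not from the thread or from Cisco: a small script that runs the client-side items of the checklist above (enroll.cisco.com must resolve; each ISE PSN must resolve and accept TCP 8443) and reports what failed. The PSN names are placeholders; the CoA and same-PSN checks have to be done on the ASA and ISE and are not covered here.

```python
import socket
from typing import Callable, Dict, List, Optional

# The network calls are injectable so the logic can be exercised offline.
Resolver = Callable[[str], Optional[str]]        # name -> IP, or None on failure
Connector = Callable[[str, int, float], bool]    # ip, port, timeout -> handshake ok

def tcp_connect(ip: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to ip:port completes within timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def resolve_name(name: str) -> Optional[str]:
    """Resolve name to an IPv4 address; None on DNS failure."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None

def check_host(name: str, port: Optional[int], resolve: Resolver = resolve_name,
               connect: Connector = tcp_connect) -> Dict[str, object]:
    """Resolve name; if a port is given, also test TCP reachability of the address."""
    ip = resolve(name)
    finding = {"ip": ip, "resolved": ip is not None, "reachable": None}
    if ip is not None and port is not None:
        finding["reachable"] = connect(ip, port, 3.0)
    return finding

def run_posture_checks(psns: List[str], resolve: Resolver = resolve_name,
                       connect: Connector = tcp_connect) -> Dict[str, Dict[str, object]]:
    """enroll.cisco.com must resolve; every PSN must resolve and accept TCP 8443."""
    findings = {"enroll.cisco.com": check_host("enroll.cisco.com", None, resolve, connect)}
    for psn in psns:                      # psn values are placeholder FQDNs
        findings[psn] = check_host(psn, 8443, resolve, connect)
    return findings

def problems(findings: Dict[str, Dict[str, object]]) -> List[str]:
    """Human-readable failures; an empty list means every check passed."""
    out = []
    for name, f in findings.items():
        if not f["resolved"]:
            out.append(f"{name}: DNS resolution failed")
        elif f["reachable"] is False:
            out.append(f"{name}: TCP 8443 to {f['ip']} blocked or not listening")
    return out
```

Run `problems(run_posture_checks(["psn1.example.com"]))` from an affected client with your own PSN FQDNs; an empty list means DNS and port 8443 are not the cause.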