ISE WebAgent not able to download with error Failed to download Cisco Agent ( Status = -2) !

Hi

We are able to get to the WebAgent download page, and while downloading the WebAgent we get the error below:

Failed to download Cisco Agent ( Status = -2) !

We tried with many laptops and get the same error on all of them while downloading the WebAgent.

We also verified that the latest Java and ActiveX components are available on every laptop we used for downloading the WebAgent.

Attached is a screenshot of the WebAgent download process.

The DACL Posture_Remediation used is as below:

permit udp any any eq domain

icmp any any

permit tcp any host <PSN IP Address> eq 8443

permit tcp any any eq 80

permit tcp any any eq 443

permit tcp any host <PSN IP Address> eq 8905

permit tcp any host <PSN IP Address> eq 8909

permit udp any host <PSN IP Address> eq 8905

permit udp any host <PSN IP Address> eq 8906

permit tcp any host < Remediation Server> eq 80

Even when we add permit ip any host <PSN IP Address> as the last ACL rule in the DACL, we still get the same error while downloading.

Did anyone face the same issue? How was it resolved?

Cisco Employee

This is seen when the required traffic is not allowed on the ACL.

ISE 1.1.1 added ports 8909 TCP and UDP for client download so we needed to add this into the Posture ACL.

permit tcp any any eq 8909

permit udp any any eq 8909

If you have clients with proxy failing to get the redirection then you should add 8080 to the switch.

ip http port 8080

ip port-map http port 8080

On the redirect ACL

permit tcp any any eq www

permit tcp any any eq 443

permit tcp any any eq 8080

I see you've already tried with permit ip any host

~Jatin Katyal
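
Added example, not part of the thread and not Cisco tooling: a small Python check that parses a DACL written in the simple form used above, flags lines that have no permit/deny keyword, and reports which of the client-download ports named in the reply (TCP and UDP 8909) are not permitted toward the PSN. The addresses 192.0.2.10 (PSN) and 192.0.2.20 (remediation server) are constructed placeholders, and the function names are hypothetical.

```python
import re

# Ports the reply names for client download on ISE 1.1.1 (taken from the thread).
REQUIRED = [("tcp", 8909), ("udp", 8909)]
NAMED_PORTS = {"www": 80, "domain": 53}  # IOS port keywords used in the thread
PSN = "192.0.2.10"  # constructed placeholder for <PSN IP Address>
ACE = re.compile(r"^(permit|deny)\s+(\S+)\s+any\s+(any|host\s+\S+)(?:\s+eq\s+(\S+))?$")

# Constructed sample: the DACL as posted, with placeholder addresses filled in.
POSTED = """\
permit udp any any eq domain
icmp any any
permit tcp any host 192.0.2.10 eq 8443
permit tcp any any eq 80
permit tcp any any eq 443
permit tcp any host 192.0.2.10 eq 8905
permit tcp any host 192.0.2.10 eq 8909
permit udp any host 192.0.2.10 eq 8905
permit udp any host 192.0.2.10 eq 8906
permit tcp any host 192.0.2.20 eq 80
"""

def parse_dacl(text):
    """Parse the 'any -> any|host X' form seen in the thread (assumption)."""
    entries, malformed = [], []
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        m = ACE.match(line)
        port = NAMED_PORTS.get(m.group(4), m.group(4)) if m else None
        if not m or (port is not None and not str(port).isdigit()):
            malformed.append(line)  # no permit/deny keyword, or unknown port name
            continue
        entries.append((m[1], m[2], m[3].split()[-1], port and int(port)))
    return entries, malformed  # entries are (action, proto, dst, port)

def missing_ports(entries, psn=PSN):
    """Required (proto, port) pairs not permitted toward psn; first match wins."""
    missing = []
    for proto, port in REQUIRED:
        verdict = "deny"  # implicit deny when no entry matches
        for action, e_proto, dst, e_port in entries:
            if e_proto in (proto, "ip") and dst in ("any", psn) and e_port in (None, port):
                verdict = action
                break
        if verdict != "permit":
            missing.append((proto, port))
    return missing

entries, malformed = parse_dacl(POSTED)
print("malformed:", malformed, "| not permitted to PSN:", missing_ports(entries))
```

For the sample above it reports `icmp any any` as malformed and UDP 8909 toward the PSN as not permitted.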