Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
705
Views
0
Helpful
2
Replies

Unable to get session from session cache

Francisco de Asis Gomez Marin
Level 1
Level 1

‎04-08-2013 09:03 AM - edited ‎03-10-2019 08:17 PM

Hi,

  I have a working distributed deployment and only one user got into this problem today when rebooting his PC. The user and machine were authenticated successfully but the ISE remain the state on the POSTURE-REMEDIATION, with the NAC Agent running but not appearing. It has connectivity with the PSN but the SWISS packets (UDP 8905) are being sent to the gateway as destination instead of to the PSN IP address. The PSNs IP address also resides in the DiscoveryHost tag of NACAgentCFG.xml so the client should know where to go.

  This is the failure reason:

Imágenes integradas 1

Any help?

Regards,

Labels:
0 Helpful
2 Replies 2

bhthapa
Level 1
Level 1

‎04-09-2013 08:31 AM

First you should ensure that the discovery host address on the  Cisco NAC  agent is pointing to the Cisco ISE FQDN. (Right-click the NAC  agent  icon, chooses Properties, and checks the discovery host.) Also  check  that the access switch allows Swiss communication between Cisco  ISE and  the end client machine.

Limited access ACL applied for the session should allow Swiss ports:

remark Allow DHCP

permit udp any eq bootpc any eq bootps

remark Allow DNS

permit udp any any eq domain

remark ping

permit icmp any any

permit tcp any host 80.0.80.2 eq 443 --> for URL redirect

permit tcp any host 80.0.80.2 eq www --> Provides access to internet

permit tcp any host 80.0.80.2 eq 8443 --> for guest portal port

permit tcp any host 80.0.80.2 eq 8905 --> for posture communication   between NAC agent and ISE (Swiss ports)

permit udp any host 80.0.80.2 eq 8905 -->for posture communication   between NAC agent and ISE (Swiss ports)

deny ip any any

After doing this if the agent login dialog still does not appear, it   could be a certificate issue. Please check t the certificate that is   used for Swiss communication on the end client is in the Cisco ISE   certificate trusted list. Also check that the default gateway is   reachable from the client machine.

0 Helpful

Francisco de Asis Gomez Marin
Level 1
Level 1
In response to bhthapa

‎04-09-2013 08:48 AM

All of this conditions are fine since the rest of the users of the deployment are working without problems.

0 Helpful
Customers Also Viewed These Support Documents