@John Bautista so on one side the encaps counters are increasing; are the decaps counters increasing on the other side? Provide the output of "show crypto ipsec sa" from both sides for comparison.
Is this static route correct? route Site_B 192.100.0.0 2...
@CCC3 only replacing the admin certificate requires the ISE application services to restart. Renewing the EAP authentication certificate will not require downtime.
@alliasneo1
What about the voice-domain permission pushed down to the NAD?
Your dot1x tx-period is not excessively long, so I would not expect the endpoint to time out waiting for a DHCP request. I've a customer also with Mitel phones and tx-per...
@Sonflaa Cisco recently released this guide to harden Remote Access VPN: https://www.cisco.com/c/en/us/support/docs/security/secure-client/221880-implement-hardening-measures-for-secure.html#toc-hId-1707182889
@alliasneo1 when the switch is in closed mode, is the phone actually successfully authenticated and authorised in ISE?
Are you pushing down the voice domain permission as well? https://www.ciscopress.com/articles/article.asp?p=2091952&seqNum=4