We have a two Interface distributed deployment for ISE 2.4 patch 9. (Two Sites: 1 PAN, 2 PSNs, 1 Mnt per site)
In this deployment we are using two interfaces per PSN:
Gig0 is for management traffic only and for the registration between PAN and PSNs. (On the PSN we have a static routes pointing to the mgmt. gateway for the subnets that we are using to mange the PSNs for ssh and https). --> Interface name== FQDN == saryd2-isesrv-psn01.Customer.com
Gig1 is used for all related radius and posture traffic. (Radius, URL Redirection, and posture assessment) (we have a default route pointing to the Radius interface gateway for the rest of the subnets “which are the NAD subnets and the endpoints subnets). --> Interface name = saryd2-isesrv-psn01-gig1.Customer.com
Now we are expecting that the traffic from the Endpoints will communicate with ISE only on the Radius interface (we are not expecting any traffic will be destined to the PSN management interface from the Endpoint subnets).
All use cases which are using the AnyConnect Agent (Wired, Wireless, and VPN) doesn’t have any issues.
The issue is with the Use cases in which are using the temporal agent for both wired and wireless. (for posture assessment traffic only)
Below is the process flow for the Temporal Agent and the step that has the issue:
Connecting the laptop to wired or wireless network --> success.
Redirection web-page is displayed using the Radius interface host-name in the URL --> success.
We are able to download the Temporal Agent --> Success.
When we run the Temporal agent we receive the issue “Not able to reach the policy server” --> Failed.
After checking the logs that have been provided by the Temporal agent (Diagnostics logs), we found that the Temporal agent is discovering the PSN using its FQDN (Hostname+Domain name) which resolves by the Gig0 IP Address (management IP address) --> which is not reachable from the Endpoints subnets.
++++++++++++++++Temporal Agent debug files from the Endpoint machine+++++++++++
Line: 339 Level: info :ISE Discovery attributes - FQDN(saryd2-isesrv-psn01.Customer.com), Port(8443), Session ID(d-FWQ7uMREO4rZ8wNw3R8Q)
Line: 250 Level: debug :GET request to URL (https://saryd2-isesrv-psn01.Customer.com:8443/auth/ac-provisioning?portal-session-id=d-FWQ7uMREO4rZ8wNw3R8Q), returned status -1 <Operation Failed.>
Line: 201 Level: debug :Status of Provisioning target saryd2-isesrv-psn01.Customer.com with sessionID (d-FWQ7uMREO4rZ8wNw3R8Q) and port (8443) is 6 <Not Reachable.>
Line: 160 Level: error :Invalid server (or) Server not found
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
We were expecting is that the Temporal agent will discover the PSN using its Radius interface IP address, It seems that this is the default behaviour for the temporal agent.
do we have any way to enforce the Temporal Agent to discover the PSN using its radius interface?
Thanks for your support.
... View more
