Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1126
Views
1
Helpful
4
Replies

ISE Posture client error -- This client version is old and not compatible

aravikumar
Level 1
Level 1

‎05-25-2018 02:40 PM

Hello all,

I was wondering if anybody could provide some guidance regarding this scenario.  We have deployed ISE 2.4 and we're trying to use Posture.  However, when using AnyConnect client 4.6.00362 with ISE compliance module 4.2.1538.0 on a Windows 10 client, we get the error that says "This client version is old and not compatible.  Please install the new version."

We also performed a test with Anyconnect 4.5.5030.0, as well as compliance module 4.2.1477.0 and any combination of the four elements, and they all yield the same error.

When we used compliance module 3.6.11161.2, Posture scans worked and the endpoint connected to the network as expected.

We also did one final test with ISE 2.3, and ANY COMBINATION of the two compliance modules and anyconnect clients yielded the desired result and the endpoint was able to connect to the network.

Could anyone provide any troubleshooting steps or has anyone encountered this issue that can share their experience with us?  The test case works with ISE 2.3 but NOT with 2.4.

Thank you for your time and consideration.

Be well

Labels:
Preview file
42 KB
4 Replies 4

hslai
Cisco Employee
Cisco Employee

‎05-28-2018 05:36 PM

Please engage Cisco TAC support to troubleshoot. It's likely something to do with your list of posture requirements and how ISE responding to some of them.

With ISE 2.4, AC Windows 4.6.00362 and CM 4.2.1538.0 are working for me on Windows 10 Enterprise 2016 LTSB.

Screen Shot 2018-05-28 at 5.32.38 PM.png

0 Helpful

aravikumar
Level 1
Level 1
In response to hslai

‎05-30-2018 12:23 PM

Hi Hslai,

Thank you for your response. We have found the breaking point. When posture policy is configured for any posture check condition other than  'Bitlocker posture check', the posture scanning works as per expectation and the network access is allowed after posture is successful.

But when the Bitlocker condition is enabled, the AnyConnect Client throws the same error "This client version is old and not compatible.  Please install the new version." Can you please check on your side ?



Here we tested with ISE 2.4, AnyConnect Windows 4.6.00362, Compliance Module 4.2.1477.0 and Endpoint OS Windows 7 Professional.


Please find attached document for setting we have configured. I am curious is it Anyconnect defect or ISE defect.



Bitlocker posture policy.png

Bitlocker condition.png

ERROR.png

0 Helpful

hslai
Cisco Employee
Cisco Employee
In response to aravikumar

‎05-30-2018 02:24 PM

I am able to recreate when the disk location selected is All Internal Drives. It working fine if specific location, so this is not a regression.

I logged a new bug CSCvj73573 and it should be visible in a day or two.

0 Helpful

hslai
Cisco Employee
Cisco Employee
In response to aravikumar

‎05-31-2018 11:53 AM

It turns out that the support for "All Internal Drives" requires AC 4.6 MR1, which released on 2018-May-28, besides ISE 2.4.

I am in discussion with our dev team to get it clarified in documentations.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents