02-03-2022 04:08 PM
Hi, I'm Ivan, I have an issue with VPN Remote Access Split Tunnel + DUO + ISE Posture.
My issue is in the posture. The result in AnyConnect says: Policy Server not detected
ISE: PSN1/PSN2
Posture Profile Configuration: Call Home - PSN1/PSN2
Discovery Host: 72.163.1.80
ISE doesn't have a DACL for redirection
ISE has DACLs for compliant and non-compliant
FTD:
access-list PER-GP-VPN_ST|splitAcl extended permit ip object 72.163.1.80 any
access-list PER-GP-VPN_ST|splitAcl extended permit ip object Net_10 any
access-list PER-GP-VPN_ST|splitAcl extended permit ip object Net_172 any
access-list PER-GP-VPN_ST|splitAcl extended permit ip object Net_192 any
access-list FTD-ACL-VPN_Redirection extended deny udp any4 host DNSSERVER1 eq domain log disable
access-list FTD-ACL-VPN_Redirection extended deny udp any4 host DNSSERVER2 eq domain log disable
access-list FTD-ACL-VPN_Redirection extended deny ip any4 host PSN1 log disable
access-list FTD-ACL-VPN_Redirection extended deny ip any4 host PSN2 log disable
access-list FTD-ACL-VPN_Redirection extended permit tcp any4 any4 eq www log disable
access-list FTD-ACL-VPN_Redirection extended permit tcp any4 any4 eq https log disable
access-list FTD-ACL-VPN_Redirection extended permit tcp any4 any4 eq 8443 log disable
access-list FTD-ACL-VPN_Redirection extended permit ip any4 host 72.163.1.80 log disable
Windows client PC:
ISE Posture Profile says: Call Home List - PSN1, PSN2, Discovery Host: 72.163.1.80
The Windows client PC always gets the corporate DNS. Using DNS we can resolve the FQDN of the PSN.
Please can you help me? I would like to find the reason for the error in the AnyConnect client.
Regards.
02-04-2022 01:51 AM
Hi @ivan.martin,
The redirection ACL must be predefined on the ASA/FTD, as it is not possible to push that one via dACL. However, on ISE you must have an authorization profile calling for this predefined ACL (for the initial unknown profile). Also, the probing host enroll.cisco.com (72.163.1.80) must be routed towards the inside of your network, and must be included in the split tunnel, which is already done as I can see.
BR,
Milos
02-05-2022 06:45 AM
Totally agree with @Milos_Jovanovic
Note that in ISE you will require 3 different authz policies to support each posture state: unknown, compliant, non-compliant. Typically each status would have unique DACLs applied based on environment needs. Make sure, too, that you are allowing the proper ports for posturing (client side 8905 for discovery): https://content.cisco.com/chapter.sjs?uri=/searchable/chapter/content/en/us/td/docs/security/ise/2-4/install_guide/b_ise_InstallationGuide24/b_ise_InstallationGuide24_chapter_0110.html.xml#ID-1420-000000ee
This also may help: https://community.cisco.com/t5/security-documents/ise-posture-prescriptive-deployment-guide/ta-p/3680273
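As an added example (not code from the thread, from Ivan's configuration, or from Cisco), the script below checks the two points Milos and Mike raise against ACL lines in the format Ivan posted: the discovery host must be in the split-tunnel ACL, and the redirect ACL must exempt (deny) PSN and DNS traffic before any broad permit, because the ASA/FTD evaluates ACEs first-match-wins. It assumes the placeholder names PSN1/DNSSERVER1 from the thread, uses TCP 8443/8905 as the PSN ports to keep out of the redirect (following Mike's note on posture ports), and does not resolve network objects such as Net_10, so only hosts named directly in the split-tunnel ACL are recognised. The second, mis-ordered config is constructed to show what the check flags.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample 1: ACLs as posted in the thread (placeholder names kept).
THREAD_CONFIG = """
access-list PER-GP-VPN_ST|splitAcl extended permit ip object 72.163.1.80 any
access-list PER-GP-VPN_ST|splitAcl extended permit ip object Net_10 any
access-list FTD-ACL-VPN_Redirection extended deny udp any4 host DNSSERVER1 eq domain log disable
access-list FTD-ACL-VPN_Redirection extended deny ip any4 host PSN1 log disable
access-list FTD-ACL-VPN_Redirection extended deny ip any4 host PSN2 log disable
access-list FTD-ACL-VPN_Redirection extended permit tcp any4 any4 eq www log disable
access-list FTD-ACL-VPN_Redirection extended permit tcp any4 any4 eq https log disable
access-list FTD-ACL-VPN_Redirection extended permit tcp any4 any4 eq 8443 log disable
access-list FTD-ACL-VPN_Redirection extended permit ip any4 host 72.163.1.80 log disable
"""

# Constructed sample 2: the PSN exemption placed after a broad permit, so the
# permit wins and portal traffic to the PSN would be redirected.
MISORDERED_CONFIG = """
access-list PER-GP-VPN_ST|splitAcl extended permit ip object 72.163.1.80 any
access-list FTD-ACL-VPN_Redirection extended permit tcp any4 any4 eq www log disable
access-list FTD-ACL-VPN_Redirection extended permit tcp any4 any4 eq 8443 log disable
access-list FTD-ACL-VPN_Redirection extended deny ip any4 host PSN1 log disable
"""

PORT_NAMES = {"www": "80", "http": "80", "https": "443", "domain": "53"}
ADDR_ONE = {"any", "any4", "any6"}             # one-token address specs
ADDR_TWO = {"host", "object", "object-group"}  # keyword followed by a name


@dataclass
class Ace:
    acl: str
    action: str          # permit or deny
    proto: str           # ip, tcp, udp, ...
    src: str
    dst: str
    port: Optional[str]  # destination port (name or number), None if absent


def _take_addr(tokens, i):
    """Consume one address spec at tokens[i]; return (spec, next index)."""
    if tokens[i] in ADDR_ONE:
        return tokens[i], i + 1
    if tokens[i] in ADDR_TWO:
        return tokens[i + 1], i + 2                # keep only the host/object name
    return f"{tokens[i]}/{tokens[i + 1]}", i + 2   # "network mask" form


def parse_acls(text: str) -> List[Ace]:
    """Parse extended ACL lines; lines that are not ACEs are skipped."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
            continue
        src, i = _take_addr(t, 5)
        dst, i = _take_addr(t, i)
        port = t[i + 1] if i + 1 < len(t) and t[i] == "eq" else None
        aces.append(Ace(t[1], t[3], t[4], src, dst, port))
    return aces


def first_match(aces, acl, dst, proto, port=None):
    """First-match-wins lookup for a flow from any source to dst.
    Returns 'permit', 'deny', or None when no ACE matches (implicit deny)."""
    port = PORT_NAMES.get(port, port)
    for a in aces:
        if a.acl != acl or a.proto not in ("ip", proto):
            continue
        if a.dst not in ADDR_ONE and a.dst != dst:
            continue
        if a.port is not None and PORT_NAMES.get(a.port, a.port) != port:
            continue
        return a.action
    return None


def split_tunnel_includes(aces, acl, host):
    """True if a permit ACE in the split-tunnel ACL names host directly as the
    tunnelled network (source field). Named objects are not resolved."""
    return any(a.acl == acl and a.action == "permit" and a.src == host for a in aces)


def check_posture_acls(aces, split_acl, redirect_acl, discovery_host, psns, dns_servers):
    """Return findings; empty means: discovery host tunnelled, PSN and DNS
    traffic bypass the redirect (deny), HTTP probe to discovery host redirected."""
    problems = []
    if not split_tunnel_includes(aces, split_acl, discovery_host):
        problems.append(f"{split_acl}: discovery host {discovery_host} is not tunnelled")
    for psn in psns:
        for port in ("8443", "8905"):  # assumed PSN portal / posture-agent ports
            if first_match(aces, redirect_acl, psn, "tcp", port) != "deny":
                problems.append(f"{redirect_acl}: PSN {psn} tcp/{port} would be redirected")
    for dns in dns_servers:
        if first_match(aces, redirect_acl, dns, "udp", "53") != "deny":
            problems.append(f"{redirect_acl}: DNS to {dns} would be redirected")
    if first_match(aces, redirect_acl, discovery_host, "tcp", "80") != "permit":
        problems.append(f"{redirect_acl}: probe to {discovery_host} tcp/80 is not redirected")
    return problems


if __name__ == "__main__":
    for name, cfg in (("thread", THREAD_CONFIG), ("misordered", MISORDERED_CONFIG)):
        found = check_posture_acls(parse_acls(cfg), "PER-GP-VPN_ST|splitAcl",
                                   "FTD-ACL-VPN_Redirection", "72.163.1.80",
                                   ["PSN1", "PSN2"], ["DNSSERVER1"])
        print(name, "OK" if not found else found)
```

Run it against the output of `show running-config access-list` pasted into a file; the thread config produces no findings, while the mis-ordered one reports that PSN1 tcp/8443 would be redirected, which is exactly the kind of mistake that leaves the client unable to reach the PSN while the redirect is active.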
02-05-2022 06:58 AM
Hi Milos, Mike,
I did it. From the PC client, the ISE posture profile has the DH towards the inside of the FTD; the redirect ACL also has enroll.cisco.com with any port and the inside of the FTD. Should port 8905 be in the ACL for redirection on the FTD? Or in the DACL?
I did lots of things without any result... I'm starting to think VPN remote access with ISE posture in split tunnel is not supported on FTD. Moreover, FTD does not appear in the compatibility matrix for ISE 2.7 in the posture service.
02-05-2022 09:00 AM
I did lots of things without any result... I'm starting to think VPN remote access with ISE posture in split tunnel is not supported on FTD. Moreover, FTD does not appear in the compatibility matrix for ISE 2.7 in the posture service.
-Please take a look at this guide and at the previously shared posture guide, as they both should help identify the workflow issue:
-Another great resource to aid in troubleshooting is installing DART on the troubled client and parsing the posture module logs, as that may help too.
Should port 8905 be in the ACL for redirection on the FTD? Or in the DACL?
-The posture module uses port 8905 for a few items, so I was suggesting that you take a look at the required ports/protocols and make sure 8905 is not blocked in the path between the PSNs and the clients in order for posture to work properly.
02-20-2022 05:48 PM
Hi Mike
Now I can detect the policy server (PSN); the difference was the split tunnel ACL. But my issue now is that the FTD cannot remove the posture pending status. The DACL is downloaded on the FTD, but it doesn't remove the state for the compliance policy. AnyConnect says compliant, but it is still in the redirection policy.
Do you have some advice?
Regards.
08-13-2023 08:27 PM
Hi Ivan,
I faced this before and I fixed it by opening UDP port 1700 from ISE to the FTD.