Cisco FTD VPN Remote Access ISE Posture no policy server detected

ivan.martin
Level 1

Hi, I'm Ivan. I have an issue with VPN Remote Access Split Tunnel + DUO + ISE Posture.

My issue is in the posture. The result in AnyConnect says: Policy Server not detected


ISE: PSN1/PSN2

Posture Profile Configuration: Call Home - PSN1/PSN2 

Discovery Host: 72.163.1.80

ISE doesn't have a dACL for redirection

ISE has dACLs for compliant and non-compliant


FTD:

access-list PER-GP-VPN_ST|splitAcl extended permit ip object 72.163.1.80  any
access-list PER-GP-VPN_ST|splitAcl extended permit ip object Net_10  any
access-list PER-GP-VPN_ST|splitAcl extended permit ip object Net_172 any
access-list PER-GP-VPN_ST|splitAcl extended permit ip object Net_192  any
access-list FTD-ACL-VPN_Redirection extended deny udp any4 host DNSSERVER1 eq domain log disable
access-list FTD-ACL-VPN_Redirection extended deny udp any4 host DNSSERVER2 eq domain log disable
access-list FTD-ACL-VPN_Redirection extended deny ip any4 host PSN1 log disable
access-list FTD-ACL-VPN_Redirection extended deny ip any4 host PSN2 log disable
access-list FTD-ACL-VPN_Redirection extended permit tcp any4 any4 eq www log disable
access-list FTD-ACL-VPN_Redirection extended permit tcp any4 any4 eq https log disable
access-list FTD-ACL-VPN_Redirection extended permit tcp any4 any4 eq 8443 log disable
access-list FTD-ACL-VPN_Redirection extended permit ip any4 host 72.163.1.80 log disable


Windows client PC:

ISE Posture Profile says: Call Home List - PSN1, PSN2, Discovery Host: 72.163.1.80


The Windows client PC always gets the corporate DNS. Using DNS we can resolve the FQDN of the PSN.

Please can you help me, because I would like to find the reason for the error in the AnyConnect client.


Regards.


Milos_Jovanovic
VIP Alumni

Hi @ivan.martin,

Redirection ACL must be predefined on ASA/FTD, as it is not possible to push that one via dACL. However, on ISE you must have authorization profile calling for this predefined ACL (for the initial unknown profile). Also, probing host enroll.cisco.com (72.163.1.80) must be routed towards inside of your network, and must be included in split-tunnel, which is already done as I can see.

BR,

Milos

Mike.Cifelli
VIP Alumni

Totally agree with @Milos_Jovanovic 

Note that in ISE you will require 3 different authz policies to support each posture state: unknown, compliant, non-compliant.  Typically each status would have unique DACLs applied based on environment needs.  Make sure too that you are allowing proper ports for posturing (client side 8905 for discovery): https://content.cisco.com/chapter.sjs?uri=/searchable/chapter/content/en/us/td/docs/security/ise/2-4/install_guide/b_ise_InstallationGuide24/b_ise_InstallationGuide24_chapter_0110.html.xml#ID-1420-000000ee

This also may help: https://community.cisco.com/t5/security-documents/ise-posture-prescriptive-deployment-guide/ta-p/3680273
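As an added example (not code from this thread, from Cisco, or from ISE), here is a small Python checker that applies the rules in the two replies above to the ACLs from the original post: in the redirect ACL, the PSNs and DNS servers must be exempted (denied) ahead of any permit, the probe to the discovery host must be redirected (permitted), and the discovery host must be included in the split-tunnel ACL. Object names such as PSN1 and Net_10 are used exactly as posted, so the example cannot tell whether the PSNs fall inside the Net_10 object; that part of the check is left to the reader.

```python
# Constructed from the ACL lines posted in this thread; object names stand in for addresses.
SPLIT_ACL = """
access-list PER-GP-VPN_ST|splitAcl extended permit ip object 72.163.1.80 any
access-list PER-GP-VPN_ST|splitAcl extended permit ip object Net_10 any
"""
REDIRECT_ACL = """
access-list FTD-ACL-VPN_Redirection extended deny udp any4 host DNSSERVER1 eq domain log disable
access-list FTD-ACL-VPN_Redirection extended deny udp any4 host DNSSERVER2 eq domain log disable
access-list FTD-ACL-VPN_Redirection extended deny ip any4 host PSN1 log disable
access-list FTD-ACL-VPN_Redirection extended deny ip any4 host PSN2 log disable
access-list FTD-ACL-VPN_Redirection extended permit tcp any4 any4 eq www log disable
access-list FTD-ACL-VPN_Redirection extended permit tcp any4 any4 eq https log disable
access-list FTD-ACL-VPN_Redirection extended permit ip any4 host 72.163.1.80 log disable
"""
PSNS, DNS_SERVERS, DISCOVERY_HOST = {"PSN1", "PSN2"}, {"DNSSERVER1", "DNSSERVER2"}, "72.163.1.80"

def parse_ace(line):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT] ...'; None if not an ACE."""
    tok = line.split()
    if len(tok) < 7 or tok[0] != "access-list" or tok[2] != "extended":
        return None
    pos = 5
    def take_addr():  # SRC/DST is any, any4, host X, object X or object-group X
        nonlocal pos
        pos += 2 if tok[pos] in ("host", "object", "object-group") else 1
        return tok[pos - 1]
    src, dst = take_addr(), take_addr()
    port = tok[pos + 1] if pos + 1 < len(tok) and tok[pos] == "eq" else None
    return {"acl": tok[1], "action": tok[3], "proto": tok[4], "src": src, "dst": dst, "port": port}

def load(text):
    return [a for a in map(parse_ace, text.strip().splitlines()) if a]

def check_redirect_acl(aces, psns, dns_servers, discovery_host):
    """Redirect ACL semantics: permit = redirect, deny = exempt, first match wins.
    Returns a list of findings; empty means the invariants from the thread hold."""
    findings = []
    first_permit = next((n for n, a in enumerate(aces) if a["action"] == "permit"), len(aces))
    for host in sorted(psns | dns_servers):
        idx = next((n for n, a in enumerate(aces) if a["action"] == "deny" and a["dst"] == host), None)
        if idx is None:
            findings.append(f"no deny ACE for {host}: its traffic would be redirected")
        elif idx > first_permit:
            findings.append(f"deny for {host} sits after a permit ACE and may never match")
    if not any(a["action"] == "permit" and a["dst"] == discovery_host for a in aces):
        findings.append(f"discovery host {discovery_host} is not redirected")
    return findings

def check_split_tunnel(aces, required):
    """Names that must be tunnelled (discovery host, PSN networks) but are missing from the split ACL."""
    included = {a["src"] for a in aces if a["action"] == "permit"}
    return [h for h in required if h not in included]
```

Run `check_redirect_acl(load(REDIRECT_ACL), PSNS, DNS_SERVERS, DISCOVERY_HOST)` against your own `show access-list` output; a non-empty list points at the ACE that would keep the posture probe or the PSN traffic on the wrong side of the redirect.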


Hi Milos, Mike

I did it. From the client PC, the ISE posture profile has the DH towards the inside of the FTD, and the redirect ACL also has enroll.cisco.com with any port and the inside of the FTD. Should port 8905 be in the redirection ACL on the FTD? Or in the dACL?

I did lots of things without any result... I'm starting to think VPN remote access with ISE posture in split tunnel is not supported on FTD. Moreover, FTD does not appear in the compatibility matrix for ISE 2.7 in the posture service.

-Please take a look at this guide and at the previously shared posture guide, as they both should help identify the workflow issue:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/215236-ise-posture-over-anyconnect-remote-acces.html

-Another great resource to aid in troubleshooting is installing DART on the troubled client and parsing the posture module logs, as that may help too.

Should port 8905 be in the redirection ACL on the FTD? Or in the dACL?

-The posture module uses port 8905 for a few items, so I was suggesting that you take a look at the required ports/protocols and make sure 8905 is not blocked in the path between the PSNs and the clients, in order for posture to work properly.

Hi Mike

Now I can detect the policy server (PSN); the difference was the split-tunnel ACL. But my issue now is that the FTD cannot remove the posture pending status. The dACL is downloaded to the FTD, but it doesn't remove the state for the compliance policy. AnyConnect says compliant, but the session stays in the redirection policy.

Do you have some advice?

Regards.

Hi Ivan,

I faced this before and I fixed it by opening UDP port 1700 from ISE to the FTD.