01-07-2022 12:02 AM
Dear all,
Hope all are good.
We are deploying Cisco ISE posture with Cisco FTD AnyConnect VPN. Our ISE version is 3.0 and the FTD version is 6.4. When we connect the AnyConnect VPN, the error below is shown:
"The secure gateway has rejected the connection attempt. A new connection attempt to the same or another secure gateway is needed, which requires re-authentication. The following message was received from the secure gateway: Failed to install Redirect URL."
Our ISE-side RADIUS log status is Permitted and the posture status is Pending. We have attached the ISE-side log for your better view. Please suggest to us how we can resolve the problem.
Regards,
Samiul
10-30-2022 08:33 AM
Make sure the redirect ACL is configured on the FTD, and also make sure that the same redirect ACL name is referenced in the authorization profile that redirects the end user to the client provisioning portal.
10-30-2022 01:42 PM
From the client laptop/computer, while connected to AnyConnect, run Wireshark and capture the packets (capture on the AnyConnect NIC).
You can launch Wireshark on the AnyConnect adapter to see the redirect process at the packet level.
In case the AnyConnect adapter is not available in the adapters list in Wireshark, follow the procedure below to fix this:
Exit Wireshark
Launch CMD as an Administrator
Enter the command ‘sc stop npf’ and press Enter
Enter the command ‘sc start npf’ and press Enter
Start Wireshark once again
The following filter can be used in Wireshark to show all events related to redirection: ‘dns||http||tcp.port==8443’
In your last post, picture 3 shows the attributes ISE is pushing to the ASA, which include the redirect ACL and URL. On the ASA CLI, can you check whether the attributes are applied, using the “show vpn-sessiondb detail anyconnect” command? The output will look like this:
ASAv# show vpn-sessiondb detail anyconnect
<output omitted>
Pkts Tx : 10 Pkts Rx : 16
Pkts Tx Drop : 0 Pkts Rx Drop : 0
ISE Posture:
Redirect URL : https://posture.securelabtest.com:8443/portal/gateway?sessionId=c6130a640000f0005c27dy27&portal=7b2ff1a...
Redirect ACL : POSTURE-REDIRECT
If you see this, it is most probably that your ISE portal page is not reachable.
Also make sure your access-list is configured properly.
ASA# show access-list POSTURE-REDIRECT
access-list POSTURE-REDIRECT line 1 extended permit tcp any any eq www
access-list POSTURE-REDIRECT line 2 extended deny udp any any eq domain
access-list POSTURE-REDIRECT line 3 extended deny tcp any host ISE-Appliance eq 8443
access-list POSTURE-REDIRECT line 4 extended permit ip any any
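As an added example (not part of any reply in this thread, and not Cisco's own tooling), the following Python script turns the two manual checks above into a repeatable one: it parses the "show vpn-sessiondb detail anyconnect" and "show access-list" outputs, confirms that the redirect ACL name pushed by ISE actually exists on the firewall (the point of the first reply), and checks that the ACL has the three entries the redirect needs. On an ASA/FTD redirect ACL a permit entry means "redirect this traffic" and a deny entry means "let it through untouched", so client HTTP (port 80) must be permitted while DNS and the ISE portal port taken from the Redirect URL (8443 here) must be denied, otherwise the portal itself gets caught in the redirect. The sample outputs are constructed from the excerpts in the thread; the truncated portal id is replaced by a labelled placeholder, and the second ACL sample with a mismatched name is invented to show the check failing.

```python
import re
from urllib.parse import urlparse

# Constructed sample, shaped like the "show vpn-sessiondb detail anyconnect" excerpt above.
# The portal id at the end of the URL is a placeholder, not a real value.
SESSION_OUTPUT = """\
ASAv# show vpn-sessiondb detail anyconnect
<output omitted>
Pkts Tx : 10 Pkts Rx : 16
ISE Posture:
Redirect URL : https://posture.securelabtest.com:8443/portal/gateway?sessionId=c6130a640000f0005c27dy27&portal=PORTAL-ID-PLACEHOLDER
Redirect ACL : POSTURE-REDIRECT
"""

# Constructed sample, shaped like the "show access-list POSTURE-REDIRECT" excerpt above.
ACL_OUTPUT = """\
ASA# show access-list POSTURE-REDIRECT
access-list POSTURE-REDIRECT line 1 extended permit tcp any any eq www
access-list POSTURE-REDIRECT line 2 extended deny udp any any eq domain
access-list POSTURE-REDIRECT line 3 extended deny tcp any host ISE-Appliance eq 8443
access-list POSTURE-REDIRECT line 4 extended permit ip any any
"""

# Invented failure case: the ACL exists but under a different name than ISE references.
MISNAMED_ACL_OUTPUT = ACL_OUTPUT.replace("POSTURE-REDIRECT", "POSTURE_REDIRECT")

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "domain": 53}
ACE_RE = re.compile(r"^access-list (\S+) line (\d+) extended (permit|deny) (\S+) (.+)$")


def port_number(token):
    """Map an ASA port keyword or number to an integer (None if unknown)."""
    return int(token) if token.isdigit() else PORT_NAMES.get(token)


def parse_session(text):
    """Pull the ISE posture attributes out of 'show vpn-sessiondb detail anyconnect'."""
    url = re.search(r"Redirect URL\s*:\s*(\S+)", text)
    acl = re.search(r"Redirect ACL\s*:\s*(\S+)", text)
    return {"redirect_url": url.group(1) if url else None,
            "redirect_acl": acl.group(1) if acl else None}


def _take_addr(tokens):
    """Consume one ASA address spec: 'any', 'host X' or 'addr mask'."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    return f"{tokens[0]}/{tokens[1]}", tokens[2:]


def parse_acl(text):
    """Parse the ACEs printed by 'show access-list <name>' into dicts."""
    entries = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue  # skips the command echo and anything that is not an ACE
        name, lineno, action, proto, rest = m.groups()
        tokens = rest.split()
        src, tokens = _take_addr(tokens)
        if tokens and tokens[0] == "eq":      # optional source port, not needed here
            tokens = tokens[2:]
        dst, tokens = _take_addr(tokens)
        dst_port = port_number(tokens[1]) if tokens and tokens[0] == "eq" else None
        entries.append({"acl": name, "line": int(lineno), "action": action,
                        "proto": proto, "src": src, "dst": dst, "dst_port": dst_port})
    return entries


def check_redirect(session, entries):
    """Return a list of findings; an empty list means the redirect setup looks consistent."""
    findings = []
    url, acl_name = session["redirect_url"], session["redirect_acl"]
    if not url or not acl_name:
        findings.append("ISE pushed no Redirect URL/ACL: check the authorization profile "
                        "and the RADIUS result for this session")
        return findings
    if acl_name not in {e["acl"] for e in entries}:
        findings.append(f"ACL '{acl_name}' referenced by ISE is not configured on the firewall")
        return findings
    aces = [e for e in entries if e["acl"] == acl_name]
    portal_port = urlparse(url).port or 443

    def has(action, proto, port):
        return any(e["action"] == action and e["proto"] == proto and e["dst_port"] == port
                   for e in aces)

    # Permit = redirect, deny = bypass on an ASA/FTD redirect ACL.
    if not has("permit", "tcp", 80):
        findings.append("no 'permit tcp ... eq www' entry: client HTTP will never be redirected")
    if not has("deny", "tcp", portal_port):
        findings.append(f"no 'deny tcp ... eq {portal_port}' entry: traffic to the ISE portal "
                        "itself would be redirected back to the portal")
    if not has("deny", "udp", 53):
        findings.append("no 'deny udp ... eq domain' entry: DNS would be caught by the redirect")
    return findings


if __name__ == "__main__":
    for label, acl_text in (("good ACL", ACL_OUTPUT), ("misnamed ACL", MISNAMED_ACL_OUTPUT)):
        result = check_redirect(parse_session(SESSION_OUTPUT), parse_acl(acl_text))
        print(label, "->", result or "OK")
```

Paste the real outputs from your ASA or FTD (on FTD, via the diagnostic CLI) in place of the constructed samples; the script only reads text, it does not log in to any device. If the session output shows no "ISE Posture" block at all, the problem is upstream of the ACL, in the ISE authorization result, which matches the first reply's advice to check the authorization profile before the ACL itself.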