Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2119
Views
0
Helpful
2
Replies

CISCO ISE POSTURE FAILED TO INSTALL REDIRECT URL

pinjar84062
Level 1
Level 1

‎01-07-2022 12:02 AM

Dear ALL,

Hope all are good.

We are deploying cisco ise posture with Cisco FTD any connect VPN. Our ise version is 3.0 and the FTD version is 6.4. When we did connect any connect VPN below error is showing:

 

"The secure gateway has rejected the connection attempt. A new connection attempt to the same or another secure gateway is needed, which requires re-authentication. The following message was received from the secure gateway. Failed to install Redirect URL.

Our ise side radius log status is permitted and posture status is pending. We have attached ISE side log for your better view. Please suggest to us how can we resolve the problem.

 

Regards,

Samiul

1 person had this problem
Labels:
Preview file
50 KB
Preview file
64 KB
Preview file
94 KB
0 Helpful
2 Replies 2

Meddane
VIP
VIP

‎10-30-2022 08:33 AM

Make sure the redirect ACL is configured on FTD, and also make sure that the same name of the redirect ACL is referenced in the authorization profile that redirect end user to the client provisioning portal.

0 Helpful

Sheraz.Salim
VIP
VIP

‎10-30-2022 01:42 PM

from the client laptop/computer while connected to anyconnect. Run the wireshark and capture the packet (capture the packet on the anyconnect nic).

You can launch the Wireshark on the AnyConnect adapter to see the redirect process on the packet level

In case the AnyConnect adapter is not available in the adapters list in Wireshark, follow the procedure below to fix this:

Exit Wiresharkf

Launch CMD as an Administrator

Enter the command ‘sc stop npf’ and press Enter

Enter the command ‘sc start npf’ and press Enter

Start Wireshark once again

The following filter can be used in Wireshark to filter all events related to redirection ‘dns||http||tcp.port==8443’

 

 

on your last post from picture3 we see the attributes ISE is pushing to the ASA which show the redirect ACL and URL. On the ASA CLI, can you see the attributes are applied by using the “show vpn-sessiondb detail anyconnect” command. the output will be in this manner

ASAv# show vpn-sessiondb detail anyconnect
<output omitted>
Pkts Tx : 10 Pkts Rx : 16
Pkts Tx Drop : 0 Pkts Rx Drop : 0
ISE Posture:
Redirect URL : https://posture.securelabtest.com:8443/portal/gateway?sessionId=c6130a640000f0005c27dy27&portal=7b2ff1a...
Redirect ACL : POSTURE-REDIRECT

if you see this it most probably your ise portal page is not reachable.

also make sure your access-list is configured properly.

ASA# show access-list POSTURE-REDIRECT
access-list POSTURE-REDIRECT line 1 extended permit tcp any any eq www
access-list POSTURE-REDIRECT line 2 extended deny udp any any eq domain
access-list POSTURE-REDIRECT line 3 extended deny tcp any host ISE-Appliance eq 8443
access-list POSTURE-REDIRECT line 4 extended permit ip any any
please do not forget to rate.
0 Helpful
Customers Also Viewed These Support Documents