08-19-2024 06:09 AM
Hi there,
We have a weird issue. We can connect to our RA VPN with Cisco Secure Client on Windows, macOS and Linux but cannot connect to it on either Android or iOS devices.
I turned on debug level for VPN troubleshooting and checked the debug logs.
When connecting to the RA VPN with a laptop, FTD sends the username and password to the AAA servers after the TLS handshake and everything works well. But when connecting to the RA VPN with a mobile device, the debug logs are different. I attached screenshots of both situations.
Environment: FMCv standalone 7.2.8 - FTDv standalone 7.2.8
Thank you for your assistance
08-21-2024 03:03 AM
The step that has latency is an ISE internal step, not related to the client.
But if the Wi-Fi client, or FTD, has a lower authc timeout than the other wired OS, then this client will fail to authc.
To be sure, check the debug detail for both cases and see if both cases have the same latency.
If yes, then, as I suggested before, increase the authc timeout in the FTD profile
and try upgrading the ISE.
08-22-2024 07:42 AM
I installed Patch-9 on our ISE 3.1 and then the issue was resolved.
08-19-2024 06:13 AM
What auth do you use for this RA VPN?
MHM
08-19-2024 06:14 AM
RADIUS authentication with Cisco ISE
08-19-2024 06:50 AM
Can you share
debug webvpn anyconnect 255
for both cases?
MHM
08-19-2024 08:08 AM
I ran that command. How should I export that for you?
Did you see the attached screenshots?
08-19-2024 08:11 AM
Screenshots are OK.
And in the last screenshots you shared, the debug is a mix of AnyConnect and AAA traffic. I need to debug only AnyConnect.
MHM
08-19-2024 09:17 AM
This is when using a mobile device, with VPN logging in debug mode and that debug command executed.
The normal situation will be attached in the next comment.
08-19-2024 09:43 AM
Normal connection with a laptop.
08-19-2024 11:05 AM
The AAA server group failed.
show aaa-server <<- check this command and see if there are rejects or timeouts
Also do a capture on the interface facing the AAA servers and see whether FTD sends packets to AAA or not.
MHM
08-19-2024 11:06 AM
I just captured packets in both situations.
In a normal connection from the desktop client, one RADIUS request is sent from FTD to ISE and one RADIUS response is received from ISE.
But when connecting with a mobile device, RADIUS requests are sent to ISE but no response is received.
The username and password that I am using on both clients are the same.
08-19-2024 11:07 AM
Also, I ran show aaa-server and all of them are ACTIVE.
08-19-2024 11:13 AM
Share show aaa-server <<-
Also, if you use a condition in ISE that matches a specific OS, then ISE will not reply; this is mostly an issue with the policy set in ISE.
MHM
08-20-2024 12:01 AM
08-20-2024 03:13 AM
It is an issue with ISE.
There are a timeout count and an accept count;
the timeout count is high.
Can I see the policy set of ISE?
MHM
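The check described in the post above, comparing timeout counts against request counts for servers that still report ACTIVE, as an added example that is not part of the thread. The sample output is constructed and its field labels follow the usual ASA/FTD `show aaa-server` counters, which is an assumption because the thread's own output is not reproduced on this page; the 10% threshold is likewise an assumption.

```python
import re

# Constructed sample modelled on ASA/FTD `show aaa-server` output (not from the thread).
SAMPLE = """\
Server Group:    ISE-GROUP
Server Protocol: radius
Server Address:  192.0.2.10
Server status:   ACTIVE, Last transaction at 10:01:12 UTC Tue Aug 20 2024
Number of authentication requests       120
Number of accepts                       70
Number of rejects                       2
Number of timeouts                      48

Server Group:    ISE-GROUP
Server Protocol: radius
Server Address:  192.0.2.11
Server status:   ACTIVE, Last transaction at 10:00:03 UTC Tue Aug 20 2024
Number of authentication requests       40
Number of accepts                       39
Number of rejects                       1
Number of timeouts                      0
"""

def parse_servers(text):
    """Split the output into one dict per server block."""
    servers = []
    for line in text.splitlines():
        if line.startswith("Server Group:"):
            servers.append({"group": line.split(":", 1)[1].strip()})
        elif not servers:
            continue
        elif m := re.match(r"Server (Address|status):\s+(.*)", line):
            servers[-1][m.group(1).lower()] = m.group(2).split(",")[0].strip()
        elif m := re.match(r"Number of ([a-z ]+?)\s+(\d+)$", line):
            servers[-1][m.group(1)] = int(m.group(2))
    return servers

def timeout_suspects(servers, threshold=0.10):
    """Servers that report ACTIVE yet time out on more than `threshold` of requests."""
    flagged = []
    for s in servers:
        requests = s.get("authentication requests", 0)
        ratio = s.get("timeouts", 0) / requests if requests else 0.0
        if s.get("status") == "ACTIVE" and ratio > threshold:
            flagged.append((s["address"], round(ratio, 2)))
    return flagged

if __name__ == "__main__":
    for address, ratio in timeout_suspects(parse_servers(SAMPLE)):
        print(f"{address}: ACTIVE but {ratio:.0%} of requests timed out")
```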
08-20-2024 03:47 AM - edited 08-20-2024 03:49 AM