Cisco RA VPN Issue only on mobile devices

justclash4
Level 1

Hi there,

We have a weird issue. We can connect to our RA VPN with Cisco Secure Client on Windows, macOS and Linux, but cannot connect on Android and iOS devices.

I turned on debug level for VPN troubleshooting and checked the debug logs.

When connecting to the RA VPN with a laptop, the FTD sends the username and password to the AAA servers after the TLS handshake and everything works well. But when connecting to the RA VPN with a mobile device, the debug logs are different. I attached screenshots of both situations.

Environment: FMCv standalone 7.2.8 - FTDv standalone 7.2.8

Thank you for your assistance

31 Replies

In the authorization policy, are you pushing one IP for all AnyConnect users?

Remove this attribute and use a local pool in the FTD instead, then check again.

MHM

No, this is just for testing. I can connect from a desktop with this profile, but not from a mobile device.

Based on the TCP dump that I executed, the issue is on Cisco ISE, but I don't know what is wrong.

In the policy set nothing related to the client OS is configured. Is it possible that ISE checks the client OS by another attribute that I don't know about?

Update:

I connected the FTD to a new ISE server with the same policy set that I attached in previous comments, and it works. But I don't know what's wrong with my current Cisco ISE.

Do you see the hit count (in blue) appear in your policy set?

There are 15 hits for the policy, 15 for authc and 9 for authz (customized authz policy).

Can you check if the authz local/global exceptions have any hits?

Try using AnyConnect and check the hit count.

MHM

Local and global exceptions are empty.

Does an event appear in the RADIUS live logs when your mobile device tries to connect? If so, please share the Accounting Detail Report (click the "details" icon in the live log entry). If not, then the firewall's request to ISE is never sent (or never reaching ISE). (In the latter case, it could also happen if the ISE nodes are not synced in the deployment; this is rarer but is known to happen. I once spent half a day troubleshooting before realizing the nodes were not synced.)

I just captured packets in both situations.
In a normal connection from the desktop client, one RADIUS request is sent from the FTD to ISE and one RADIUS response is received from ISE.

But when connecting with a mobile device, RADIUS requests are sent to ISE but no response is received.
The username and password that I am using on both clients are the same.

Details page attached.

I checked. ISE nodes are synced.

Marvin Rhoads
Hall of Fame

Your successful authentication screenshot shows a DAP (Dynamic Access Policy) is in effect. Have you checked that to make sure you aren't enforcing OS types?

We don't have a DAP policy, and I don't know why there are DAP-related logs in my debug logs.

justclash4
Level 1

I just captured packets in both situations.
In a normal connection from the desktop client, one RADIUS request is sent from the FTD to ISE and one RADIUS response is received from ISE.

But when connecting with a mobile device, RADIUS requests are sent to ISE but no response is received.
The username and password that I am using on both clients are the same.

Can somebody help me?

justclash4
Level 1

@Marvin Rhoads @MHM Cisco World

I executed the packet capture again and let it continue for about 90 seconds.

The Cisco ISE response reaches the FTD after about 40 seconds. So the main issue is auth latency.

And it's weird that the auth latency only happens for mobile devices with the same credentials.

The RADIUS Live Logs account detail report for the session should show you the timer for each step and allow you to analyze what is causing the latency.

Hi friend,
as I mentioned before, it seems to be an ISE issue. Anyway, I checked my notes; I think it is a common issue in ISE with AnyConnect (not all OSes).
Check the Cisco suggestion.

Screenshot (696).png

I didn't understand. The traffic between the FTD, ISE and Active Directory goes over wired links, not wireless.
And the latency in the auth steps is happening in ISE itself.
How can it be related to client connectivity?

Screenshot 2024-08-20 at 7.28.30 PM.png

The step that has latency is an ISE internal step, not related to the client.
But if the Wi-Fi client (or the FTD) has a shorter authc timeout than the other, wired OSes, then this client will fail to authc.
To be sure,
check the debug details for both cases and see if both cases have the same latency.
If yes,
then, as I suggested before, increase the authc timeout in the FTD profile
and try upgrading the ISE.

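The comparison suggested in the thread (measure the RADIUS request-to-response time for the desktop and the mobile case and check it against the auth timeout) can be done from a capture summary. This is an added example, not code from the thread or from Cisco; the capture lines, addresses and the 12-second timeout are constructed values, and the line format is a simplified tcpdump-style summary assumed for the example.

```python
"""Pair RADIUS Access-Requests with their responses in a capture summary and
flag authentications whose round trip exceeds the client's auth timeout.
Added example; the capture lines and addresses below are constructed."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed summary lines: "<seconds> <src> > <dst>: RADIUS, <Code> (<n>), id: 0x<id>"
# 0x1a: desktop-style fast answer; 0x1b: slow answer (~40 s); 0x1c: never answered.
CAPTURE = """\
0.000 10.1.1.5.1645 > 10.1.2.10.1812: RADIUS, Access-Request (1), id: 0x1a
0.210 10.1.2.10.1812 > 10.1.1.5.1645: RADIUS, Access-Accept (2), id: 0x1a
5.000 10.1.1.5.1645 > 10.1.2.10.1812: RADIUS, Access-Request (1), id: 0x1b
45.300 10.1.2.10.1812 > 10.1.1.5.1645: RADIUS, Access-Accept (2), id: 0x1b
60.000 10.1.1.5.1645 > 10.1.2.10.1812: RADIUS, Access-Request (1), id: 0x1c
"""

LINE_RE = re.compile(
    r"^(?P<ts>[\d.]+) \S+ > \S+: RADIUS, (?P<kind>[\w-]+) \(\d+\), id: 0x(?P<id>[0-9a-f]+)$"
)


@dataclass
class Exchange:
    ident: int                      # RADIUS packet identifier (pairs request and reply)
    sent: float                     # timestamp of the Access-Request
    answered: Optional[float] = None  # None: no response seen in the capture
    result: Optional[str] = None      # Access-Accept / Access-Reject / Access-Challenge

    @property
    def latency(self) -> Optional[float]:
        return None if self.answered is None else round(self.answered - self.sent, 3)


def pair_exchanges(capture: str) -> list:
    """Match each Access-Request to the next response with the same identifier.
    A retransmitted request with the same id replaces the earlier pending one."""
    pending, done = {}, []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # ignore non-RADIUS or malformed lines
        ts, kind, ident = float(m["ts"]), m["kind"], int(m["id"], 16)
        if kind == "Access-Request":
            pending[ident] = Exchange(ident, ts)
        elif ident in pending:
            ex = pending.pop(ident)
            ex.answered, ex.result = ts, kind
            done.append(ex)
    return done + list(pending.values())   # unanswered requests come last


def slow_or_unanswered(exchanges, timeout_s: float) -> list:
    """Identifiers whose response arrives after the auth timeout, or never."""
    return [e.ident for e in exchanges if e.latency is None or e.latency > timeout_s]
```

Run against the real capture, the same pairing for the desktop and the mobile attempt shows whether ISE's answer is merely late (raise the authc timeout as suggested above) or absent.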