Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
840
Views
0
Helpful
4
Replies

Post migration from ASA to FTD, macOS users not redirected - AnyConnect

dgaikwad
Level 5
Level 5

‎12-04-2020 02:48 AM

Hi Experts,

Last week we have migrated from ASA to FTD. With no changes in policies or any other configuration on ISE's end. The configuration is good as it is.

Issue:
macOS endpoints are not able to find ISE server

Troubleshooting:
After migration its observed that the Windows endpoints are able to connect to VPN just fine. That is when they connect, policy server is detected and posture scan is run and compliant endpoints are granted access.
But with the macOS endpoints, it observed that authentication works, but they are not able to find the ISE server and run the posture.

These same endpoints were working when we were utilizing ASA for VPN access.
I have tested on macOS Catalina and Big Sur, but the end results is the same.
The VPN policies, client provisioning and authorization policies remain unchanged on ISE.

Has anyone faced this issue? Any pointers?

Labels:
0 Helpful
4 Replies 4

Mark Elsen
Hall of Fame
Hall of Fame

‎12-04-2020 03:33 AM

 

 - What is the exact error as seen on the Macs ?      2) Is there any info found in the ftd-anyconnect logs  ?         3) Is there anything in the ISE logs ?

 M.



-- Let everything happen to you  
       Beauty and terror
      Just keep going    
       No feeling is final
Reiner Maria Rilke (1899)
0 Helpful

dgaikwad
Level 5
Level 5
In response to Mark Elsen

‎12-04-2020 06:36 AM

1. There are no errors reported on the Macs, they just sit there after doing looking for a policy server

2. The things that I checked are, DACL gets applies, I can see that the posture redirection is ACL is also applied and the AnyConnect information is also captured - Is there anything apart from this that I need to collect? Or anything specific that I need to look into.

3. ISE logs show that the correct redirection policy and profiles are applied to the endpoint, there are no errors or anything (this is the same authentication and authorization policies for Windows as well)

0 Helpful

Mark Elsen
Hall of Fame
Hall of Fame
In response to dgaikwad

‎12-04-2020 08:07 AM

 

 - It's probably a 'far away shot' , but at least on one Mac I would try to remove Anyconnect , then re-install and see what is the result (?)

 M.



-- Let everything happen to you  
       Beauty and terror
      Just keep going    
       No feeling is final
Reiner Maria Rilke (1899)
0 Helpful

dgaikwad
Level 5
Level 5
In response to Mark Elsen

‎12-06-2020 08:48 PM

No, uninstall and reinstall has not been tried yet...But will give it a try.
Also, is there anything specific that I shall be looking at the FTD logs?

0 Helpful
Customers Also Viewed These Support Documents