cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
78864
Views
56
Helpful
14
Replies

AnyConnect System Scan: No policy server detected.

Hi,

Our customer has ISE Posturing for their laptops when they are on the VPN and also when they are on the Wired Network. For this, they use AnyConnect 4.8.

 

When they are on the VPN, they connect successfully. The System Scan run successfully and they are complaint and allowed onto the network.

 

When they are on the Wired Network, they get "System Scan: No policy server detected. Default network access is in effect"

 

When I go onto ISE to troubleshoot and put in the MAC address of the client, it cannot find the client. We are not using Client Provisioning as the AnyConnect is deploy via Windows SCCM.

 

I have configured the policy element, posture policy, conditions, remediations and policy sets. I've went through everything in this link "https://community.cisco.com/t5/security-documents/ise-posture-prescriptive-deployment-guide/ta-p/3680273"

 

Is there anything else that I need to do.

 

I am using ISE 3.0.

2 Accepted Solutions

Accepted Solutions

Mike.Cifelli
VIP Alumni
VIP Alumni

Couple of things to consider/try:

-I would strongly recommend upgrading AnyConnect as 4.8 is ancient.

System Scan: No policy server detected. Default network access is in effect

-This can mean a couple of things; I would check how the ISEPostureCFG.xml settings; specifically the call home list and discovery host list.  Perhaps you have misconfigured something there. 

-Ensure that nothing is blocking the posture module discovery probe (firewall/acls in place?)

-Have you generated a DART bundle to view local client AC event viewer logs?

-Have you ran a tcpdump from ISE side to verify traffic is getting there?

 

View solution in original post

Hi @Anthony O'Reilly ,

Note: you can find ISEPostureCFG.XML at

. Microsoft: C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\ISE Posture\
. MAC OS: /opt/cisco/anyconnect/profile/

 1st At Work Centers > Posture > Client Provisioning > Client Provisioning Policy, check the Rule for your Wired Network, attention to the Agent Result

 2nd At Work Centers > Posture > Client Provisioning > Resources, check the Agent Result of "1st", attention to the ISE Posture

 3rd At Work Centers > Posture > Client Provisioning > Resources, check the ISE Posture of "2nd", attention to the Call Home List and Discovery Host.

 

Hope this helps !!!

View solution in original post

14 Replies 14

Mike.Cifelli
VIP Alumni
VIP Alumni

Couple of things to consider/try:

-I would strongly recommend upgrading AnyConnect as 4.8 is ancient.

System Scan: No policy server detected. Default network access is in effect

-This can mean a couple of things; I would check how the ISEPostureCFG.xml settings; specifically the call home list and discovery host list.  Perhaps you have misconfigured something there. 

-Ensure that nothing is blocking the posture module discovery probe (firewall/acls in place?)

-Have you generated a DART bundle to view local client AC event viewer logs?

-Have you ran a tcpdump from ISE side to verify traffic is getting there?

 

Hi Mike,

 

ISe posturing needs to be deployed yesterday so the plan is to upgrade AnyConnect at the start of next year.

 

-This can mean a couple of things; I would check how the ISEPostureCFG.xml settings; specifically the call home list and discovery host list.  Perhaps you have misconfigured something there. 

Where do I find this ISEPostureCFG.xml file. AnyConnect was installed on the client, there were no options to add in call home list etc... Do I download the ISe posturing policy editor and add in the details, save the file as ISEPostureCFG.xml. Where do I put this file?

 

-Ensure that nothing is blocking the posture module discovery probe (firewall/acls in place?)

100% nothing is blocking the traffic from Client to ISE and vice-versa.

 

-Have you generated a DART bundle to view local client AC event viewer logs?

Working on this now.

 

-Have you ran a tcpdump from ISE side to verify traffic is getting there?

Working on this now.

Hi @Anthony O'Reilly ,

Note: you can find ISEPostureCFG.XML at

. Microsoft: C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\ISE Posture\
. MAC OS: /opt/cisco/anyconnect/profile/

 1st At Work Centers > Posture > Client Provisioning > Client Provisioning Policy, check the Rule for your Wired Network, attention to the Agent Result

 2nd At Work Centers > Posture > Client Provisioning > Resources, check the Agent Result of "1st", attention to the ISE Posture

 3rd At Work Centers > Posture > Client Provisioning > Resources, check the ISE Posture of "2nd", attention to the Call Home List and Discovery Host.

 

Hope this helps !!!

Hi Mike,

 

I was missing the client resources and also the ISEPostureCFG.xml

 

All working as expected now.

Mike.Cifelli
VIP Alumni
VIP Alumni

The info @Marcelo Morais shared is accurate

 

You can also create an ISEPostureCFG.xml via the AnyConnect Profile Editor - specifically the ISE Posture Profile Editor and then upload to ISE for deployment and/or manually add it to the respective location on a test client.  Do note though that changes on ISE side to support this would still be required (AnyConnect Config - Profile Selection area).  

 

Any luck with DART bundle logs? I have utilized bundles in the past to point me in the right direction to fix an issue.  

amirminhat
Level 1
Level 1

Hi @Anthony O'Reilly 

 

I am having the same issue. "The System Scan is showing the same status "No Policy Server Detected". We also use a pre-deploy approach via SCCM and install Core-VPN and ISE-Posture module. 

 

But the thing is, when we tried with a Web-Deploy approach with URL redirection, client download the AnyConnect and installed, it is working as expected with the compliance checking and all.

 

This is only happened with the pre-deploy approach. I am not sure why ? 

 

The ISEPostureCFG.xml file were missing in the path C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\”. for both type of deployment approach. But for web-deploy is working but not pre-deploy.

Hi @amirminhat 

 

You need to deploy the ISEPostureCFG.xml file to the device.

 

You can download the Posture policy editor, create the config file and deploy this file to your device(s) via GPO, SCCM or whatever way suits your organisation.

 

The ISE policy editor ( Profile Editor (Windows) tools-anyconnect-win-4.10.03104-profileeditor-k9.msi) is available to download here: 

https://software.cisco.com/download/home/286281283/type/282364313/release/4.10.03104

Hi @Anthony O'Reilly 

 

Thank you for the fast reply. Correct me if im wrong, so the profile editor is to create the config file (.xml) and need to deploy at the folder path C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\. of the client endpoints.

 

Does the .xml file needed to be uploaded on ISE as well ? or just need to be deployed on the client endpoints only. Because from the ISE CPP resources I can only import files with .pkg and .dmg format.

Mike.Cifelli
VIP Alumni
VIP Alumni

FYSA

The ISEPostureCFG.xml goes here on Win clients: C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\ISE Posture

 

Does the .xml file needed to be uploaded on ISE as well ? or just need to be deployed on the client endpoints only. Because from the ISE CPP resources I can only import files with .pkg and .dmg format.

-This all depends on if you use CPP to provision clients.  If you wish to rely on CPP, the profile selection area when configuring an AnyConnect Configuration profile requires that you select an ISE Posture profile to push to clients when hitting a CPP with the respective result.  You have the ability to import .xml files.  Go to Policy->Policy Elements->Results->Client Provisioning->Resources: Click Add: Agent Resources from Local Disk: Customer Created: AnyConnect Profile: <your profile>

HTH!

HI @Mike.Cifelli 

 

I have tried created the ISEPostureCFG.xml using the Profile Editor and uploaded on the headend. Also deployed on the right path on the clients but the issue remains with "No Policy Server Detected". Call home list with the FQDN and Discovery host is the ISE IP address.

 

For your insights, we are trying to implement both types of deployment. 
1st approach. Using Pre-Deploy via SCCM.

2nd appriach. Using Web-Deploy. (this is to cover the remaining clients that are unsuccessfully deployed via SCCM)

 

Do I have to create TWO separate AnyConnect profile on ISE (CPP Resources) ? One is for the pre-deploy by importing customer created package and one more is created directly from the Resources. And how do actually Anyconnect select the profile on ISE and match. And how about the Policy Sets ? Because of the CPP, I have only configured Authorization Rules and Authz Profiles for CPP Redirection, Compliant and Non-Compliant. Because of this, even when we pre-deployed the AnyConnect, it will return the CPP Portal and ask user for download even the AnyConnect is already there. Since the Anyconnect is unable to detect the policy server.

 

Appreciate your ideas on this.

 

Thanks !

Mike.Cifelli
VIP Alumni
VIP Alumni

I am going to try to cover most of the questions.  I strongly recommend taking a peek at the following resources to understand the workflow: ISE Posture Prescriptive Deployment Guide - Cisco Community

 

Do I have to create TWO separate AnyConnect profile on ISE (CPP Resources) ?

-No.  You have the option to manually create it in ISE itself, or via profile editor and the upload method.

 

One is for the pre-deploy by importing customer created package and one more is created directly from the Resources. And how do actually Anyconnect select the profile on ISE and match.

-You only need 1 profile in the respective shared location.

 

And how about the Policy Sets ? Because of the CPP, I have only configured Authorization Rules and Authz Profiles for CPP Redirection, Compliant and Non-Compliant.

-There should be three states.  Unknown, which is what clients are first matched/deemed against, compliant or noncompliant which is the result post assessment.  See shared documentation above.

 

Because of this, even when we pre-deployed the AnyConnect, it will return the CPP Portal and ask user for download even the AnyConnect is already there. Since the Anyconnect is unable to detect the policy server.

-If you wish to eliminate the pop up you can remove the redirect in the authz profile.  However, if clients need to be fully provisioned it is typically recommended to leave as is.

 

Lastly, I would take a client that is having the issue of reaching ISE and generating a DART bundle.  From there check logs to help troubleshoot the issues.  Good luck & HTH!

 

patrick.T.A
Level 1
Level 1

Hello Dear All,

Was someone able to resolve this issue. I am currently facing the exact issue with ise 3.0 patch 4, anyconnect ise posture 4.10 core vpn 4.10 and compliance module 4.3. 

Everything work in webdeploy installation but when coming to predeploy through gpo the anyconnect is not able to found the psn.

 
Could you solve the problem?
What actions did you apply?

abhijit-yadav
Level 1
Level 1

I have same problem but the strange thing is it works absolutely fine with One ISP and also with Mobile Hotspot. However, No Policy Server detected error comes with another ISP at my home which I recently installed for WFH. What could be the difference? Tried fresh latest installation.