Cisco AnyConnect Secure Mobility Client v2.x Troubleshooting Guide

Components used
The information in this document is based on these software and hardware versions:
• ISE Version 1.2.x
• NAC Agent for ISE Version 4.9.x
• AnyConnect Version 4.0
Note: The information should also be applicable to other releases of ISE unless the release notes indicate
major behavioral changes.
The information in this document was created from the devices in a specific lab environment. All of the
devices used in this document started with a cleared (default) configuration. If your network is live, make sure
that you understand the potential impact of any command.
Troubleshooting Methodology
What makes the agent pop up?
The agent pops up when it discovers an ISE node. If the agent senses that it does not have full network access
and is in a posture redirection scenario, it constantly looks for an ISE node.
There is a Cisco.com document that explains the details of the agent discovery process: Network Admission
Control (NAC) Agent Discovery Process for Identity Services Engine. In order to avoid content duplication,
this document only discusses the key point.
When a client connects, it undergoes a RADIUS authentication (MAC filtering or 802.1x) at the end of which,
ISE returns the redirection Access Control List (ACL) and the redirection URL to the network device (switch,
Adaptive Security Appliance (ASA), or Wireless controller) in order to restrict the client traffic to only allow
it to obtain an IP address and Domain Name Server (DNS) resolutions. All HTTP(S) traffic that comes from
the client is redirected to a unique URL on ISE that ends with CPP (Client Posture and Provisioning), except
traffic destined to the ISE portal itself. The NAC agent sends a regular HTTP GET packet to the default
gateway. If the agent receives no answer, or any answer other than a CPP redirection, it considers itself to have
full connectivity and does not proceed with posturing. If it receives an HTTP response that is a redirection to a
CPP URL at the end of a specific ISE node, then it continues the posture process and contacts that ISE node.
It only pops up and starts the analysis when it successfully receives the posture details from that ISE node.
The NAC agent also reaches out to the configured discovery host IP address (it does not expect more than one
to be configured). It expects to be redirected there as well in order to get the redirection URL with the session
ID. If the discovery IP address is an ISE node, then it does not proceed, because it waits to be redirected in order
to get the right session ID. So the discovery host is usually not needed, but can be useful when set as any IP
address in the range of the redirect ACL in order to trigger a redirection (like in VPN scenarios, for example).
Possible Causes
Redirection Does Not Happen
This is by far the most common cause. In order to confirm or rule it out, open a browser on the PC where the
agent does not pop up and see if you are redirected to the posture agent download page when you type any
URL. You can also type a random IP address such as http://1.2.3.4 in order to avoid a possible DNS issue (if
an IP address redirects but a website name does not, you can look at DNS).
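The decision rule described in the discovery section (a plain HTTP GET to an arbitrary IP; only a redirect to a CPP URL counts) and the manual browser check above can be scripted. The following is an added example, not part of this Cisco document: it classifies an HTTP response the way the agent does and can send the same probe to http://1.2.3.4 without following redirects. The redirect URL form (an ISE portal URL whose query ends in cpp and carries the session ID as a sessionId parameter) and the hostnames are assumptions for illustration.

```python
import http.client
from urllib.parse import urlparse, parse_qs

REDIRECT_CODES = {301, 302, 303, 307, 308}


def classify_discovery_response(status, headers):
    """Apply the agent's rule to one HTTP response to its discovery GET.

    Returns (verdict, ise_node, session_id). Anything that is not a
    redirect to a CPP URL makes the agent assume full connectivity, so it
    will not pop up; a CPP redirect names the ISE node to contact next.
    """
    location = next((v for k, v in headers.items() if k.lower() == "location"), None)
    if status in REDIRECT_CODES and location:
        # The ISE posture redirect URL ends with CPP (Client Posture and Provisioning).
        if location.rstrip("/").lower().endswith("cpp"):
            url = urlparse(location)
            # Assumption: the session ID travels as the "sessionId" query parameter.
            session_id = parse_qs(url.query).get("sessionId", [None])[0]
            return ("posture_redirect", url.hostname, session_id)
    return ("full_connectivity", None, None)


def probe(target="1.2.3.4", timeout=3):
    """Send the agent-style probe: HTTP GET to an arbitrary IP (avoids DNS),
    do not follow redirects, and classify the answer. No answer at all
    (timeout, refused) is reported separately; the agent treats it like
    full connectivity."""
    try:
        conn = http.client.HTTPConnection(target, 80, timeout=timeout)
        conn.request("GET", "/", headers={"Host": target})
        resp = conn.getresponse()
        return classify_discovery_response(resp.status, dict(resp.getheaders()))
    except OSError:
        return ("no_answer", None, None)


# Constructed sample responses (not captured from a real deployment).
SAMPLES = {
    "ise_cpp_redirect": (302, {"Location": "https://ise01.example.com:8443/guestportal/gateway?sessionId=0A0A0A0A0000001A&action=cpp"}),
    "captive_portal": (302, {"Location": "http://hotspot.example.net/login"}),
    "direct_answer": (200, {"Content-Type": "text/html"}),
}

if __name__ == "__main__":
    for name, (status, headers) in SAMPLES.items():
        print(name, "->", classify_discovery_response(status, headers))
```

Run it on the PC where the agent does not pop up; a "full_connectivity" or "no_answer" verdict from `probe()` means the redirect ACL or redirect URL is not being applied to that client, which is the case to investigate first.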