Cisco AnyConnect Secure Mobility Client v2.x Troubleshooting Guide

not match, so it is a good idea to troubleshoot them one by one.
Remember that, regarding the redirect ACL, Cisco IOS® redirects on permit statements (so the ISE and DNS IP addresses need to be denied), while AireOS on the WLC redirects on deny statements (so ISE and DNS traffic must be permitted).
Attributes Are in Place But Network Device Does Not Redirect
The major cause in this case is a configuration issue. You should review the configuration of the network device against the configuration guide and configuration examples on Cisco.com. When the device configuration is at fault, the problem typically exists throughout all ports or access points (APs) of the network device. If the problem only occurs on some switchports or some APs, you should compare the configuration of those where the problem occurs with the ports or APs where the posture works fine.
FlexConnect APs are sensitive because each can have a unique configuration, and it is easy to make a mistake in an ACL or a VLAN on some APs and not others.
Another common problem is that the client VLAN does not have an SVI. This only applies to switches and is discussed in detail in ISE Traffic Redirection on the Catalyst 3750 Series Switch. In this case everything might still look good from the attributes perspective.
Interfering Downloadable Access-list (DACL)
If, at the same time as the redirection attributes, you push a DACL back to the switch (or an Airespace-ACL for a wireless controller), then it could block your redirection. The DACL is applied first and determines what is dropped outright and what goes on to be processed. Then the redirect ACL is applied and determines what is redirected.
What this concretely means is that, most of the time, you will want to permit all HTTP and HTTPS traffic in your DACL. If you block it, it will not be redirected, since it is dropped before that point. This is not a security concern, because that traffic is then caught by the redirect ACL and redirected, so it is not really allowed onto the network; however, you need to permit those two types of traffic in the DACL in order for them to have a chance to hit the redirect ACL right after.
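The following is an added example (not part of the original guide or any Cisco code) that models the two-stage evaluation described above, together with the IOS-versus-AireOS redirect semantics noted earlier: a flow first passes the DACL (or Airespace-ACL), and only a forwarded flow is then tested against the redirect ACL. The ISE and DNS addresses, the rule tuples and the sample flows are all constructed placeholders.

```python
# Model of DACL-then-redirect-ACL evaluation (constructed example, not Cisco's own code).
# Rule format: (action, protocol, destination host or None for "any", destination port or None).
# Like a real ACL, the first matching rule wins and an unmatched flow hits the implicit deny.
ISE_IP = "10.0.0.10"   # constructed placeholder for the ISE policy service node
DNS_IP = "10.0.0.53"   # constructed placeholder for the DNS server


def first_match(acl, proto, dst, port):
    """Return the action of the first rule matching the flow, or 'deny' (implicit deny)."""
    for action, r_proto, r_host, r_port in acl:
        if r_proto not in ("ip", proto):
            continue
        if r_host is not None and r_host != dst:
            continue
        if r_port is not None and r_port != port:
            continue
        return action
    return "deny"


# Redirect ACL in the Cisco IOS style: redirect happens on PERMIT, so ISE and DNS are denied.
IOS_REDIRECT_ACL = [
    ("deny", "udp", None, 53),
    ("deny", "ip", ISE_IP, None),
    ("permit", "tcp", None, 80),
    ("permit", "tcp", None, 443),
]
# Same intent for AireOS on the WLC: redirect happens on DENY, so ISE and DNS are permitted.
AIREOS_REDIRECT_ACL = [
    ("permit", "udp", None, 53),
    ("permit", "ip", ISE_IP, None),
    ("deny", "tcp", None, 80),
    ("deny", "tcp", None, 443),
]
# A DACL that forgets web traffic (the implicit deny drops HTTP/HTTPS before the redirect ACL
# ever sees it), beside one that lets HTTP/HTTPS through to be redirected.
BAD_DACL = [("permit", "udp", None, 53), ("permit", "ip", ISE_IP, None)]
GOOD_DACL = BAD_DACL + [("permit", "tcp", None, 80), ("permit", "tcp", None, 443)]


def outcome(dacl, redirect_acl, platform, proto, dst, port):
    """Return 'dropped', 'redirected' or 'forwarded' for one web, DNS or ISE-bound flow."""
    if first_match(dacl, proto, dst, port) == "deny":
        return "dropped"  # the DACL is applied first; nothing downstream sees the flow
    verdict = first_match(redirect_acl, proto, dst, port)
    redirect_on = "permit" if platform == "ios" else "deny"  # IOS vs AireOS semantics
    return "redirected" if verdict == redirect_on else "forwarded"
```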
Bad NAC Agent Version
It is easy to forget that specific NAC agent versions are validated against specific versions of ISE. Many administrators upgrade their ISE cluster and forget to upload the matching NAC agent version to the client provisioning results database.
If you use an outdated NAC agent version for your ISE code, be aware that it might work, but it also might not, so it is no surprise that some clients work and others do not. One way to verify is to go to the Cisco.com download section of your ISE version and check which NAC agent versions are listed there. Typically several are supported for each ISE version. This web page gathers all the matrices: Cisco ISE Compatibility Information.
HTTP Web Proxy Is in Use by Clients
The concept of an HTTP web proxy is that clients neither resolve website DNS IP addresses themselves nor contact the websites directly; rather, they simply send their request to the proxy server, which handles it.
The typical problem with a usual configuration is that the client requests a website (such as www.cisco.com) by sending the HTTP GET for it directly to the proxy. That request is intercepted and rightfully redirected to the ISE portal. However, instead of then sending the next HTTP GET to the ISE portal IP address, the client continues to send that request to the proxy.