ISE 3.1 Call Home List configuration not working

kylerossd
Level 4

Hello,

I have always done ISE deployments with redirections for posture.  I have been working in the lab for many hours now trying to solve why I cannot get my AnyConnect client to report compliance to ISE with the call-home functionality.  I have created the ISEPostureCFG.xml file and installed it in the correct folder.  However, the ISE posture module just says that a policy server cannot be found.

<?xml version="1.0" encoding="UTF-8"?>
<cfg
	xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
	xmlns='http://www.cisco.com/nac/agent/config-1.0'
	xsi:schemaLocation='http://www.cisco.com/nac/agent/config-1.0 ISEPostureCFG.xsd'>
	<configName>ISEPostureCFG.xml</configName>
	<NacAnyConnectDrpDown>AnyConnectAgent</NacAnyConnectDrpDown>
	<BackOffTimerLimit>30</BackOffTimerLimit>
	<LogTrace>0</LogTrace>
	<CwaByodMaxTimeout>90</CwaByodMaxTimeout>
	<RetransmissionLimit>4</RetransmissionLimit>
	<PingMaxTimeout>1</PingMaxTimeout>
	<RetransmissionDelay>60</RetransmissionDelay>
	<StealthMode>0</StealthMode>
	<EnableNonRedirectionFlow>1</EnableNonRedirectionFlow>
	<DisableEDRInternetCheck>0</DisableEDRInternetCheck>
	<ServerNameRules>*</ServerNameRules>
	<OperateOnNonDot1XWireless>1</OperateOnNonDot1XWireless>
	<DhcpRenewDelay>1</DhcpRenewDelay>
	<CallHomeList>ise.echoplex.io</CallHomeList>
	<LogFileSize>5</LogFileSize>
	<PRARetransmissionTime>120</PRARetransmissionTime>
	<EnableAgentIpRefresh>1</EnableAgentIpRefresh>
	<DartCount>3</DartCount>
	<CwaByodProbingInterval>5</CwaByodProbingInterval>
	<PingArp>0</PingArp>
	<DhcpReleaseDelay>4</DhcpReleaseDelay>
	<StealthWithNotification>0</StealthWithNotification>
	<SignatureCheck>0</SignatureCheck>
	<DiscoveryHost>www.google.com</DiscoveryHost>
	<StateSyncProbeInterval>0</StateSyncProbeInterval>
	<EnableRescanButton>1</EnableRescanButton>
	<VlanDetectInterval>0</VlanDetectInterval>
	<DisableUAC>0</DisableUAC>
	<PeriodicProbing>30</PeriodicProbing>
</cfg>

I have collected the DART file information.  It is talking to the ISE server that I set up in the ISEPostureCFG.xml file, but for whatever reason it seems to error out.  DART log file info:


2023/04/18 23:33:33 [Information] aciseagent Function: SMNav::logTransition Thread Id: 0x1B1C File: smnav.cpp Line: 167 Level: info  New State = SW_UNKNOWN, New Event = EV_NO_EVENT  . 
2023/04/18 23:33:33 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2004 File: hs_httpheader.c Line: 430 Level: debug  --- Http Response Headers ---. 
2023/04/18 23:33:33 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2004 File: hs_httpheader.c Line: 437 Level: debug  HTTP-Version: 1.1. 
2023/04/18 23:33:33 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2004 File: hs_httpheader.c Line: 437 Level: debug  Status-Code: 200. 
2023/04/18 23:33:33 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2004 File: hs_httpheader.c Line: 437 Level: debug  Connection: keep-alive. 
2023/04/18 23:33:33 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2004 File: hs_httpheader.c Line: 437 Level: debug  Date: Wed, 19 Apr 2023 04:32:42 GMT. 
2023/04/18 23:33:33 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2004 File: hs_httpheader.c Line: 437 Level: debug  Keep-Alive: timeout=20. 
2023/04/18 23:33:33 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2004 File: hs_httpheader.c Line: 437 Level: debug  Content-Length: 25. 
2023/04/18 23:33:33 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2004 File: hs_httpheader.c Line: 437 Level: debug  Server: server. 
2023/04/18 23:33:33 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2004 File: hs_httpheader.c Line: 437 Level: debug  X-Frame-Options: SAMEORIGIN. 
2023/04/18 23:33:33 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2004 File: hs_httpheader.c Line: 437 Level: debug  Strict-Transport-Security: max-age=31536000; includeSubDomains. 
2023/04/18 23:33:33 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2004 File: hs_httpheader.c Line: 437 Level: debug  X-Content-Type-Options: nosniff. 
2023/04/18 23:33:33 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2004 File: hs_httpheader.c Line: 437 Level: debug  Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' http://www.cisco.com/ data:;. 
2023/04/18 23:33:33 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2004 File: hs_httpheader.c Line: 437 Level: debug  X-XSS-Protection: 1; mode=block. 
2023/04/18 23:33:33 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2004 File: hs_httpheader.c Line: 437 Level: debug  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Platform, Sec-CH-UA. 
2023/04/18 23:33:33 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2004 File: hs_httpheader.c Line: 437 Level: debug  X-ISE-PDP: ise.echoplex.io. 
2023/04/18 23:33:33 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2004 File: hs_httpheader.c Line: 437 Level: debug  X-ISE-POSTURE: /auth/perfigo_validate.jsp. 
2023/04/18 23:33:33 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2004 File: hs_httpheader.c Line: 437 Level: debug  X-ISE-POSTURE_PORT: 8905. 
2023/04/18 23:33:33 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2004 File: hs_httpheader.c Line: 437 Level: debug  X-ISE-AC_PKG_PORT: 8905. 
2023/04/18 23:33:33 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2004 File: hs_httpheader.c Line: 437 Level: debug  X-ISE-GUESTFLOW: false. 
2023/04/18 23:33:33 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2004 File: hs_httpheader.c Line: 437 Level: debug  X-ISE-AC_CONFIG_URL: https://ise.echoplex.io:8905/auth/anyconnect?uuid=c674f9c2-073c-429c-b745-3c9cea739e81. 
2023/04/18 23:33:33 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2004 File: hs_httpheader.c Line: 437 Level: debug  X-ISE-AC_CONFIG_URI: /auth/anyconnect?uuid=c674f9c2-073c-429c-b745-3c9cea739e81. 
2023/04/18 23:33:33 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2004 File: hs_httpheader.c Line: 437 Level: debug  X-ISE-AC_PKG_URL: https://ise.echoplex.io:8905/auth/provisioning/download/e983290e-13de-4740-a75b-11ed663cf009. 
2023/04/18 23:33:33 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2004 File: hs_httpheader.c Line: 437 Level: debug  X-ISE-AC_PKG_URI: /auth/provisioning/download/e983290e-13de-4740-a75b-11ed663cf009. 
2023/04/18 23:33:33 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2004 File: hs_httpheader.c Line: 437 Level: debug  X-ISE-AC_PKG_VER: 4.10.6090.0. 
2023/04/18 23:33:33 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2004 File: hs_httpheader.c Line: 437 Level: debug  X-ISE-STATUS_PATH: /auth/status. 
2023/04/18 23:33:33 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2004 File: hs_httpheader.c Line: 437 Level: debug  X-ISE-SessionId: c0a8020aQGyhDwg1HGGXhDS5vAt7DBIfruvrcHGe/z9wYjItozM. 
2023/04/18 23:33:33 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2004 File: hs_httpheader.c Line: 437 Level: debug  X-ISE-PostureDomain: posture_domain. 
2023/04/18 23:33:33 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2004 File: hs_httpheader.c Line: 437 Level: debug  X-ISE-POSTURE_STATUS: Unknown. 
2023/04/18 23:33:33 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2004 File: hs_httpheader.c Line: 442 Level: debug  --------------------. 
2023/04/18 23:33:33 [Information] aciseagent Function: Target::fetchPostureStatus Thread Id: 0x2004 File: target.cpp Line: 464 Level: debug  POST request to URL (https://ise.echoplex.io:8905/auth/ng-discovery), returned status 0 <Operation Success.>, stage 2. 
2023/04/18 23:33:33 [Information] aciseagent Function: HttpConnection::getHeader Thread Id: 0x2004 File: httpconnection.cpp Line: 842 Level: debug  Failed to retrieve http header X-ISE-PDP-WITH-SESSION. 
2023/04/18 23:33:33 [Information] aciseagent Function: HttpConnection::getHeader Thread Id: 0x2004 File: httpconnection.cpp Line: 842 Level: debug  Failed to retrieve http header X-ISE-PDPS-IN-DEPLOYMENT. 
2023/04/18 23:33:33 [Information] aciseagent Function: HttpConnection::getHeader Thread Id: 0x2004 File: httpconnection.cpp Line: 842 Level: debug  Failed to retrieve http header X-ISE-POSTURE-NO-SESSION. 
2023/04/18 23:33:33 [Information] aciseagent Function: HttpConnection::getHeader Thread Id: 0x2004 File: httpconnection.cpp Line: 842 Level: debug  Failed to retrieve http header X-ISE-PROBE-STATUS. 
2023/04/18 23:33:33 [Information] aciseagent Function: HttpConnection::getHeader Thread Id: 0x2004 File: httpconnection.cpp Line: 842 Level: debug  Failed to retrieve http header X-ISE-PRA_CONFIG. 
2023/04/18 23:33:33 [Information] aciseagent Function: HttpConnection::getHeader Thread Id: 0x2004 File: httpconnection.cpp Line: 842 Level: debug  Failed to retrieve http header X-ISE-NG_DISCOVERY_PATH. 
2023/04/18 23:33:33 [Information] aciseagent Function: HttpConnection::getHeader Thread Id: 0x2004 File: httpconnection.cpp Line: 842 Level: debug  Failed to retrieve http header X-ISE-BACKUP_SERVERS. 
2023/04/18 23:33:33 [Information] aciseagent Function: Target::probeRecentConnectedHeadEnd Thread Id: 0x2004 File: target.cpp Line: 556 Level: debug  Posture status for Ng-Discovery target ise.echoplex.io with path /auth/ng-discovery is (Unknown).. 
2023/04/18 23:33:33 [Information] aciseagent Function: Target::Probe Thread Id: 0x2004 File: target.cpp Line: 212 Level: debug  Status of Ng-Discovery target ise.echoplex.io with path /auth/ng-discovery is 1 <Server is found.>. 
2023/04/18 23:33:34 [Information] aciseagent Function: hs_transport_winhttp_get Thread Id: 0x4990 File: hs_transport_winhttp.c Line: 4829 Level: debug  unable to send request: 12002. 
2023/04/18 23:33:34 [Information] aciseagent Function: Target::probeDiscoveryUrl Thread Id: 0x4990 File: target.cpp Line: 261 Level: debug  GET request to URL (http://enroll.cisco.com/auth/discovery), returned status -1 <Operation Failed.>. 
2023/04/18 23:33:34 [Information] aciseagent Function: Target::Probe Thread Id: 0x4990 File: target.cpp Line: 212 Level: debug  Status of Redirection target enroll.cisco.com is 6 <Not Reachable.>. 

At this point I am not sure where I am supposed to look next to resolve this issue.  Any hints would be great.

 


Nancy Saini
Cisco Employee

What is the behavior seen on AnyConnect?

I see the HTTPS probe to ISE is passing:

debug  POST request to URL (https://ise.echoplex.io:8905/auth/ng-discovery), returned status 0 <Operation Success.>

Cross-check the pointers below from the client while it is connected:

  • nslookup to ise.echoplex.io is giving the right IP address.
  • telnet to ISE IP on TCP 8905

I would suggest opening a TAC case.
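
An added example, not part of the thread and not Cisco tooling: a small Python triage of aciseagent lines like those in the DART excerpt above, pulling out the discovery response headers, the headers the agent could not find, and each probe target's result. The sample lines are copied from the post; the regular expressions are assumptions fitted to the line layout of that excerpt.

```python
import re

# Subset of the aciseagent lines in the DART excerpt from the original post.
SAMPLE = """\
2023/04/18 23:33:33 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2004 File: hs_httpheader.c Line: 437 Level: debug  Status-Code: 200.
2023/04/18 23:33:33 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2004 File: hs_httpheader.c Line: 437 Level: debug  X-ISE-POSTURE_PORT: 8905.
2023/04/18 23:33:33 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2004 File: hs_httpheader.c Line: 437 Level: debug  X-ISE-POSTURE_STATUS: Unknown.
2023/04/18 23:33:33 [Information] aciseagent Function: HttpConnection::getHeader Thread Id: 0x2004 File: httpconnection.cpp Line: 842 Level: debug  Failed to retrieve http header X-ISE-PDP-WITH-SESSION.
2023/04/18 23:33:33 [Information] aciseagent Function: HttpConnection::getHeader Thread Id: 0x2004 File: httpconnection.cpp Line: 842 Level: debug  Failed to retrieve http header X-ISE-BACKUP_SERVERS.
2023/04/18 23:33:33 [Information] aciseagent Function: Target::Probe Thread Id: 0x2004 File: target.cpp Line: 212 Level: debug  Status of Ng-Discovery target ise.echoplex.io with path /auth/ng-discovery is 1 <Server is found.>.
2023/04/18 23:33:34 [Information] aciseagent Function: Target::Probe Thread Id: 0x4990 File: target.cpp Line: 212 Level: debug  Status of Redirection target enroll.cisco.com is 6 <Not Reachable.>.
"""

# Everything after "Level: <word>" is the message the agent logged.
LINE = re.compile(r"Function: (\S+) Thread Id: \S+ File: \S+ Line: \d+ Level: \w+\s+(.*)$")
HEADER = re.compile(r"([A-Za-z][\w-]*): (.*)$")
MISSING = re.compile(r"Failed to retrieve http header (\S+)$")
PROBE = re.compile(r"Status of (\S+) target (\S+)(?: with path \S+)? is (\d+) <([^>]*)>$")


def triage(log_text):
    """Summarise discovery headers and probe results from aciseagent log text."""
    report = {"headers": {}, "missing": [], "probes": []}
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # not an aciseagent line in the expected layout
        func, msg = m.group(1), m.group(2).strip()
        if msg.endswith("."):  # each logged message ends with one extra "."
            msg = msg[:-1]
        if func == "dump_http_headers" and (h := HEADER.match(msg)):
            report["headers"][h.group(1)] = h.group(2)
        elif mm := MISSING.match(msg):
            report["missing"].append(mm.group(1))
        elif p := PROBE.match(msg):
            report["probes"].append((p.group(1), p.group(2), int(p.group(3)), p.group(4)))
    return report


if __name__ == "__main__":
    result = triage(SAMPLE)
    for kind, host, code, text in result["probes"]:
        print(f"{kind:13} {host:20} {code} {text}")
    print("posture status:", result["headers"].get("X-ISE-POSTURE_STATUS"))
    print("headers not returned:", ", ".join(result["missing"]))
```
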

It resolves correctly.  I actually removed AnyConnect and re-installed it.  Added in the ISEPostureCFG again.  Restarted the ISP Posture service and boom, it connected.  However, it failed the downloader.  So I removed it again, changed the compliance module to a version below it.  After this it stopped connecting.  So frustrating.

What is the version of ISE, AnyConnect and Compliance module in your setup?