Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1018
Views
0
Helpful
2
Replies

ISE 2.1 RTC with FP6.1 - No Unquarantine Action

Go to solution
scamarda
Cisco Employee
Cisco Employee

‎02-01-2017 05:30 AM

Testing RTC with FP6.1 and ISE 2.1.  I can successfully quarantine a host using FP6.1 Correlation.  I see the entry in the ISE livelog and the CoA / Policy Change to the local switch.  When I try to unquarantine the device through the FP Correlation method, I see the Correlation event in the Firesigth console but there is no response/indication from ISE. I do not see the CoA and there is no entry in the Livelog.  I can manually unquarantine the device by using the MAC address in the ANC menu. 

I do not have a specific unquarantine rule in the policy set.  Just the quarantine rule as an exception.  I do have an ANC policy that will provide a portBounce when an Unquarantine event is received.  I followed the ISE pxGrid manual posted to the community and it mentions creating the Firepower Unquarantine correlation policy but does not mention about configuring any unquarantine policies in ISE.  So I only have the Quarantine policy configured in ISE.

I looked at the pxGrid logs and did not see any recognizable errors related to the unquarantine event.

Any suggestions on what I can look at next?

Thanks.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
jeppich
Cisco Employee
Cisco Employee

‎02-03-2017 11:06 AM

Hi,

You should have an unquarantine correlation policy and unquarantine correlation rule to in FMC 6.1 to unquarantine the endpoint.  If this is not working check the unquarantine condition rule and also check the unquarantine remediation rule is set to source ip address.  We can setup a webex, to diagnose further.

Let me  know what days and times work for you.

Thanks,

John

jeppich@cisco.com

View solution in original post

0 Helpful
2 Replies 2

Go to solution
kthiruve
Cisco Employee
Cisco Employee

‎02-02-2017 09:53 AM

Hi,

I have reached out to the SME for an answer.

Thanks

Krishnan

0 Helpful

Go to solution
jeppich
Cisco Employee
Cisco Employee

‎02-03-2017 11:06 AM

Hi,

You should have an unquarantine correlation policy and unquarantine correlation rule to in FMC 6.1 to unquarantine the endpoint.  If this is not working check the unquarantine condition rule and also check the unquarantine remediation rule is set to source ip address.  We can setup a webex, to diagnose further.

Let me  know what days and times work for you.

Thanks,

John

jeppich@cisco.com

0 Helpful
Customers Also Viewed These Support Documents