
ISE AnyConnect Posture Scan gets stuck at 10% on Windows Endpoints

sadashivpalde
Level 1

We are facing this issue on multiple Windows endpoints. If we log in with a domain user, the posture scan gets stuck at 10%. Posture conditions are in Audit mode.

But when we log in with a local user or admin user on the same machine, we are able to complete the posture scan and get access.

We are using ISE 2.1 Patch 3, AnyConnect 4.3.05017 & AnyConnect Windows Compliance Module 3.6.11017.2

5 Replies

Did you ever get this resolved? I have an ISE 2.2 install where the posture module gets stuck at 30% when the machine is not compliant & scanning. AC v4.4.x - I'll have to get the compliance module version.

This is expected. The Posture will stay at 30% if the compliance check fails, waiting for the user to remediate. It will then time out after the remediation timeout period.

Since you are using the ISE 2.2 version, you should look at using Posture in stealth mode with the latest compliance module and AnyConnect 4.4 version. This provides a better user experience for ISE Posture compliance failures. This is explained here:

http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect44/administration/guide/b_AnyConnect_Administrator_Guide_4-4/configure-posture.html#reference_5328396A402F4ACF8C7F0F78C7902825

Has this been resolved? I am experiencing a similar issue - our configuration is with manual remediation. Should it be that AnyConnect will have a pop-up window for the action required and not be stuck at system scan?

If the endpoint is not compliant then the user will get a popup with the message which is configured as part of results.

Mike.Cifelli
VIP Alumni

I also had this issue recently.  I worked with TAC quite a bit.  Here are some steps we took that have seemed to fix/quiet the 10% hang issue:

- Upgrade compliance module on clients to latest version
- Upgrade AnyConnect to newer version including all modules (specifically for this case the posture/compliance modules of course)
- Determine if any AV/security software is causing the hung module; test accordingly
- Review posture checks and test one by one to determine if there is a check that is causing the delay

While testing we actually figured out that reseating the cable if on wired or toggling adapter for wireless seemed to speed up the 10% hang issue.  Some of our admins even went as far as modifying user profiles on respective machines which also alleviated the issue.

Lastly, for anyone facing this issue I strongly suggest working with TAC as they have an internal tool you can get to aid in gathering more intel from troubled clients. HTH!
