We have 2 VPN sites (US and EMEA), both ASA 5515X. Each site has a WSUS server (US is master, EMEA is downstream).
Via GPO, we have EMEA workstations set to get updates from the EMEA WSUS server. We have the VPN profiles set to roll over if one isn't available.
(So if you try to connect to US and it isn't responding, it automatically tries the EMEA connection, and vice versa.)
We have tested the scenarios where the EMEA VPN itself is down, but the EMEA employees are still able to connect via the US, because the INTERNAL network (and its tunnel to EMEA) is still active.
The problem that arose this weekend was that ALL of the EMEA site was offline, including the WSUS server. So even if EMEA employees connected to the VPN, when the NAC agent checked the WSUS update status, it would time out looking for the EMEA WSUS server.
So, as a workaround, I had to tell ISE not to perform WSUS checking for the EMEA group.
However, this is a manual process, and not acceptable in a 24/7 environment.
Does anyone have suggestions on how to correct this single point of failure? Can you identify a secondary WSUS server on the client so that it tries to talk to both at any given time? Is there some setting in ISE?
Honestly, this ISE implementation has been a HUGE thorn in my side... and it seems just when I think we are able to put it behind us, some other little detail comes out of the woodwork like this. I just want this to work, and make things better and smoother, not keep having little issues and it reflecting badly on myself and co-workers.