Cisco Support Community

ISE/NAC posturing - WSUS not available?

We ran into this scenario this weekend.

We have 2 VPN sites (US and EMEA), both ASA 5515X. Each site has a WSUS server (US is master, EMEA is downstream).

Via GPO, we have EMEA workstations set to get updates from the EMEA WSUS server. We have the VPN profiles set to roll over if one isn't available.

(so if you try to connect to US, and it isn't responding it automatically tries the EMEA connection, and vice versa)

We have tested the scenarios where the EMEA VPN itself is down, but the EMEA employees are still able to connect via the US, because the INTERNAL network (and its tunnel to EMEA) is still active.

The problem that arose this weekend was that ALL of the EMEA site was offline, including the WSUS server. So even if EMEA employees connected to the VPN, when the NAC agent checked the WSUS update status, it would time out looking for the EMEA WSUS server.

So, as a workaround I had to tell ISE not to perform WSUS checking for the EMEA group.

However, this is a manual process, and not acceptable in a 24/7 environment.

Does anyone have suggestions on how to correct this single point of failure? Can you identify a secondary WSUS server on the client so that it tries to talk to both at any given time? Is there some setting in ISE?

Honestly, this ISE implementation has been a HUGE thorn in my side... and it seems just when I think we are able to put it behind us, some other little detail comes out of the woodwork like this. I just want this to work, and make things better and smoother, not keep having little issues that reflect badly on myself and my co-workers.
