1700 Views, 15 Helpful, 2 Replies

SGT assignment on C9300

Hi Gents

I've set up a campus with ISE-driven SGTs (not SXP). The campus's NADs and FW are configured for TrustSec on ISE. They get authorized and pushed back with the SGT map configured only for this campus on ISE. Something like the below is visible on the switches with "sho cts role-based sgt-map all":

...

10.225.10.0/26 7 CLI
...
10.225.10.128/26 5 CLI

...

The FW (ASA), which is the L3 GW for most of the subnets, also has a table of SGTs from ISE (but without IP mapping, which is strange but not relevant to my main problem).

The problem: with a capture on the FW-facing port channel I intercepted the traffic of interest and noticed an interesting thing:

In most cases I can see the SGT tag added to the source packet as expected (I believe it's done by the access switch of the endpoint). E.g. I can see packets sourced from 10.225.10.132 having SGT==5. BUT... in some packets I can see SGT==0 for a similar packet (meaning that src & dst IPs & ports are the same)...

SGT assignment is not enforced on ISE in the AuthZ profiles yet. But the switches seem to be assigning SGTs already based on the tables they have.

All interconnects between network HW are configured with "cts manual" to carry frames with SGT.

Can anybody explain this behavior to me, please?


UPD1: I just checked other sources and found that there are some subnets getting SGT==0 assigned all the time, which is actually expected from my POV.

I'm curious...

UPD2: after some investigation I've found that my core C9500 does the following:

If it receives a frame without metadata (because the interconnect to the access switch is not configured for CTS), it adds a metadata field to the egress frame with the SGT assigned according to the SGT map it receives from ISE.

any clues?
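The following is an added illustration, not code from the original post or from Cisco: it models the classification behaviour described in UPD2 with a small Python script. It parses "show cts role-based sgt-map all" style lines into an IP-to-SGT table, does a longest-prefix lookup, and then models a core switch's egress decision: a frame that arrived untagged (no CMD header, because the ingress link is not CTS-enabled) is classified from the IP-SGT table, while a frame that arrived with an inline tag on a trusted link keeps that tag. The sample table is constructed from the two prefixes quoted in the post plus one made-up prefix; the `trust_inline` switch is an assumption standing in for whatever re-classification policy the receiving device has, and SGT 0 is used as TrustSec's "Unknown" value.

```python
import ipaddress
from typing import Optional

# Constructed sample modelled on the "sho cts role-based sgt-map all" output
# quoted in the post (prefix, SGT, source). The /24 line is made up.
SGT_MAP_OUTPUT = """
...
10.225.10.0/26 7 CLI
...
10.225.10.128/26 5 CLI
10.225.20.0/24 10 CLI
...
"""

SGT_UNKNOWN = 0  # TrustSec reserves SGT 0 for "Unknown"


def parse_sgt_map(text: str) -> dict:
    """Parse 'prefix sgt source' lines into {IPv4Network: sgt}.

    Lines that do not start with a valid prefix and integer SGT (headers,
    '...' separators) are skipped.
    """
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            net = ipaddress.ip_network(parts[0], strict=False)
            sgt = int(parts[1])
        except ValueError:
            continue
        table[net] = sgt
    return table


def lookup_sgt(table: dict, ip: str) -> int:
    """Longest-prefix match of ip against the IP-SGT table; 0 if nothing matches."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, sgt in table.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, sgt)
    return best[1] if best else SGT_UNKNOWN


def egress_sgt(table: dict, src_ip: str, inline_sgt: Optional[int],
               trust_inline: bool = True) -> int:
    """Model (assumption) of the core's egress tagging toward a 'cts manual' link.

    inline_sgt is None when the frame arrived with no metadata, i.e. on an
    interconnect that is not configured for CTS. Such frames are classified
    from the IP-SGT table. A frame that already carries a tag keeps it when
    the ingress link is trusted; with trust_inline=False it is re-classified
    from the table instead.
    """
    if inline_sgt is None or not trust_inline:
        return lookup_sgt(table, src_ip)
    return inline_sgt


if __name__ == "__main__":
    table = parse_sgt_map(SGT_MAP_OUTPUT)
    # Same source IP, two different arrival conditions (constructed):
    # untagged on a non-CTS link vs. tagged SGT 0 on a trusted CTS link.
    print(egress_sgt(table, "10.225.10.132", None))  # classified from the map
    print(egress_sgt(table, "10.225.10.132", 0))     # inline tag propagated
```

Under this model, the two packets with identical IPs and ports but different SGTs in the capture would be explained by their arrival condition at the core rather than by the IP-SGT table: an untagged frame gets the mapped SGT, while a frame that some upstream device already tagged as 0 keeps that 0 if the core trusts the inline tag. That is one consistent reading of the observation, not a diagnosis of this particular network; confirming it means checking which devices apply re-classification, as the accepted answer suggests.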

Accepted Solution

jeaves@cisco.com
Cisco Employee

It all depends on what re-classification you have within the receiving network device. As per the other community post, if you email me we could organise a chat.
