Did you get the chance to see the problem on a PC while it's occurring? Does the CCA agent keep refreshing its IP? Check to see if the PC has the IP from the user or auth vlan. If the CCA Agent keeps on re-authenticating and goes into a loop, you might want to block UDP 8905 and 8906 from the user vlan.
Please give us more info in order to determine what is wrong. Finding out what exactly happens at the user level is critical.
If the PC holds the user vlan IP address but gets the "destination host unreachable" ping error, the CAM server might have put the port for the PC back to auth vlan for some reason.
In this case, you can do a DHCP release and renew on the PC, or simply restart the PC. It should get an IP from the auth vlan and go through the CCA authentication and posture assessment. Then you will be good.
One thing you can check to see why the port for the PC went back to auth vlan:
Go to Device Management -> Clean Access -> Certified Devices -> Timer
If you have a scheduled cleanup rule to clear your certified devices, your PCs might be put back to auth vlan. Just edit the rule, and check the box for "Keep Online Users".
If the above is not the cause, find out if there was any unexpected reboot on your access switch, assuming your PC is connected to the port behind an IP phone. This is because your PC didn't lose network connection, but the access layer switch detects a new MAC notification and triggers a switch to auth vlan.
Go to CAM, check Monitoring -> Event Logs -> Log Viewer
Add a filter for text, set "contains", and put in the IP address or the username of one of the PCs that has the problem. See what kind of events have been happening to the PC. This should give you some idea of what's going on.