ASA VPN SGT propagation of SGT/IP mapping to all corporate firewalls

When a user logs in through SSL VPN (AnyConnect) on an ASA and receives an SGT from ISE, is it possible to propagate the SGT/IP mapping to all other firewalls in the corporate network using SXP? I assume the SSL VPN ASA would be the SXP speaker and all other ASA firewalls would be listeners.

Is there any reason that you wouldn't want to do this, or is it something that is commonly done? Any scaling issues (limit on SXP peers...)?

The goal is to assign an SGT to VPN users and enforce access control on firewalls throughout the corporate network based on the SGT/IP mapping propagated from the VPN firewall. I would prefer not to enable TrustSec on any other device in the network. I was originally going to do identity-based firewall with VPN users, but as far as I can tell it lacks the ability to enforce access by group in a centralized manner.

Thank you,
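The speaker/listener layout described in the question, written out as ASA CLI. This is an added illustration, not configuration from the original post or from Cisco documentation; the addresses, peer names, shared secret, SGT values (100 and 200), subnets and interface name are all assumed. It also assumes the VPN ASA actually populates its local IP-to-SGT table from the ISE RADIUS authorization, since that table is what SXP advertises.

```cisco
! ---- VPN_ASA (SXP speaker): holds the IP->SGT bindings for AnyConnect users
!      learned from ISE authorization and pushes them to listeners over SXP
!      (TCP/64999). All addresses and tag values below are assumed.
cts sxp enable
cts sxp default source-ip 10.0.0.1
cts sxp default password LongSharedSecretHere
! One connection per listening firewall; "mode local speaker" means this ASA speaks.
cts sxp connection peer 10.0.1.1 password default mode local speaker
cts sxp connection peer 10.0.2.1 password default mode local speaker

! ---- DC_ASA (SXP listener): consumes the VPN bindings and enforces by tag.
!      The listener's peer address must equal the speaker's source-ip.
cts sxp enable
cts sxp default source-ip 10.0.1.1
cts sxp default password LongSharedSecretHere
cts sxp connection peer 10.0.0.1 password default mode local listener

! SGT-based policy on the listener. Assumed tags: 100 = VPN employees,
! 200 = VPN contractors. Matching the numeric tag keeps this ASA independent
! of ISE environment data; "security-group name ..." would need that data.
access-list OUTSIDE_IN extended permit tcp security-group tag 100 any 10.10.10.0 255.255.255.0 eq 443
access-list OUTSIDE_IN extended permit tcp security-group tag 200 any host 10.10.10.50 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
```

On each side, confirm the peering with "show cts sxp connections" and check that the VPN user's address appears with the expected tag in "show cts sxp sgt-map"; if the binding never shows up on the speaker's own table, the listeners will have nothing to enforce against regardless of the ACL.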




Hi, I have a very similar question.


Let's say we have the following topology:


RA users are authenticated via RADIUS by ISE; SGT tags are assigned as part of authorization.


I need the ASA to act as an SXP speaker in order to deliver the RA users' SGT tags to ISR_G2, but this doesn't happen :(. I see the SGT tags in "debug radius" on the ASA, but these tags don't appear in the local IP<->SGT binding database, therefore no SXP updates are triggered.


According to the TrustSec compatibility matrix this functionality is supported (

ASA 5520, release 9.1.5