配置状况状态同步并对其进行故障排除

简介

本文档介绍在思科身份服务引擎(ISE)3.1版本中引入的状态同步的配置和使用。

先决条件

要求

Cisco 建议您了解以下主题：

• 思科ISE上的终端安全评估流程
• 在Cisco ISE上配置终端安全评估组件

假设您有状态配置来取代任何类型。

为了更好地了解下文介绍的概念，建议完成以下步骤：

• 思科身份服务引擎管理员指南，版本3.1
• 比较早期的ISE版本与ISE 2.2中的ISE终端安全评估流程
• ISE会话管理和状态

使用的组件

本文档中的信息基于以下软件和硬件版本：

• 思科ISE版本3.1
• 思科安全客户端5.0.00556

本文档中的信息都是基于特定实验室环境中的设备编写的。本文档中使用的所有设备最初均采用原始（默认）配置。如果您的网络处于活动状态，请确保您了解所有命令的潜在影响。

背景信息

ISE终端安全评估流程通常不允许从ISE在客户端更新终端安全评估状态。思科安全客户端状态模块用于评估终端的安全状态，并将其保持到网络更改、定期重新评估或其他客户端触发为止。如果ISE上的终端安全评估状态因会话终止或其他原因而更改，安全客户端安全评估模块可能不知道该更改，因此终端将处于安全评估未知状态，网络访问受限，直到发生其中一个客户端触发。

本文档重点介绍一项新功能 — 终端安全评估状态同步，该功能旨在解决此类问题，并允许ISE向安全客户端终端安全评估模块提供有关终端当前终端安全评估状态的反馈。

配置

默认情况下，当终端安全评估状态同步启用时，会在每个ISE PSN节点上引入终端安全评估状态探测端口 — TCP 8449。如果终端状态为未知(Unknown)或待处理(Pending)，则从终端应该可访问，如果终端状态为兼容(Compliant)，则无法访问。

网络图

配置

状态同步功能配置包括两部分：

1. AnyConnect终端安全评估配置文件配置

1.1在Cisco ISE GUI中，导航到Policy > Policy Elements > Results > Client Provisioning > Resources。 

1.2选择您已使用的AnyConnect终端安全评估配置文件或新建一个配置文件。

1.3在Agent Behavior区域中，将Posture State Synchronization Interval配置为1到300秒之间的任意值，0 — 禁用状态同步

1.4您可以配置终端安全评估探测备份列表 — 安全客户端使用此列表检查选定PSN上的终端安全评估状态。如果不选择任何PSN，则连接的PSN和任意两个备份服务器将用作状态同步的备份。 

2.配置可下载ACL(dACL)，在客户端状态为合规或不合规时阻止对思科ISE上的状态同步端口的访问。您需要为每个PSN的访问控制拒绝条目添加安全评估状态同步端口，该PSN位于用于合规终端的ACL顶部，以限制对安全评估状态同步端口的访问（如果终端状态已知），例如：

deny tcp any host PSN1-IP-ADDRESS eq 8449
deny tcp any host PSN2-IP-ADDRESS eq 8449
permit ip any any

permit ip any any不是必需的，您可以根据需要使用任何规则集替换它。

注意：如果未在dACL中配置deny条目，则在Cisco ISE控制面板上触发状态配置检测警报，并且在终端上禁用状态同步，直到重新启动Cisco Secure Client。

状态同步端口（双向端口）可在客户端调配门户配置页面上更改。导航到管理>设备门户管理>客户端调配>选择所需的门户>门户行为和流量设置并打开门户设置。无法更改默认客户端调配门户的状态同步端口。

验证

从DART套件

通过查看DART捆绑包中的思科安全客户端状态模块日志(AnyConnect_ISEPosture.txt)，可从客户端验证状态同步：

1.状态评估已完成，状态为合规。

2022/11/09 12:22:47 [Information] aciseagent Function: Authenticator::sendUIStatus Thread Id: 0xC60 File: authenticator.cpp Line: 1905 Level: debug  MSG_SU_STEP_STATUS, {Status:4,Compliant:2,RemStatus:2,Phase:0,StepNumber:-1,Progress:-1,Attention:1,Cancellable:0,Restartable:0,ErrorMessage:0,Description1:"Compliant.",Description2:"Network access allowed."}. 

2.状态同步探测已启动。

2022/11/09 12:22:47 [Information] aciseagent Function: PeriodicProbe::ProcessMessage Thread Id: 0xC60 File: periodic_probe.cpp Line: 143 Level: info  Session Sync Periodic Probing start. 
2022/11/09 12:22:47 [Information] aciseagent Function: PeriodicProbe::sessionSyncProbe Thread Id: 0x296C File: periodic_probe.cpp Line: 335 Level: info  Session sync periodic probing thread start. 

3.在终端安全评估状态同步端口(8449)上发起到ISE PSN的HTTPS连接。

2022/11/09 12:22:47 [Information] aciseagent Function: PeriodicProbe::sessionSyncProbe Thread Id: 0x296C File: periodic_probe.cpp Line: 357 Level: debug  Sending http session sync periodic probe to [ISE-PSN-FQDN]. 
2022/11/09 12:22:47 [Information] aciseagent Function: HttpConnection::MakeRequest Thread Id: 0x296C File: httpconnection.cpp Line: 330 Level: debug  Url=https://ISE-PSN-FQDN:8449/auth/StateSynch. 

4.状况状态同步探测超时。

2022/11/09 12:22:54 [Information] aciseagent Function: hs_transport_winhttp_post Thread Id: 0x296C File: hs_transport_winhttp.c Line: 5815 Level: debug  unable to send request: 12002. 
2022/11/09 12:22:54 [Information] aciseagent Function: hs_transport_post Thread Id: 0x296C File: hs_transport.c Line: 1425 Level: trace  posting data failed. 
2022/11/09 12:22:54 [Information] aciseagent Function: PeriodicProbe::sessionSyncProbe Thread Id: 0x296C File: periodic_probe.cpp Line: 394 Level: debug  HTTP Probe failed/timed-out, Retrying... 

从客户端上的数据包捕获

在客户端上捕获的数据包显示在没有来自ISE PSN的SYN-ACK响应的情况下，在终端安全评估状态同步端口(8449)上向ISE PSN节点发送的SYN数据包：

从ISE

无法从ISE端验证正确的终端安全评估状态同步配置，因为终端安全评估状态同步端口(8449)上的连接应该失败。

状态更改时状态重启

1)当思科安全客户端处于“兼容”状态时，已从ISE收到状态为“未知”的会话状态信息。

2022/11/09 12:26:24 [Information] aciseagent Function: dump_http_headers Thread Id: 0x296C File: hs_httpheader.c Line: 430 Level: debug  --- Http Response Headers ---. 
2022/11/09 12:26:24 [Information] aciseagent Function: dump_http_headers Thread Id: 0x296C File: hs_httpheader.c Line: 437 Level: debug  HTTP-Version: 1.1. 
2022/11/09 12:26:24 [Information] aciseagent Function: dump_http_headers Thread Id: 0x296C File: hs_httpheader.c Line: 437 Level: debug  Status-Code: 200. 
2022/11/09 12:26:24 [Information] aciseagent Function: dump_http_headers Thread Id: 0x296C File: hs_httpheader.c Line: 437 Level: debug  Connection: keep-alive. 
2022/11/09 12:26:24 [Information] aciseagent Function: dump_http_headers Thread Id: 0x296C File: hs_httpheader.c Line: 437 Level: debug  Date: Wed, 09 Nov 2022 11:26:24 GMT. 
2022/11/09 12:26:24 [Information] aciseagent Function: dump_http_headers Thread Id: 0x296C File: hs_httpheader.c Line: 437 Level: debug  Keep-Alive: timeout=20. 
2022/11/09 12:26:24 [Information] aciseagent Function: dump_http_headers Thread Id: 0x296C File: hs_httpheader.c Line: 437 Level: debug  Content-Length: 0. 
2022/11/09 12:26:24 [Information] aciseagent Function: dump_http_headers Thread Id: 0x296C File: hs_httpheader.c Line: 437 Level: debug  Server: server. 
2022/11/09 12:26:24 [Information] aciseagent Function: dump_http_headers Thread Id: 0x296C File: hs_httpheader.c Line: 437 Level: debug  X-Frame-Options: SAMEORIGIN. 
2022/11/09 12:26:24 [Information] aciseagent Function: dump_http_headers Thread Id: 0x296C File: hs_httpheader.c Line: 437 Level: debug  Strict-Transport-Security: max-age=31536000; includeSubDomains. 
2022/11/09 12:26:24 [Information] aciseagent Function: dump_http_headers Thread Id: 0x296C File: hs_httpheader.c Line: 437 Level: debug  X-Content-Type-Options: nosniff. 
2022/11/09 12:26:24 [Information] aciseagent Function: dump_http_headers Thread Id: 0x296C File: hs_httpheader.c Line: 437 Level: debug  Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' http://www.cisco.com/ data:;. 
2022/11/09 12:26:24 [Information] aciseagent Function: dump_http_headers Thread Id: 0x296C File: hs_httpheader.c Line: 437 Level: debug  X-XSS-Protection: 1; mode=block. 
2022/11/09 12:26:24 [Information] aciseagent Function: dump_http_headers Thread Id: 0x296C File: hs_httpheader.c Line: 437 Level: debug  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Platform, Sec-CH-UA. 
2022/11/09 12:26:24 [Information] aciseagent Function: dump_http_headers Thread Id: 0x296C File: hs_httpheader.c Line: 437 Level: debug  X-ISE-POSTURE_STATUS: Unknown. 
2022/11/09 12:26:24 [Information] aciseagent Function: dump_http_headers Thread Id: 0x296C File: hs_httpheader.c Line: 442 Level: debug  --------------------. 

2)思科安全客户端确认安全评估状态更改并重新启动安全评估发现：

2022/11/09 12:26:24 [Information] aciseagent Function: PeriodicProbe::sessionSyncProbe Thread Id: 0x296C File: periodic_probe.cpp Line: 379 Level: debug  Different Session state on ISE = [ ISE-PSN-FQDN]. Restarting discovery. 
2022/11/09 12:26:24 [Information] aciseagent Function: PeriodicProbe::sessionSyncProbe Thread Id: 0x296C File: periodic_probe.cpp Line: 387 Level: debug  MSG_NS_SWIFT_RESTART_SEARCH, {manualRescan:0,stopPeriodicProbe:1}. 
2022/11/09 12:26:24 [Information] aciseagent Function: SwiftHttpRunner::restartDiscovery Thread Id: 0xC60 File: swifthttprunner.cpp Line: 1431 Level: debug  Restarting Discovery. 

3)思科安全客户端停止状态同步，直到执行状态评估：

2022/11/09 12:26:24 [Information] aciseagent Function: SwiftHttpRunner::processMessage Thread Id: 0xC60 File: swifthttprunner.cpp Line: 383 Level: debug  Periodic Probes requested to be stopped. 
2022/11/09 12:26:24 [Information] aciseagent Function: SwiftHttpRunner::restartDiscovery Thread Id: 0xC60 File: swifthttprunner.cpp Line: 1436 Level: debug  MSG_PN_STOP_PERIODIC_PROBE sent. 
2022/11/09 12:26:24 [Information] aciseagent Function: SwiftHttpRunner::restartDiscovery Thread Id: 0xC60 File: swifthttprunner.cpp Line: 1437 Level: debug  MSG_PN_STOP_PERIODIC_PROBE, . 
2022/11/09 12:26:24 [Information] aciseagent Function: hs_transport_free Thread Id: 0xC60 File: hs_transport.c Line: 606 Level: trace  de-initialization done. 
2022/11/09 12:26:24 [Information] aciseagent Function: PeriodicProbe::ProcessMessage Thread Id: 0xC60 File: periodic_probe.cpp Line: 210 Level: debug  MSG_PN_STOP_PERIODIC_PROBE received.. 
2022/11/09 12:26:24 [Information] aciseagent Function: PeriodicProbe::ProcessMessage Thread Id: 0xC60 File: periodic_probe.cpp Line: 224 Level: debug  Periodic Probing stopped. 
2022/11/09 12:26:24 [Information] aciseagent Function: PeriodicProbe::sessionSyncProbe Thread Id: 0x296C File: periodic_probe.cpp Line: 411 Level: info  Session sync periodic probing thread end.

故障排除

状况状态同步未启动

如果AnyConnect_ISEPosture.txt日志文件中没有指示状态同步启动，并且客户端不会尝试与状态同步端口(8449)上的ISE PSN节点建立连接，请从DART捆绑包或直接在客户端计算机上检查状态配置文件ISEPostureCFG.xml:“%ProgramData%\Cisco\Cisco Secure Client\ISE Posture\”（对于Windows PC）。

负责状态同步的参数是“StateSyncProbeInterval”，它应设置为大于0的值：

缺少“StateSyncProbeInterval”或值为“0”意味着状态同步被禁用。

如果在ISE上的终端安全评估配置文件中设置了Posture State Synchronization Interval，但它未反映在客户端的配置文件中，则需要调查终端安全评估调配。

安全评估状态同步失败，在ISE控制面板上发出警报

如果ISE上的安全评估状态同步失败并发出警报，这意味着思科安全客户端能够在安全评估状态同步端口(8449)上到达ISE，并请求会话的状态为“兼容”。

• ISE GUI中的警报：

• 从数据包捕获进行验证

在状态同步端口(8449)上建立TCP连接：

• 从思科安全客户端状态模块日志验证

从DART捆绑包检查AnyConnect_ISEPosture.txt:

1)在终端安全评估状态同步端口(8449)上发起到ISE PSN的HTTPS连接。

2022/11/09 12:26:34 [Information] aciseagent Function: PeriodicProbe::sessionSyncProbe Thread Id: 0x2750 File: periodic_probe.cpp Line: 357 Level: debug  Sending http session sync periodic probe to [ISE-PSN-FQDN]. 

2)已从ISE收到状态状态为“兼容”的会话状态信息。

2022/11/09 12:26:34 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2750 File: hs_httpheader.c Line: 430 Level: debug  --- Http Response Headers ---. 
2022/11/09 12:26:34 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2750 File: hs_httpheader.c Line: 437 Level: debug  HTTP-Version: 1.1. 
2022/11/09 12:26:34 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2750 File: hs_httpheader.c Line: 437 Level: debug  Status-Code: 200. 
2022/11/09 12:26:34 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2750 File: hs_httpheader.c Line: 437 Level: debug  Connection: keep-alive. 
2022/11/09 12:26:34 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2750 File: hs_httpheader.c Line: 437 Level: debug  Date: Wed, 09 Nov 2022 11:26:34 GMT. 
2022/11/09 12:26:34 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2750 File: hs_httpheader.c Line: 437 Level: debug  Keep-Alive: timeout=20. 
2022/11/09 12:26:34 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2750 File: hs_httpheader.c Line: 437 Level: debug  Content-Length: 0. 
2022/11/09 12:26:34 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2750 File: hs_httpheader.c Line: 437 Level: debug  Server: server. 
2022/11/09 12:26:34 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2750 File: hs_httpheader.c Line: 437 Level: debug  X-Frame-Options: SAMEORIGIN. 
2022/11/09 12:26:34 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2750 File: hs_httpheader.c Line: 437 Level: debug  Strict-Transport-Security: max-age=31536000; includeSubDomains. 
2022/11/09 12:26:34 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2750 File: hs_httpheader.c Line: 437 Level: debug  X-Content-Type-Options: nosniff. 
2022/11/09 12:26:34 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2750 File: hs_httpheader.c Line: 437 Level: debug  Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' http://www.cisco.com/ data:;. 
2022/11/09 12:26:34 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2750 File: hs_httpheader.c Line: 437 Level: debug  X-XSS-Protection: 1; mode=block. 
2022/11/09 12:26:34 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2750 File: hs_httpheader.c Line: 437 Level: debug  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Platform, Sec-CH-UA. 
2022/11/09 12:26:34 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2750 File: hs_httpheader.c Line: 437 Level: debug  X-ISE-POSTURE_STATUS: Compliant. 
2022/11/09 12:26:34 [Information] aciseagent Function: dump_http_headers Thread Id: 0x2750 File: hs_httpheader.c Line: 442 Level: debug  --------------------. 

3)Posture State Synchronization由于检测到不正确的配置而停止：

2022/11/09 12:26:34 [Error] aciseagent Function: PeriodicProbe::sessionSyncProbe Thread Id: 0x2750 File: periodic_probe.cpp Line: 370 Level: error  Incorrect configuration detected by ISE = [ISE-PSN-FQDN], compliant status is not expected. 
2022/11/09 12:26:34 [Information] aciseagent Function: PeriodicProbe::sessionSyncProbe Thread Id: 0x2750 File: periodic_probe.cpp Line: 371 Level: debug  MSG_PN_STOP_PERIODIC_PROBE, . 
2022/11/09 12:26:34 [Information] aciseagent Function: PeriodicProbe::ProcessMessage Thread Id: 0xC60 File: periodic_probe.cpp Line: 210 Level: debug  MSG_PN_STOP_PERIODIC_PROBE received.. 
2022/11/09 12:26:34 [Information] aciseagent Function: PeriodicProbe::ProcessMessage Thread Id: 0xC60 File: periodic_probe.cpp Line: 224 Level: debug  Periodic Probing stopped. 

无法通过重新启动状况评估或网络更改从思科安全客户端GUI重新启动状况状态同步。相反，需要重新启动Cisco安全客户端，才能再次运行状态同步。

验证为状态“兼容”授权配置文件配置的dACL

1.验证为安全评估“兼容”授权配置文件配置了正确的dACL:

2.验证详细身份验证报告dACL作为“兼容”端点的身份验证结果是否正确发送。

3.验证dACL是否正确应用于网络接入设备：

avakhrus_3560C#sh authe sess int fa0/12 det
            Interface:  FastEthernet0/12
          MAC Address:  0050.56a8.be02
         IPv6 Address:  Unknown
         IPv4 Address:  192.168.255.193
            User-Name:  TRAINING\bob
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
      Restart timeout:  N/A
Periodic Acct timeout:  172800s (local), Remaining: 92111s
       Session Uptime:  1515s
    Common Session ID:  C0A8FF0C00000012679EAF14
      Acct Session ID:  0x00000012
               Handle:  0x5D000005
       Current Policy:  POLICY_Fa0/12

Local Policies:
        Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Server Policies:
              ACS ACL:  xACSACLx-IP-avakhrus_posture_probe_ACL-636b75ac

Method status list:
       Method           State

       mab              Stopped
       dot1x            Authc Success

avakhrus_3560C#sh access-lists | s  xACSACLx-IP-avakhrus_posture_probe_ACL-636b75ac
Extended IP access list xACSACLx-IP-avakhrus_posture_probe_ACL-636b75ac (per-user)
    1 deny tcp any host PSN1-IP-ADDRESS eq 8449
    2 deny tcp any host PSN2-IP-ADDRESS eq 8449
    3 permit ip any any

已知问题

安全评估状态同步失败，ISE上出现警报

即使在网络访问设备上应用正确的dACL到客户端终端，ISE上的状态同步也可能失败，并发出警报。如果Posture State Synchronization Probe的执行速度比dACL的应用速度更快，或者如果应用dACL时已经进行Posture State Synchronization Probe，则会发生这种情况。在Cisco Bug ID CSCwd中调查了此问题58316 .作为解决方法，您需要在Anyconnect终端安全评估配置文件（ISE终端安全评估代理配置文件设置）中将“网络过渡延迟”设置为10秒。