While testing different Posture scenarios with the Cisco AnyConnect VPN client (version 4.10.05085), I came across an interesting issue. I was using the same PC and was switching test accounts back and forth. I needed to enforce a Posture policy on User1 while letting User2 log in without deploying the AnyConnect Posture module. Once I had successfully tested User1, I tested User2 and uninstalled just the AnyConnect Posture module to save time and confirm it would not be redeployed (posture module deployment was controlled through the Group Policy assignment).
Next, I decided to test User1 again. After the initial connection, the AnyConnect Posture module was redeployed, but I received a “Service is unavailable” error.
This was because the service for some unknown reason did not start. I resolved it by starting the service manually. Next, I disconnected/reconnected and this time I got “No policy server
Since it was all working prior, I started looking. This error usually indicates an issue with the ISEPostureCFG.xml file and Call Home settings. I checked for the file and did not find it present. Even though the AnyConnect Posture module was deployed and running, it would not pull the ISEPostureCFG.xml from ISE.
It turned out ISEPostureCFG.xml is only downloaded on the initial AnyConnect Posture module install, and since the service would not start automatically, the profile never got deployed.
I had to completely remove the AnyConnect client and reinstall it. Only then did the AnyConnect Posture module service start automatically and pull the ISEPostureCFG.xml profile from the ISE node, then continue to the Compliance module installation.