This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

END_SYSTEM_UNREACHABLE error in NAC

END_SYSTEM_UNREACHABLE error in NAC

Juan_Battaglino
New Contributor

‎12-23-2015 12:32 PM

Hi! I'm doing some labs with the Netsight and Nac appliances. The problem comes when I try to deploy an agent-less informational assessment managed by a profile which maps to a "Assessing" vlan while assessing, a "Quarantine" vlan in order to put the end-system in quarantine and an internal vlan for the accept policy.
Please, correct me if I'm wrong, but the way I think it should work is that while the end-system is being scanned, this end-system is assigned to the Assessing vlan and the assessment server should reach him just to start the scoring tests. But, in order to do that, the end-system should receive a new IP (dhcp needed?) while it's assigned to the Assessing vlan and it should be able to reach the assessment server by its gateway. So the question is, should I need to enable the ipforwarding command between all vlans and how do I receive a new IP for the end-systems while assigned to the Assessing vlan? If I enable the ipforwarding option, the quarantine could be able to reach anywhere but it should be limited by the upm profile assigned to it right? These things come up to my mind because I'm getting the END_SYSTEM_UNREACHABLE error.

Thanks in advance
0 Kudos
9 REPLIES 9

Ronald_Dvorak
Honored Contributor

‎01-21-2016 03:55 PM

In the end-system tab righ click on the client and select "configuration evaluation tool" and then on "run evaluation" to see why the client is passing the accept rule AND failed the quarantine rule.

This will give you an idea how to change the rule set to get the correct behavior.

-Ron
0 Kudos

Juan_Battaglino
New Contributor

‎01-21-2016 03:48 PM

Even though it shows "Assessment" Scan Complete Assessment agent is not running or has not connected to server" and "Agent Not Connected To Server", I get the accept policy (maybe because it's authenticated via MAC?).. it should put me under the quarantine policy to reach out the NAC portal page.

0 Kudos

Matthew_Hum1
Extreme Employee

‎01-21-2016 03:12 PM

Does the end system state show quarantine on the end user?

if you tcpdump the NAC gateway's interface, do you see the http requests coming from the client? if not, then you will need to revisit your PBR rules. I'm not sure what you are using for routers, but check to ensure that those rules are working.
0 Kudos

Juan_Battaglino
New Contributor

‎01-21-2016 01:49 PM

Yes, the error shows in the End Systems Table. I have a policy called Assessment, which has an catch-all condition. The assessment policy and the quarantine policy puts the end user into a "Not Authorized" vlan, which permits the primary ports you've talked about, and the end users get placed right into that vlan. I'm thinking that maybe it's a PBR issue.
0 Kudos
GTM-P2G8KFN