Thanks MC for reverting.

No, the user PC is configured with our internal DNS servers.

One of my user need my help in getting access to URL hosted in AWS from this PC and i provided the access in Cisco ASA (FQDN access)...but he is facing Intermittent connectivity issue and after some troubleshooting we came to the conclusion that the URL is getting resolved to multiple IP's (TTL value is 30 Sec) and at the same moment ASA is unable to resolve the current IP's and hence connection is still pointed towards old IP.

I believe this is some thing related to ASA DNS cache time value.

Did anyone here faced the same issue??

I just ran into an issue with failed URL redirect on a 3850/9300 switch running  16.3 and 16.6.1. Apparently there is a bug for this (see below). The symptom is very similar to what you described which is switch gets redirect URL from ISE but endpoint is not getting there even though it can get there by copy/paste URL to browser.

What switch model/version are you using? If you are running one of the version mentioned above, try to upgrade to 16.6.2

You are not allowed to view links. Register or Login

Thanks MC

almost I did it that steps but I didn't upgrade IOS

What do you mean by "register an account from another PC "? When the endpoint hits a MAB auth policy rule, the following1 should happen
   1. ISE pushes DACL to switch that only allows traffic to ISE (so guest can see login portal). This overrides the port default ACL
   2. ISE pushes redirect URL to switch
   3. ISE tells switch to enforce redirect ACL that is configured on switch which should only permit www/https
   Seems like you have most if not all of these in place.
   You mentioned guest got an IP. Guest should only have access to ISE so you shouldn't be able to ping cisco.com.  If you manually copy redirect URL shown on switch to guest browser, do you see login page?