CSA MC Cluster: is it possible?

Dec 26th, 2008

How to do a cluster with CSA MC.

I have 2 servers, and want that if the first CSA falls, then the second takes over and all agents register to the second CSAMC till the first comes back.


Is there any issue or any link about documentation?

Best Regards,

Overall Rating: 4.5 (2 ratings)
pmccubbin Mon, 12/29/2008 - 06:59

Good question and a possible feature request for Cisco. I see what you are asking for in an automatic failover of the Management Center.


Unfortunately, a cluster cannot be done. The issue, from my understanding, involves the Security Certificate. Typically a server-side certificate is generated for the SSL connection between Agents and the Management Center (MC). The communications between the Agents and MC consist of things like policy updates, agent polling, and alert message communications. The files are signed with the CSA MC certificate to prove their authenticity so that nobody can intercept the communications and alter their content.


Since the agents can function without an active MC, it has always been the best practice to back up configurations and policies in the event of an MC failure. Then all that needs to be done is a restore of the configuration and license to this new MC.


Hope this helps.


Best,

Paul




jan.nielsen Fri, 01/23/2009 - 15:09

Well, there is a difference between what you can do and what is supported. You CAN create a hot standby by using, e.g., Veritas storage management client, and making it control the csamc services on two servers. You will need to use a remote db, and make some dependencies so that the two servers are never active at the same time. Registrations to the server are kept in the db, so there is no change to the actual server. The only thing is, if you create a new agent kit, it will be on the server that was active, so you will need to define some shared storage between the two servers for the agent kit directory on the server. This is not supported, so you will probably get problems with support if you attempt this and it fails for some reason.

Hi,

Your suggestion sounds similar to the HA solution for CSM, i.e., use Veritas storage foundation HA/DR. Have you implemented this for CSA MC?


Cisco have added a new white paper, Management Center for Cisco Security Agents High Availability White Paper. It's dated the 2nd of Feb 2009; has anyone had the time to test yet? It reads like a single site HA solution but I can't see why it wouldn't scale to an HA/DR implementation across multiple data centres.


jan.nielsen Wed, 02/11/2009 - 08:37

Yes, it is very similar to the supported CSM HA solution with Veritas storage mng agent. I have tested it with a friend who works for Symantec, and used to be a Veritas technician; it works very well as I recall. I have not implemented it in production environments yet. I will have to check out that paper, sounds interesting.
