Problems with NAC CAS High Availability: NATIVE_VLAN_MISMATCH

Mar 14th, 2009

We were trying to configure a pair of Clean Access Servers in High Availability mode and ran into some problems.

The primary server was working properly in In-band Virtual Gateway mode. We followed the instructions to add the failover settings to it and used a new service IP (the same for the trusted and untrusted interfaces, as required for Virtual Gateway mode). After rebooting we had contact with the server for a few minutes and then lost it completely; the server is still on, but we cannot reach it through the network.

The switch where it is connected is giving the following error:

CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet7/0/7 (999), with SW_VOZ_DATOS_P33 FastEthernet8/0/3 (998)

Per the configuration guide, we do have different native VLANs on the ports that the trusted and untrusted interfaces of the CAS are connected to.

Only the primary CAS is connected at the moment, but I understand we should still be able to reach it.

Is there something else that needs to be configured for the CAS in Virtual Gateway mode with High Availability?

Thanks and regards,

Daniel Laden (Cisco Employee) Sat, 03/14/2009 - 12:59

To configure HA, you just need to configure the failover pair as ha-primary and ha-secondary, confirm that the two boxes can ping the names used in the HA configuration, and make sure the certificate and private key are the same on both boxes (export from one, import into the other). If the NAC Server is also a DHCP server, you will need to enable DHCP synchronization. The NAC Server license will need to be a failover license. Review your NAC Server license file for 'CCA-OB-SERVER-FO'.

Do you have any type of port security or spanning-tree security running? Are the switch ports up/up? Are the NAC Server MAC addresses associated with the correct ports? Can you ping the NAC Server from the L3 router/switch interface? Does the L3 router/switch have the IP-to-MAC association?

-Dan Laden

Daniela Herrera Sat, 03/14/2009 - 16:17

Hi, thanks!

The switch ports are up/up, and there's no port security enabled on those ports. I cannot ping the CAS from the switch it is connected to. The SSL certificate points to the service IP address, and both CASs share the certificate.

We have only configured the primary one so far, and as I said, it came up after the reboot and then we lost connectivity to it. The switch is complaining about the native VLAN mismatch. The CAS is up and I can access it through the console, but I cannot ping anything on the network.

CAS is not a DHCP server.

All the MAC addresses were set correctly.

We do have a failover license for the CAS, linked to the Manager's MAC address (as specified in the requirements). However, I can't find anywhere in the CAS configuration where I can upload it again or check it.

Anything else I should check?

Thanks and regards,

Daniel Laden (Cisco Employee) Mon, 03/16/2009 - 09:09

All the license files are loaded into the NAC Manager.

On the NAC Server, run 'service perfigo config'. Work through the options, taking care not to change anything.

Pay attention to these questions:

[Vlan Id Passthrough] for packets from eth0 to eth1 is disabled.

Would you like to enable it? (y/n)? [n]

[Management Vlan Tagging] for egress packets of eth0 is disabled.

Would you like to enable it? (y/n)? [n]

[Vlan Id Passthrough] for packets from eth1 to eth0 is disabled.

Would you like to enable it? (y/n)? [n]

[Management Vlan Tagging] for egress packets of eth1 is disabled.

Would you like to enable it? (y/n)? [n]

Note whether each is enabled or disabled. If one is enabled, select 'y' to keep it enabled, and note the VLAN number.

If the NAC Server is configured to use 'Management VLAN Tagging', make sure that VLAN is not the native VLAN on the switch port and that it is an allowed VLAN on the trunk.

-Dan Laden

Daniela Herrera Mon, 03/16/2009 - 13:14

Hello, Thanks again.

VLAN tagging is enabled for packets from eth1 to eth0. The management VLAN is allowed on the trunk port that the trusted interface is connected to, and it's different from the native VLAN.

What's the correct configuration in this situation? Should VLAN tagging be enabled or disabled? On eth0, eth1, or both?

I'll have access again tomorrow. I guess I'll try disabling that option; what do you suggest?

thanks again and regards,

Daniel Laden (Cisco Employee) Mon, 03/16/2009 - 15:29

Management VLAN Tagging is only needed on the trusted interface.

VLAN ID Passthrough is typically not needed.

-Dan Laden
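
The two replies above from Dan Laden give three switch-side rules for an in-band virtual-gateway CAS pair: the trusted and untrusted ports need different native VLANs, and when Management VLAN Tagging is on (trusted interface only), that VLAN must not be the port's native VLAN and must be allowed on the trunk. The following Python script is an added example, not code from the thread or from Cisco; it parses the CDP-4-NATIVE_VLAN_MISMATCH line quoted in the question and checks constructed IOS-style trunk port configs against those rules. The interface names, VLAN numbers and the sample configs are chosen for the example and are not from the thread.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# The CDP syslog line quoted in the thread, reused here as sample input.
CDP_LINE = (
    "CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on "
    "FastEthernet7/0/7 (999), with SW_VOZ_DATOS_P33 FastEthernet8/0/3 (998)"
)

CDP_RE = re.compile(
    r"NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on "
    r"(?P<local_port>\S+) \((?P<local_native>\d+)\), "
    r"with (?P<neighbor>\S+) (?P<neighbor_port>\S+) \((?P<neighbor_native>\d+)\)"
)


def parse_cdp_mismatch(line: str) -> dict | None:
    """Pull both ports and both native VLAN IDs out of a CDP-4-NATIVE_VLAN_MISMATCH line."""
    m = CDP_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["local_native"] = int(d["local_native"])
    d["neighbor_native"] = int(d["neighbor_native"])
    return d


@dataclass
class TrunkPort:
    name: str
    native: int = 1                  # IOS default native VLAN
    allowed: set[int] | None = None  # None = every VLAN allowed (IOS default)

    def allows(self, vlan: int) -> bool:
        return self.allowed is None or vlan in self.allowed


def _expand_vlan_list(spec: str) -> set[int]:
    """'10,20,100-102' -> {10, 20, 100, 101, 102}."""
    out: set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            out.update(range(lo, hi + 1))
        elif part:
            out.add(int(part))
    return out


def parse_trunk(config: str) -> TrunkPort:
    """Parse one IOS-style 'interface ...' block; only the trunk lines matter here.
    Handles 'switchport trunk native vlan N' and 'switchport trunk allowed vlan LIST|add LIST|all'
    (the except/remove/none forms are not needed for this example)."""
    port = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            port = TrunkPort(line.split(None, 1)[1])
        elif port is None:
            continue
        elif line.startswith("switchport trunk native vlan "):
            port.native = int(line.rsplit(None, 1)[1])
        elif line.startswith("switchport trunk allowed vlan "):
            spec = line[len("switchport trunk allowed vlan "):].strip()
            if spec == "all":
                port.allowed = None
            elif spec.startswith("add "):
                port.allowed = (port.allowed or set()) | _expand_vlan_list(spec[4:])
            else:
                port.allowed = _expand_vlan_list(spec)
    if port is None:
        raise ValueError("no 'interface' line in config")
    return port


def check_cas_ports(trusted_cfg: str, untrusted_cfg: str, mgmt_vlan: int | None = None) -> list[str]:
    """Apply the thread's rules; an empty list means the switch side looks right."""
    t = parse_trunk(trusted_cfg)
    u = parse_trunk(untrusted_cfg)
    findings = []
    # Configuration-guide rule cited in the thread: different native VLANs on the
    # two CAS ports, so the bridged virtual gateway does not create an STP loop.
    if t.native == u.native:
        findings.append(f"trusted {t.name} and untrusted {u.name} share native VLAN {t.native}")
    # Management VLAN Tagging applies to the trusted interface (eth0) only, so only that trunk is checked.
    if mgmt_vlan is not None:
        if mgmt_vlan == t.native:
            findings.append(f"management VLAN {mgmt_vlan} is the native VLAN on trusted {t.name}")
        if not t.allows(mgmt_vlan):
            findings.append(f"management VLAN {mgmt_vlan} is not allowed on trusted trunk {t.name}")
    return findings


# Constructed sample configs; port names and VLAN numbers are chosen for the example.
TRUSTED_OK = """interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,100,999
"""
TRUSTED_MGMT_NOT_ALLOWED = TRUSTED_OK.replace("10,20,100,999", "10,20,999")
UNTRUSTED_OK = """interface GigabitEthernet1/0/2
 switchport mode trunk
 switchport trunk native vlan 998
 switchport trunk allowed vlan 10,20,998
"""
MGMT_VLAN = 100  # assumed management VLAN for the example

if __name__ == "__main__":
    print(parse_cdp_mismatch(CDP_LINE))
    for label, cfg in [("ok", TRUSTED_OK), ("mgmt-not-allowed", TRUSTED_MGMT_NOT_ALLOWED)]:
        print(label, check_cas_ports(cfg, UNTRUSTED_OK, MGMT_VLAN) or "no findings")
```

The CDP message itself only tells you that the two ends of a link disagree on the native VLAN; the check above is what turns Dan's advice into something you can run against the `show running-config` output for both CAS ports before touching a production switch.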

Daniela Herrera Wed, 03/18/2009 - 10:21

Hi! thanks again.

I had a chance to check the config again.

The management VLAN is set on the trusted interface only. There's no VLAN ID passthrough.

The problem is still there. Is there anything else I should check?

We have different native VLANs on the interfaces, per the configuration guide, to avoid STP loops on the network. I also read that the same native VLAN can be configured if VLAN ID passthrough is used, but I haven't found any more information on how to configure it. Since this is in production, I can't risk affecting the network while playing with those values. Could you please guide me a little on how this configuration can be accomplished, or on what else I can check to troubleshoot why my HA config is not working?

Thanks again and regards,

Daniela Herrera Wed, 03/18/2009 - 14:54

To correct my previous message: I meant VLAN mapping instead of VLAN ID passthrough.

Any ideas will be greatly appreciated.

Thanks and regards,

shaymaaabdelghafar Mon, 03/30/2009 - 10:20

Please, I want to confirm whether it is mandatory to order two NAC appliances, one as Server and one as Manager,

or whether we can have only one NAC appliance to manage 100 users.

Please confirm.

Daniela Herrera Mon, 03/30/2009 - 10:24

Yes, you need both.

The NAC Server is the one that receives the connection requests from the clients.

The NAC Manager controls the servers and is where all the policies are configured.


About the HA issue: we solved it with the VLAN mapping, and we had to enable eth2 to send UDP hellos between the two CASs (we had to create a file on the CAS to do that).

It's doing the failover now, but I'm seeing two things:

* Part of the configuration was lost (the Active Directory user, to begin with). I'm guessing this is not normal; is there any known issue on this?

* Clients are losing connectivity for around two minutes when the failover occurs. Is this the normal behaviour? The service IP is always active and the standby server immediately becomes active, but it still takes a while for the clients to recover.

The CAS is In-band, Virtual Gateway, with High Availability.

Thanks and regards,

shaymaaabdelghafar Mon, 03/30/2009 - 10:30

I very much appreciate your response, but I want to know if I need both Server and Manager even if I have only one server for fewer than 100 users.

Daniela Herrera Mon, 03/30/2009 - 10:34

The Manager will control the server (even if there is only one). The Server is the one with the license to control 'x' number of users (100 in your case).

All the policies are configured on the Manager, not on the Server. Therefore both are needed.

Daniel Laden (Cisco Employee) Tue, 03/31/2009 - 09:59

The NAC Server receives all its configuration from the NAC Manager (except the IP configuration and the SSL certificate). You will need a NAC Manager.
