NAC High Availability: Users getting disconnected during failover

Unanswered Question
Mar 30th, 2009

Hi,


We have a pair of CAS in in-band virtual-gateway mode in high availability mode.

We are still running some tests but we have noticed that the clients are losing connectivity during the failover.

* The service ip is always active (never stops responding pings).

* The stand-by CAS becomes active immediately after we shut down the primary, we see it on the CAM.

* The client however loses connectivity with the internal network for almost two minutes.


I'm guessing this isn't normal, but would like to know what is the expected behaviour on this.


Thanks and regards,

Daniela Herrera Tue, 03/31/2009 - 20:10

Any ideas??


We noticed this only happens when failing over from the CAS configured as secondary to the primary CAS. The client still appears as certified but no longer has access to the network for around 2 minutes.

When we failover from the primary to the secondary CAS the client stays connected without losing connectivity.


Is this an expected behaviour???


Regards,

srue Wed, 04/01/2009 - 09:21

Could be a spanning tree issue perhaps. Is portfast enabled where the CASs connect?

Daniela Herrera Wed, 04/01/2009 - 10:39

Thanks!

It's not enabled since our ports are in trunk mode. What's the recommendation: to have it enabled or disabled?


Thanks!

Daniela Herrera Thu, 04/02/2009 - 10:27

We configured another pair today and we are noticing the same behaviour, however it seems random... sometimes the user barely loses connection, other times it will take from 2-5 minutes for it to come back.

We are only using eth2 for the failover link since we only have one serial port.


When we test we make sure both servers are up and then we reboot the primary. The secondary becomes active immediately. When both are up again we repeat the process.


Any other ideas? Something we should check?


Thanks!

Daniela Herrera Mon, 04/06/2009 - 06:37

Hi!

Any other ideas on this will be greatly appreciated.

It seems a problem only with the communication between the user and the CAS, since the failover is detected immediately by the CAM and the CAS service (virtual) IP address is always reachable.


Thanks!
