NAC Manager

Unanswered Question
May 4th, 2009
User Badges:

Hi,


Just wondering if anyone can help... I can ping my two NAC Managers but cannot HTTPS into them. I get the "The page cannot be displayed" message in IE. I used to be able to HTTPS into them but not anymore. I cannot think of anything that has changed in the network that would cause this. Also, rebooting the NAC Managers did not solve this issue.

srue Mon, 05/04/2009 - 07:42
User Badges:
  • Blue, 1500 points or more

Can you SSH/console into the mgr and check the status of the perfigo services?


nomair_83 Tue, 05/05/2009 - 02:40
User Badges:
  • Bronze, 100 points or more

Yup, sometimes it happens, so you can go to the CLI and initialize the CAM again with "service perfigo config" (you only need to press Enter as you don't need to change the configs) and restart the perfigo services...

"service perfigo restart"

yuchenglai Tue, 05/05/2009 - 05:41
User Badges:

I have a pair of NAC Managers running in High Availability mode.


Below is the resulting output after entering "service perfigo stop" and "service perfigo start":


Fedora Core release 4 (Stentz)
Kernel 2.6.11-perfigo on an i686

NACCAM2 login: ****
Password:
Last login: Mon May 4 14:56:37 on ttyS0
[root@NACCAM2 ~]# service perfigo restart
Error: Please use 'service perfigo stop' and then 'service perfigo start' on HA enabled systems!
[root@NACCAM2 ~]# service perfigo stop
[root@NACCAM2 ~]#

Fedora Core release 4 (Stentz)
Kernel 2.6.11-perfigo on an i686

NACCAM1 login: ****
Password:
Last login: Mon May 4 14:55:15 on ttyS0
[root@NACCAM1 ~]# service perfigo stop
[root@NACCAM1 ~]# service perfigo start
Starting High-Availability services:
[ OK ]
Please wait while bringing up service IP.
Heartbeat service is running.
Service IP [*.*.*.*] is not on peer or the Heartbeat link is broken.
Stopping High-Availability services:
[ OK ]
Please check IP configuration and Heartbeat link.
Starting manager in administrative mode.
[root@NACCAM1 ~]#

Fedora Core release 4 (Stentz)
Kernel 2.6.11-perfigo on an i686

NACCAM2 login: root
Password:
Last login: Tue May 5 08:25:20 on ttyS0
[root@NACCAM2 ~]# service perfigo start
Starting High-Availability services:
[ OK ]
Please wait while bringing up service IP.
Heartbeat service is running.
Service IP [*.*.*.*] is not on peer or the Heartbeat link is broken.
Stopping High-Availability services:
[ OK ]
Please check IP configuration and Heartbeat link.
Starting manager in administrative mode.
[root@NACCAM2 ~]#

yuchenglai Tue, 05/05/2009 - 08:04
User Badges:

I stopped and started the perfigo services on both CAMs in the failover pair, but am still not able to web into the CAM's Service IP address.


I used to be able to web into the CAM's service IP address, and the original configuration is still in both CAMs.


Thinking that this could be a certificate issue, I exported the HA-Primary CAM's certificate w/ the HA Pair's service IP to the HA-Secondary CAM. I then rebooted both CAMs and still cannot web into the CAM's service IP address.


I also notice that both CAMs' Current Local Status shows up as "DEAD", and the Current Peer CAM status shows up as "UNKNOWN".


Can someone please help?

nomair_83 Tue, 05/05/2009 - 23:43
User Badges:
  • Bronze, 100 points or more

You have to regenerate the certificates with the service IP address on both CAMs (one by one).

HTH


srue Wed, 05/06/2009 - 04:49
User Badges:
  • Blue, 1500 points or more

Regenerating certs will break any communication with the CASes, I believe, so you might run into some issues there. Look in the documentation guides to avoid any problems like this.

yuchenglai Wed, 05/06/2009 - 05:00
User Badges:

With issues inherent in regenerating the certs, I re-exported the certs from the Primary CAM and re-imported the certs into the secondary CAM, but this did not fix the problem. What could have happened to the original certs that once allowed me to web into the CAM pair's service IP?

nomair_83 Wed, 05/06/2009 - 05:05
User Badges:
  • Bronze, 100 points or more

Could be your failover issue, because FO is also down.

And the problem is that failover on both peers is not behaving normally.



yuchenglai Wed, 05/06/2009 - 05:17
User Badges:

Here is the strange thing. I can web and ssh into the CAM's individual eth0 IP address. However, the local status of each CAM is dead.


[root@NACCAM1 bin]# ./fostate.sh
My node is dead, peer node is unknown

[root@NACCAM2 bin]# ./fostate.sh
My node is dead, peer node is unknown


Looking at this, it makes sense that I would not be able to web into the Service IP of the CAM pair, but what would cause the local status of each CAM to be dead?

stephen.smithers Thu, 05/07/2009 - 06:29
User Badges:

You are right: as both of the devices are dead from a failover point of view, neither of them is responding to the service IP address.


Please check the failover configuration and ensure you have a failover interface configured, and that the interface is up on both devices.


The standard automatic configuration uses eth1 on the CAM for failover communication and a default network of 192.168.0.252, with the .254 address on the primary and the .253 on the secondary. Is this how you have configured the failover?


Please confirm the failover configuration on the two CAMs.

yuchenglai Mon, 05/11/2009 - 06:34
User Badges:

I've talked to a 3rd party integrator about this and have been told that I will need to contact Cisco TAC to first get the local nodes up. Once the nodes are up then we can move on to getting failover to work.


[root@NACCAM1 bin]# ./fostate.sh
My node is dead, peer node is unknown

[root@NACCAM2 bin]# ./fostate.sh
My node is dead, peer node is unknown



stephen.smithers Mon, 05/11/2009 - 08:37
User Badges:

Firstly, can you confirm that you have the correct licensing installed?


If the licensing is installed, then how is the failover configured? If you used the automatic configuration of the failover interface then it should work; if you changed the IP addressing or changed the interface used for failover, then I suspect that there may be an IP addressing issue unless you configured the network-scripts.


Please confirm the failover configuration and we can then troubleshoot this further.


Daniela Herrera Mon, 05/11/2009 - 09:22
User Badges:

I would shut down one of the CAMs and try to access the other one either by the service IP or its physical address. Once you've verified the config there, review the config on the other CAM.

Once you've verified both, try the failover settings again.



naitsirhc81 Fri, 05/08/2009 - 16:58
User Badges:

Try going to Internet Options, Content, "Clear SSL State". Then restart IE and try again.

mdubec Fri, 01/21/2011 - 04:53
User Badges:

Hi David,


Have you resolved your problem in this case? Because I have the same problem.


Thank you


Regards


Michal

jonmarso_07 Wed, 09/28/2011 - 09:11
User Badges:

Hello David, can you tell us whether you've solved your problem? And what was done.


Well, I have this same problem and I'm going to redo the settings. I'll first set up NTP, then redo it and set temporary certificates, then reconfigure failover.






jonmarso_07 Wed, 09/28/2011 - 11:24
User Badges:

Connect the Clean Access Manager Machines

There are two types of connections between HA-CAM peers: one to exchange runtime data that relates to the Clean Access Manager activities and one for the heartbeat signal. In High Availability, the Clean Access Manager always uses the eth1 interface for both data exchange and heartbeat UDP exchange. When the UDP heartbeat signal fails to be transmitted and received within a certain time period, the standby system takes over. In order to provide an extra measure of security, it is highly recommended to add a serial heartbeat connection between the Clean Access Manager peers. The serial connection provides an additional dedicated heartbeat exchange method that must fail before the standby system can take over. Note that the eth1 connection between the CAM peers is mandatory.

Physically connect the peer Clean Access Managers as shown:

  • Use crossover cable to connect the eth1 Ethernet ports of the Clean Access Manager machines. This connection is used for the heartbeat UDP interface and data exchange (database mirroring) between the failover peers.
  • Use null modem serial cable to connect the serial ports (highly recommended). This connection is used as an additional heartbeat serial exchange (keep-alive) between the failover peers.

Note: For serial cable connection for HA (either HA-CAM or HA-CAS), the serial cable must be a “null modem” cable.
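
As an added example (not from this thread, and not Cisco's own tooling) that ties together stephen.smithers' description of the standard automatic failover addressing (eth1, network 192.168.0.252, .254 on the primary and .253 on the secondary) and the HA-CAM connection notes quoted above: a small POSIX sh check you could run on each CAM. It parses the output of `ip -4 addr show` and of fostate.sh to flag the conditions seen in this thread (local node dead, peer unknown, failover address missing, eth1 down) and reports whether the service IP is bound locally; in live mode it also pings the peer over eth1. The service IP 10.0.0.10, the eth0 address in the sample and the fostate.sh location are placeholders (assumptions); the embedded `ip addr` and fostate.sh outputs are constructed to mirror what was posted above.

```shell
#!/bin/sh
# Sanity check for the HA-CAM failover link and service IP.
# Added example for this thread, not Cisco's own tooling. Assumptions:
# the standard automatic failover addressing (eth1, network 192.168.0.252,
# .254 primary / .253 secondary) is taken from the thread; SERVICE_IP and
# the fostate.sh location are placeholders you must set on a real CAM.

FO_IFACE="eth1"
FO_PRIMARY="192.168.0.254"
FO_SECONDARY="192.168.0.253"
SERVICE_IP="${SERVICE_IP:-10.0.0.10}"   # assumption: replace with the pair's service IP
FOSTATE="${FOSTATE:-./fostate.sh}"      # assumption: run from the bin dir shown in the thread

# expected_fo_addr ROLE -> address this node should hold on eth1
expected_fo_addr() {
    case "$1" in
        primary)   echo "$FO_PRIMARY" ;;
        secondary) echo "$FO_SECONDARY" ;;
        *) echo "unknown role: $1" >&2; return 1 ;;
    esac
}

# peer_fo_addr ROLE -> address the other node should answer on over eth1
peer_fo_addr() {
    case "$1" in
        primary)   echo "$FO_SECONDARY" ;;
        secondary) echo "$FO_PRIMARY" ;;
        *) return 1 ;;
    esac
}

# iface_up "<ip -4 addr show output>" IFACE -> 0 if the link flags contain UP
# (matches ",UP," / "<UP," / ",UP>" but not LOWER_UP)
iface_up() {
    printf '%s\n' "$1" | grep "^[0-9]*: $2:" | grep -q '[<,]UP[,>]'
}

# has_addr "<ip -4 addr show output>" IP -> 0 if the address is bound locally
has_addr() {
    printf '%s\n' "$1" | grep -q "inet $2/"
}

# fo_state "<fostate.sh output>" -> prints "<local> <peer>", e.g. "dead unknown"
fo_state() {
    printf '%s\n' "$1" | sed -n 's/^My node is \([a-z]*\), peer node is \([a-z]*\).*/\1 \2/p'
}

# diagnose ROLE "<ip addr output>" "<fostate output>"
# Prints "problem:" / "note:" lines; returns 1 if any problem was found.
diagnose() {
    role="$1"; addrs="$2"; fos="$3"; problems=0
    want=$(expected_fo_addr "$role") || return 1
    if ! iface_up "$addrs" "$FO_IFACE"; then
        echo "problem: $FO_IFACE is not UP; the heartbeat cannot run over it"; problems=$((problems+1))
    fi
    if ! has_addr "$addrs" "$want"; then
        echo "problem: $want is not bound on $FO_IFACE ($role)"; problems=$((problems+1))
    fi
    set -- $(fo_state "$fos")          # word-split into local and peer state
    local_state="${1:-unparsed}"; peer_state="${2:-unparsed}"
    case "$local_state" in
        dead)     echo "problem: local node reports dead; the service IP will not be claimed"; problems=$((problems+1)) ;;
        unparsed) echo "problem: could not parse fostate.sh output"; problems=$((problems+1)) ;;
    esac
    case "$peer_state" in
        unknown)  echo "problem: peer state unknown; check the eth1 crossover and serial links"; problems=$((problems+1)) ;;
    esac
    if has_addr "$addrs" "$SERVICE_IP"; then
        echo "note: service IP $SERVICE_IP is bound here (this node should answer HTTPS)"
    else
        echo "note: service IP $SERVICE_IP is not bound here"
    fi
    [ "$problems" -eq 0 ]
}

# live ROLE: capture the real outputs on this CAM and also ping the peer over eth1
live() {
    addrs=$(ip -4 addr show)
    fos=$("$FOSTATE" 2>&1)
    diagnose "$1" "$addrs" "$fos"; rc=$?
    peer=$(peer_fo_addr "$1")
    if ping -c 2 -W 2 "$peer" >/dev/null 2>&1; then
        echo "note: peer $peer answers over $FO_IFACE"
    else
        echo "problem: peer $peer does not answer over $FO_IFACE (crossover cable? addressing?)"; rc=1
    fi
    return $rc
}

# Constructed sample mirroring the thread: eth1 up and addressed, service IP
# absent, fostate.sh reporting "dead / unknown".
SAMPLE_ADDRS='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
    inet 10.0.0.11/24 brd 10.0.0.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
    inet 192.168.0.254/30 brd 192.168.0.255 scope global eth1'
SAMPLE_FOS='My node is dead, peer node is unknown'

if [ "$1" = "live" ]; then
    live "$2"
else
    diagnose primary "$SAMPLE_ADDRS" "$SAMPLE_FOS" || echo "problems found (see above)"
fi
```

Run it with no arguments to exercise the constructed sample (two problems on the primary: local node dead, peer unknown), or as `SERVICE_IP=<pair service IP> sh cam_fo_check.sh live primary` from the directory containing fostate.sh on the primary CAM (and `live secondary` on the other). On a healthy pair exactly one node reports the service IP bound; if neither does, HTTPS to the service IP fails while each CAM's own eth0 address still answers, which is the symptom described above.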
