NAC Manager

yuchenglai
Level 1

Hi,

Just wondering if anyone can help... I can ping my two NAC Managers but cannot HTTPS into them. I get the "The page cannot be displayed" message in IE. I used to be able to HTTPS into them but not anymore. I cannot think of anything that has changed in the network that would cause this. Also, rebooting the NAC Managers did not solve this issue.

18 Replies

srue
Level 7

Can you SSH/console into the manager and check the status of the perfigo services?

How do you check the status of perfigo services?

Yup, sometimes it happens, so you can go to the CLI and initialize the CAM again by "service perfigo config" (you only need to press Enter as you don't need to change the configs) and restart the perfigo services...

"service perfigo restart"

I have a pair of NAC Managers running in High Availability mode.

Below is the resulting output after entering "service perfigo stop" and "service perfigo start":

Fedora Core release 4 (Stentz)

Kernel 2.6.11-perfigo on an i686

NACCAM2 login: ****

Password:

Last login: Mon May 4 14:56:37 on ttyS0

[root@NACCAM2 ~]# service perfigo restart

Error: Please use 'service perfigo stop' and then 'service perfigo start' on HA enabled systems!

[root@NACCAM2 ~]# service perfigo stop

[root@NACCAM2 ~]#

Fedora Core release 4 (Stentz)

Kernel 2.6.11-perfigo on an i686

NACCAM1 login: ****

Password:

Last login: Mon May 4 14:55:15 on ttyS0

[root@NACCAM1 ~]# service perfigo stop

[root@NACCAM1 ~]# service perfigo start

Starting High-Availability services:

[ OK ]

Please wait while bringing up service IP.

Heartbeat service is running.

Service IP [*.*.*.*] is not on peer or the Heartbeat link is broken.

Stopping High-Availability services:

[ OK ]

Please check IP configuration and Heartbeat link.

Starting manager in administrative mode.

[root@NACCAM1 ~]#

Fedora Core release 4 (Stentz)

Kernel 2.6.11-perfigo on an i686

NACCAM2 login: root

Password:

Last login: Tue May 5 08:25:20 on ttyS0

[root@NACCAM2 ~]# service perfigo start

Starting High-Availability services:

[ OK ]

Please wait while bringing up service IP.

Heartbeat service is running.

Service IP [*.*.*.*] is not on peer or the Heartbeat link is broken.

Stopping High-Availability services:

[ OK ]

Please check IP configuration and Heartbeat link.

Starting manager in administrative mode.

[root@NACCAM2 ~]#

I stopped and started the perfigo services for both CAMs in the failover pair, but am still not able to web into the CAM's Service IP address.

I used to be able to web into the CAM's service IP address, and the original configuration is still in both CAMs.

Thinking that this could be a certificate issue, I exported the HA-Primary CAM's certificate w/ the HA Pair's service IP to the HA-Secondary CAM. I then rebooted both CAMs and still cannot web into the CAM's service IP address.

I also notice that both CAMs' Current Local Status shows up as "DEAD", and the Current Peer CAM status shows up as "UNKNOWN".

Can someone please help?

You have to regenerate the certificates with the service IP address on both CAMs (one by one).

HTH

Regenerating certs will break any communication with the CASes, I believe, so you might run into some issues there. Look in the documentation guides to avoid any problems like this.

With issues inherent in regenerating the certs, I re-exported the certs from the Primary CAM and re-imported the certs into the secondary CAM, but this did not fix the problem. What could have happened to the original certs that once allowed me to web into the CAM pair's service IP?

Could be your failover issue, because FO is also down.

And the problem is that both peers' failover is not behaving normally.

Here is the strange thing. I can web and ssh into the CAM's individual eth0 IP address. However, the local status of each CAM is dead.

[root@naccam1 bin]# ./fostate.sh

My node is dead, peer node is unknown

[root@naccam2 bin]# ./fostate.sh

My node is dead, peer node is unknown

Looking at this, it makes sense that I would not be able to web into the Service IP of the CAM pair, but what would cause the local status of each CAM to be dead?

You are right; as both of the devices are dead from a failover point of view, neither of them is responding to the service IP address.

Please check the failover configuration and ensure you have a failover interface configured, and that the interface is up on both devices.

The standard automatic configuration uses eth1 on the CAM for failover communication and a default network of 192.168.0.252 with the .254 address on the primary and the .253 on the secondary. Is this how you have configured the failover?

Please confirm the failover configuration on the two CAMs.

I've talked to a 3rd party integrator about this and have been told that I will need to contact Cisco TAC to first get the local nodes up. Once the nodes are up then we can move on to getting failover to work.

[root@naccam1 bin]# ./fostate.sh

My node is dead, peer node is unknown

[root@naccam2 bin]# ./fostate.sh

My node is dead, peer node is unknown

Firstly, can you confirm that you have the correct licensing installed?

If the licensing is installed, then how is the failover configured? If you used the automatic configuration of the failover interface then it should work; if you changed the IP addressing or changed the interface used for failover then I suspect that there may be an IP addressing issue, unless you configured the network-scripts.

Please confirm the failover configuration and we can then troubleshoot this further.

I would shut down one of the CAMs and try to access the other one either by the service IP or its physical address. Once you've verified the config there, review the config on the other CAM.

Once you've verified both, try the failover settings again.
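The failover checks suggested in the replies above (heartbeat interface up, the expected .254/.253 address bound, peer reachable, and the fostate.sh result interpreted), collected into one added example script; this is not code from the thread or from Cisco. It assumes the default automatic failover layout quoted above (eth1, 192.168.0.252 network with .254 on the primary and .253 on the secondary, taken here to be a /30) and that fostate.sh prints "My node is X, peer node is Y".

```shell
#!/bin/sh
# Added example (not from the thread): pre-TAC sanity checks for a CAM HA pair.
# Assumed defaults: heartbeat on eth1, 192.168.0.252/30, primary .254, secondary .253.

# Turn a fostate.sh line into "local=<state> peer=<state>".
parse_fostate() {
    printf '%s\n' "$1" |
        sed -n 's/^My node is \([a-z]*\), peer node is \([a-z]*\).*/local=\1 peer=\2/p'
}

# Explain what a fostate result means for the service IP (states seen in the thread).
interpret_fostate() {
    case "$(parse_fostate "$1")" in
        "local=dead peer=unknown")
            echo "node is out of HA and does not answer the service IP; check heartbeat link and licensing" ;;
        "local=dead "*)
            echo "node is out of HA; check heartbeat link and licensing" ;;
        *)
            echo "node participates in HA; service IP should be reachable from the active member" ;;
    esac
}

# Given this node's heartbeat address, return the address the peer must hold.
expected_peer() {
    case "$1" in
        192.168.0.254) echo 192.168.0.253 ;;
        192.168.0.253) echo 192.168.0.254 ;;
        *) echo "unexpected heartbeat address $1 (assumed 192.168.0.252/30)" >&2; return 1 ;;
    esac
}

# Live checks, to be run on the CAM itself: link up, address bound, peer answers.
# Uses ifconfig rather than newer iproute2 output since the appliance runs Fedora Core 4.
check_heartbeat_link() {
    iface=${1:-eth1}
    local_ip=${2:-192.168.0.254}
    ifconfig "$iface" 2>/dev/null | grep -q ' UP ' || { echo "$iface is not UP"; return 1; }
    ifconfig "$iface" | grep -Eq "inet (addr:)?$local_ip[ /]" ||
        { echo "$local_ip is not bound on $iface"; return 1; }
    peer=$(expected_peer "$local_ip") || return 1
    ping -c 2 -W 2 "$peer" >/dev/null 2>&1 ||
        { echo "peer $peer does not answer on the heartbeat link"; return 1; }
    echo "heartbeat link to $peer OK"
}
```

Run `check_heartbeat_link eth1 192.168.0.254` on the primary and `check_heartbeat_link eth1 192.168.0.253` on the secondary; a failure from any line is the configuration to fix before re-enabling HA.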
