Clean Access Server could not establish a secure connection with CAM

Unanswered Question
Jul 13th, 2009

Hi to all,

I had my NAC solution working fine but suddenly some users were getting this message when they were trying to log on:

Clean Access Server could not establish a secure connection to Clean Access Manager at mydomain.com.

This could be due to one or more of the following reasons: 1) Clean Access Manager certificate has expired 2) Clean Access Manager certificate cannot be trusted or 3) Clean Access Manager cannot be reached.

Please report this to your network administrator.

I tried generating the SSL certificates again but it didn't work. The certificates were still valid, the time settings are the same on the CAM and CAS, and I can manage the CAS from the CAM interface, so it is not a "not reachable" problem.

I also found this in the Config Guide for both the CAM and CAS: If you check nslookup and date from the CAS, and both the DNS and TIME settings on the CAS are correct, this can indicate that the caCerts file on the CAS is corrupted. In this case, Cisco recommends backing up the existing caCerts file from /usr/java/j2sdk1.4/lib/security/caCerts, overriding it with the file from /perfigo/common/conf/caCerts, then performing "service perfigo restart" on the CAS.

I did it but the problem remains. Do you know what else I can try?

Thanks in advance for your help.
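The caCerts step quoted from the Config Guide above, as an added example script rather than commands from the thread or from Cisco. It adds two checks the guide leaves implicit: the replacement is refused when the Java copy is already byte-identical to the Perfigo copy (in that case the copy cannot be the fix, which is the situation the original poster ended up in), and each store is test-opened with keytool before and after when a JDK is on the path. The paths are the ones quoted in the post; the backup directory and the "changeit" store password are assumptions, and HOSTS/CAM_FQDN exist only so the nslookup/date checks can be run from the same place.

```shell
#!/bin/sh
# Added example (not the Cisco guide's or the thread's own commands): back up and
# replace the CAS caCerts trust store, refusing a no-op copy and test-opening the
# store with keytool when one is available.

JAVA_CACERTS="${JAVA_CACERTS:-/usr/java/j2sdk1.4/lib/security/caCerts}"
PERFIGO_CACERTS="${PERFIGO_CACERTS:-/perfigo/common/conf/caCerts}"
BACKUP_DIR="${BACKUP_DIR:-/root}"            # assumption: somewhere writable on the CAS
CAM_FQDN="${CAM_FQDN:-cam1.mycompany.com}"   # assumption: your CAM's name, as configured on the CAS

# keystore_ok FILE
#   0 = keytool opened the store, 1 = keytool rejected it (corrupt or wrong
#   password), 2 = no keytool on this box, so nothing can be said.
keystore_ok() {
    command -v keytool >/dev/null 2>&1 || return 2
    # "changeit" is the JDK default cacerts password; assumption for the CAS.
    keytool -list -keystore "$1" -storepass changeit >/dev/null 2>&1
}

# replace_cacerts TARGET SOURCE BACKUP_DIR
#   0 = replaced, prints the backup path; 1 = files already identical, nothing
#   done; 3 = a path is missing or the backup could not be written.
replace_cacerts() {
    target=$1; src=$2; bdir=$3
    [ -f "$target" ] && [ -f "$src" ] || return 3
    if cmp -s "$target" "$src"; then
        return 1        # copying an identical file cannot fix anything
    fi
    stamp=$(date +%Y%m%d%H%M%S)
    bak="$bdir/caCerts.$stamp.bak"
    cp -p "$target" "$bak" || return 3
    cp -p "$src" "$target" && echo "$bak"
}

main() {
    # The guide's prerequisites: name resolution and clock first.
    date
    nslookup "$CAM_FQDN" || echo "cannot resolve $CAM_FQDN: fix DNS/hosts before touching caCerts"
    for f in "$JAVA_CACERTS" "$PERFIGO_CACERTS"; do
        keystore_ok "$f"; rc=$?
        echo "keytool check $f: rc=$rc (0 opens, 1 unreadable, 2 no keytool)"
    done
    if bak=$(replace_cacerts "$JAVA_CACERTS" "$PERFIGO_CACERTS" "$BACKUP_DIR"); then
        echo "replaced $JAVA_CACERTS (backup: $bak); now run: service perfigo restart"
        keystore_ok "$JAVA_CACERTS" && echo "new store opens with keytool"
    else
        echo "nothing replaced: stores are identical or a path is missing"
    fi
}

# Only act when invoked as "sh fix-cacerts.sh run"; sourcing it just defines the functions.
if [ "${1:-}" = "run" ]; then main; fi
```

When the two files compare identical (rc=1) the corruption theory is ruled out and the search has to move elsewhere; that is the situation the later replies in this thread resolve with the hosts file.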

pszczola1 Tue, 07/14/2009 - 17:06

Are you able to ping the CAS from the CAM and vice versa? Please try to ping with both the IP and the DNS name.

If ping by name doesn't work, the workaround is to modify the hosts file: add the CAS entry to the CAM's hosts file and vice versa.

alfonso.cornejo Wed, 07/15/2009 - 07:09

Hi,

Yes, I'm able to ping the CAS from the CAM and vice versa using both the IP and the name.

Actually, I can manage the CAS from the CAM interface.

alfonso.cornejo Wed, 07/22/2009 - 07:36

Hi guys,

Just updating this case: I have another CAS configured and I'm having the same problem, i.e. the users cannot authenticate and are getting the same message: "Clean Access Server could not establish a secure connection to Clean Access Manager at mydomain.com.

This could be due to one or more of the following reasons: 1) Clean Access Manager certificate has expired 2) Clean Access Manager certificate cannot be trusted or 3) Clean Access Manager cannot be reached. Please report this to your network administrator."

Any ideas what could be causing this?

A bug, or corruption on the systems?

Thanks in advance for your help.

srue Wed, 07/22/2009 - 07:50

Have you verified the certificates are all valid and NTP is working on all devices, including PCs?

alfonso.cornejo Wed, 07/22/2009 - 07:54

Hi,

Yes I have; the certificates appear as valid on both devices (CAM and CAS) and the time is synchronized across the whole network, including PCs.

That's why I think maybe this is an operating system issue, something corrupt, etc.

Any more ideas?

I appreciate your help.

george.murage Fri, 07/24/2009 - 02:11

Hi

We were experiencing the same issue described here. After many hours of troubleshooting we got it to work by adding the FQDN of the NAS to the hosts file of the NAM and vice versa. Since our environment was using NAM and NAS HA, we had to put both the primary and secondary NAS FQDNs in the hosts file of each of the NAM servers using the service IP, and vice versa (i.e. put the primary and secondary NAM FQDNs in each of the NAS servers using the service IP).

The same can be achieved by using a DNS server to register the FQDN of all the NAS and NAM servers in the NAC deployment.

The NAM and NAS should be able to ping each other using the FQDN and the hostname.

HTH

George

alfonso.cornejo Fri, 07/24/2009 - 09:35

Hi George,

Thanks a lot for the post. Do you have the steps for how to change the hosts file on the CAM and on the CAS?

Best regards,

george.murage Mon, 07/27/2009 - 06:03

hi Alfonso,

Editing the hosts file is easy; you just need to use the CAS/CAM CLI and the vi text editor. You can Google for instructions on how to use vi.

To start, assume we have a CAM and a CAS with the hostnames cam1 and cas1 respectively. The domain is mycompany.com and the IP addresses for the CAM and CAS are 192.168.10.1 and 192.168.15.2 respectively.

Start with the CAM and view the hosts table:

cat /etc/hosts

To check what domain you used to set up the CAM (the "domain" or "search" line):

cat /etc/resolv.conf

Edit the hosts file so it appears like so:

192.168.10.1 cam1.mycompany.com cam1

192.168.15.2 cas1.mycompany.com cas1

Verify with 'cat /etc/hosts'

Make sure you can ping 'cas1' and 'cas1.mycompany.com' from cam1.

Next, edit the hosts file on cas1 so that it appears like so:

192.168.15.2 cas1.mycompany.com cas1

192.168.10.1 cam1.mycompany.com cam1

Make sure you can ping 'cam1' and 'cam1.mycompany.com' from cas1.

HTH

George
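The hosts-file procedure George describes, as an added example script (not his commands or Cisco's) instead of hand edits in vi. set_hosts_entry rewrites the line for a name rather than appending, so a rerun or a typo fix never leaves duplicate or stale entries, and hosts_resolve reads a name back from the file the way the resolver would, so the result can be checked on a scratch copy before touching /etc/hosts. Names and addresses are the ones from George's example (assumed not to be real); HOSTS_FILE can be pointed at a copy for a dry run.

```shell
#!/bin/sh
# Added example (not from the thread): idempotent /etc/hosts entries for the
# CAM/CAS pair plus a read-back check. Run as "sh hosts-fix.sh cam1" on the CAM
# and "sh hosts-fix.sh cas1" on the CAS; with no argument it only defines functions.

HOSTS_FILE="${HOSTS_FILE:-/etc/hosts}"

# hosts_resolve FILE NAME: print the IP of the first non-comment line whose
# name fields contain NAME exactly; status 1 if no line matches.
hosts_resolve() {
    awk -v name="$2" '
        /^[[:space:]]*#/ { next }
        { for (i = 2; i <= NF; i++) if ($i == name) { print $1; found = 1; exit } }
        END { exit found ? 0 : 1 }' "$1"
}

# set_hosts_entry FILE IP FQDN SHORT: drop every existing line that names
# FQDN or SHORT, then append "IP<TAB>FQDN SHORT". The rewrite goes through a
# temp file and is copied back with cat so FILE keeps its owner and mode.
set_hosts_entry() {
    file=$1; ip=$2; fqdn=$3; short=$4
    tmp=$(mktemp) || return 1
    awk -v a="$fqdn" -v b="$short" '
        /^[[:space:]]*#/ { print; next }
        { keep = 1; for (i = 2; i <= NF; i++) if ($i == a || $i == b) keep = 0 }
        keep { print }' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    printf '%s\t%s %s\n' "$ip" "$fqdn" "$short" >> "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# check_peer FILE IP FQDN SHORT: both the FQDN and the short name must
# resolve to IP from FILE, which is what "ping cas1 && ping cas1.mycompany.com"
# verifies on the live box.
check_peer() {
    [ "$(hosts_resolve "$1" "$3")" = "$2" ] && [ "$(hosts_resolve "$1" "$4")" = "$2" ]
}

# apply_entries FILE "ip fqdn short" ...: one triple per argument.
apply_entries() {
    file=$1; shift
    for entry in "$@"; do
        set -- $entry                      # split the triple on whitespace
        set_hosts_entry "$file" "$1" "$2" "$3" || return 1
    done
}

main() {
    node=${1:-}
    case $node in
        cam1) apply_entries "$HOSTS_FILE" \
                "192.168.10.1 cam1.mycompany.com cam1" \
                "192.168.15.2 cas1.mycompany.com cas1" ;;
        cas1) apply_entries "$HOSTS_FILE" \
                "192.168.15.2 cas1.mycompany.com cas1" \
                "192.168.10.1 cam1.mycompany.com cam1" ;;
        *) echo "usage: $0 cam1|cas1" >&2; return 2 ;;
    esac || return 1
    check_peer "$HOSTS_FILE" 192.168.10.1 cam1.mycompany.com cam1 &&
        check_peer "$HOSTS_FILE" 192.168.15.2 cas1.mycompany.com cas1 &&
        echo "hosts entries OK on $node; confirm with: ping cam1; ping cas1.mycompany.com"
}

if [ $# -gt 0 ]; then main "$@"; fi
```

For the HA layout George describes, pass extra triples: on each CAM the primary and secondary CAS by their service IP, and on each CAS both CAMs the same way. Because the entry pins the CAM name to one address, the name you put here must be the one the CAS is configured to contact the CAM by; if a CAM is re-addressed, rerun the script rather than editing by hand, since set_hosts_entry replaces the old line instead of leaving two.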

alfonso.cornejo Mon, 07/27/2009 - 06:53

Thanks a lot for the information, George!

I'm gonna perform these steps on my CAM and CAS.

Best regards,

jmanzur1683 Mon, 10/11/2010 - 13:24

Hi, this is my question.

I have this problem:

Network Error:
Clean Access Server could not establish a secure connection to Clean Access Manager at XXXXXXXX.
This could be due to one or more of the following reasons: 1) Clean Access Manager certificate has expired 2) Clean Access Manager certificate cannot be trusted or 3) Clean Access Manager cannot be reached.
Please report this to your network administrator.

- The CAM and CAS are time-synchronized

- There is communication between CAM and CAS by SSH

- I can control the CAS from the CAM

The problem is when the user tries to connect to the network.

PS: I did all the steps that Alfonso did.

Please, i need some help.

Regards.
