NAC Agent Problems Logging In

chabutna1 · ‎10-05-2010

My school uses NAC agent to secure their network. I have to log in every time I restart the computer or wake the computer from sleeping if I want to access the network. I've never had a problem before, but all of the sudden it is giving me trouble.

During the past couple of days, I have been having problems logging into the network via cisco NAC agent. When my computer boots, the log in window pops up and I type in my user name and password. NAC agent says "authenticating user" for several seconds, and then it says "Clean access server is not available on the network. Please contact your administrator if the problem persists." I'll try it several more times, and it still doesn't work.

Here's the strange part: if I put the computer to sleep for awhile after experiencing the above problems, I can login upon wakeup with no problems at all. So it just seems like NAC Agent is having problems when the computer boots, not when it wakes up from sleeping.

I haven't made any changes to the wireless adapter or the network settings on my computer. I tried contacting my school about it, and they don't know what is causing the problem (they are a bunch of idiots though.) I've also tried uninstalling the program and installing it again with no success.

I'm running version 4.8.0.32 (compliance module version 3.4.13.1) with Windows 7 Home Premium (64-bit.) The problem started a few days ago.

Faisal Sehbai · ‎10-05-2010

Neil,

My sympathies. Unfortunately any/all troubleshooting we can do would need the involvement of the admins of these systems. Generally the message you're getting is indicative of some sort of network problem existing between your agent (computer) and CAS (which is the point of enforcement for CCA)

If you'd like, please post a copy of the agent logs and I can take a look at them to see if there's anything else can help you make the case to the admins that something needs to be fixed on their ends. You can collect the agent logs by going to Start -> Programs -> Cisco and there should be a log packager icon in the program group.

HTH,

Faisal

--

If you find this post helpful, please rate so others can find the answer easily

chabutna1 · ‎10-05-2010

I've gone ahead and attached the log files from the support report. Let me know if it needs to be in another format or something like that. Thanks for your help.

Faisal Sehbai · ‎10-05-2010

Neil,

As suspected, there's some sort of network problem between your computer and the CAS:

67: NEIL-LAPTOP: Oct 5 2010 13:44:07.784 UTC: %NACAGENT-3-HTTP_ERROR: %[sev=error][func=HTTPConnection::MakeRequest]: HttpSendRequestA returns error (12029): The attempt to connect to the server failed

...

133: NEIL-LAPTOP: Oct 5 2010 13:44:49.415 UTC: %NACAGENT-3-HTTP_ERROR: %[sev=error][func=HTTPConnection::MakeRequest]: HttpSendRequestA returns error (12029): The attempt to connect to the server failed
134: NEIL-LAPTOP: Oct 5 2010 13:44:49.415 UTC: %NACAGENT-4-HTTP_WARNING: %[sev=warning][func=HTTPConnection::RetrySendRequest]: First HttpSendRequestA returns error (12029): The attempt to connect to the server failed

If this issue is reproducible, best recourse would be for you to take this Agent log report to your Support Center and ask them to open a TAC case so TAC can work with your college folks to figure out what's going on with the network.

HTH,

Faisal

--

If you find this post helpful, please rate so others can find the answer easily

colmfahy · ‎11-10-2010

Faisal

I see your response below, which would I presume be based upon information extracted from the NacAgentCurrentLog.log file uploaded by the OP?

I am trying to troubleshoot connectivity between the NAC agent and the CAS (in another scenario) but I am unsure as to whether it should be possible to read this log file or whether I must create a TAC case and submit them the file in order to access the log contents?

If there is any way in which I can access/intrepret this information I wouild appreciate a pointer in the right direction.

Kind regards

colm

Lauren Sullivan · ‎11-10-2010

Hey Colm,

Yeah, the NAC agent logs are currently encrypted (as it contains the actual rule logic), so they can only be read by Cisco people. It's to prevent end users from figuring out what checks they're failing and just modifying the files themselves instead of actual remediation. Best bet is to open a TAC case or post it here for someone to check out.

Lauren

colmfahy · ‎12-17-2010

For the info of anyone coming across this post trying to troubleshoot the issue of the NAC agent 'never logging in' I have found if I adjust the MTU on the client PC downwards then the agent logs-in successfully.

In the case I am troubleshooting we are using pretty much the cisco reference config found at http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080a3a8a7.shtml including the GRE tunnels.

GRE tunnels impose an overhead which means that the effective MTU between the agent PC and the CAS is reduced by 24 bytes.

Editing the client PC registry to reduce the PC MTU to 1476 from the default of 1500 resolves the issue.

I am not sure WHY this is the case as I have verified that PMTU is properly configured and that the router is returning ICMP messages to the client which are being properly received. Pretty-much all other communications between clients on the remote network and network systems on the trusted side of the CAS work perfectly. Clients adjust the effective MTU appropriately for many othe locations on the network based upon ICMP fragmentation required messages received.

(I presume everyone knows how to manually check effective MTU across a link - but just in case - "ping -l (size) -f (target IP)" will work on most Windows OS'es and will give you a good place to start.)

I am still investigating ways to resolve the issue which do NOT require a manual registry modification to every client - but in the interim this is a very useful datapoint for others with the same problem.

Kind rgds

Colm