Cisco Support Community

New Member

NAC Manager

Hi,

Just wondering if anyone can help... I can ping my two NAC Managers but cannot HTTPS into them. I get the "The page cannot be displayed" message in IE. I used to be able to HTTPS into them but not anymore. I cannot think of anything that has changed in the network that would cause this. Also, rebooting the NAC Managers did not solve this issue.

18 REPLIES
Gold

Re: NAC Manager

can you ssh/console into the mgr and check the status of the perfigo services?

New Member

Re: NAC Manager

How do you check the status of perfigo services?

New Member

Re: NAC Manager

Yup, sometimes it happens, so you can go to the CLI and initialize the CAM again with "service perfigo config" (you only need to press Enter as you don't need to change the configs) and restart the perfigo services...

"service perfigo restart"

New Member

Re: NAC Manager

I have a pair of NAC Managers running in High Availability mode.

Below is the resulting output after entering service perfigo stop and service perfigo start:

Fedora Core release 4 (Stentz)
Kernel 2.6.11-perfigo on an i686

NACCAM2 login: ****
Password:
Last login: Mon May 4 14:56:37 on ttyS0
[root@NACCAM2 ~]# service perfigo restart
Error: Please use 'service perfigo stop' and then 'service perfigo start' on HA enabled systems!
[root@NACCAM2 ~]# service perfigo stop
[root@NACCAM2 ~]#

Fedora Core release 4 (Stentz)
Kernel 2.6.11-perfigo on an i686

NACCAM1 login: ****
Password:
Last login: Mon May 4 14:55:15 on ttyS0
[root@NACCAM1 ~]# service perfigo stop
[root@NACCAM1 ~]# service perfigo start
Starting High-Availability services: [ OK ]
Please wait while bringing up service IP.
Heartbeat service is running.
Service IP [*.*.*.*] is not on peer or the Heartbeat link is broken.
Stopping High-Availability services: [ OK ]
Please check IP configuration and Heartbeat link.
Starting manager in administrative mode.
[root@NACCAM1 ~]#

Fedora Core release 4 (Stentz)
Kernel 2.6.11-perfigo on an i686

NACCAM2 login: root
Password:
Last login: Tue May 5 08:25:20 on ttyS0
[root@NACCAM2 ~]# service perfigo start
Starting High-Availability services: [ OK ]
Please wait while bringing up service IP.
Heartbeat service is running.
Service IP [*.*.*.*] is not on peer or the Heartbeat link is broken.
Stopping High-Availability services: [ OK ]
Please check IP configuration and Heartbeat link.
Starting manager in administrative mode.
[root@NACCAM2 ~]#

New Member

Re: NAC Manager

I stop and started perfigo services for both CAMs in the failover pair, but am still not able to web into the CAM's Service IP address.

I used to be able to web into the CAM's service IP address, and the original configuration is still in both CAMs.

Thinking that this could be a certificate issue, I exported the HA-Primary CAM's certificate w/ the HA Pair's service IP to the HA-Secondary CAM. I then rebooted both CAMs and still cannot web into the CAM's service IP address.

I also notice that both CAMs' Current Local Status shows up as "DEAD", and the Current Peer CAM status shows up as "UNKNOWN".

Can someone please help?

New Member

Re: NAC Manager

You have to regenerate the certificates with the service IP address on both CAMs (one by one).

HTH

Gold

Re: NAC Manager

Regenerating certs will break any communication with the CASes, I believe, so you might run into some issues there. Look in the documentation guides to avoid any problems like this.

New Member

Re: NAC Manager

With issues inherent in regenerating the certs, I re-exported the certs from the Primary CAM and re-imported the certs into the secondary CAM, but this did not fix the problem. What could have happened to the original certs that once allowed me to web into the CAM pair's service IP?

New Member

Re: NAC Manager

Could be your failover issue, because FO is also down.

And the problem is that failover on both peers is not behaving normally.

New Member

Re: NAC Manager

Here is the strange thing. I can web and ssh into the CAM's individual eth0 IP address. However, the local status of each CAM is dead.

[root@naccam1 bin]# ./fostate.sh

My node is dead, peer node is unknown

[root@naccam2 bin]# ./fostate.sh

My node is dead, peer node is unknown

Looking at this, it makes sense that I would not be able to web into the Service IP of the CAM pair, but what would cause the local status of each CAM to be dead?

New Member

Re: NAC Manager

You are right: as both of the devices are dead from a failover point of view, neither of them is responding to the service IP address.

Please check the failover configuration and ensure you have a failover interface configured, and that the interface is up on both devices.

The standard automatic configuration uses eth1 on the CAM for failover communication and a default network of 192.168.0.252 with the .254 address on the primary and the .253 on the secondary. Is this how you have configured the failover?

Please confirm the failover configuration on the two CAMs.

New Member

Re: NAC Manager

I've talked to a 3rd party integrator about this and have been told that I will need to contact Cisco TAC to first get the local nodes up. Once the nodes are up then we can move on to getting failover to work.

[root@naccam1 bin]# ./fostate.sh

My node is dead, peer node is unknown

[root@naccam2 bin]# ./fostate.sh

My node is dead, peer node is unknown

New Member

Re: NAC Manager

Firstly, can you confirm that you have the correct licensing installed?

If the licensing is installed, then how is the failover configured? If you used the automatic configuration of the failover interface then it should work; if you changed the IP addressing or changed the interface used for failover then I suspect that there may be an IP addressing issue, unless you configured the network-scripts.

Please confirm the failover configuration and we can then troubleshoot this further.
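To make the failover checks requested above (and in the earlier reply about eth1 and the 192.168.0.252 network) concrete, here is an added example, not Cisco's code, that compares what each CAM reports against those defaults and flags the mismatches that would leave both nodes "dead" in fostate.sh. The input dicts, the service IP 10.0.0.10 and the field names are constructed for the example.

```python
# Added example (not Cisco's code): compare the failover settings of the two
# HA-CAM peers against the defaults named in this thread (eth1 heartbeat link,
# 192.168.0.252/30 with .254 on the primary and .253 on the secondary, one shared
# service IP whose certificate CN must match).  Input dicts are constructed.
import ipaddress

HEARTBEAT_NET = ipaddress.ip_network("192.168.0.252/30")
ROLE_ADDR = {"primary": "192.168.0.254", "secondary": "192.168.0.253"}


def check_pair(primary, secondary):
    """Return a list of findings; an empty list means the pair looks consistent."""
    findings = []
    for role, cam in (("primary", primary), ("secondary", secondary)):
        iface = cam["ha_iface"]
        if iface != "eth1":
            findings.append(f"{role}: failover interface {iface} is not the default eth1")
        if not cam["ha_iface_up"]:
            findings.append(f"{role}: failover interface {iface} is down")
        addr = ipaddress.ip_address(cam["ha_addr"])
        if addr not in HEARTBEAT_NET:
            findings.append(f"{role}: heartbeat address {addr} is outside {HEARTBEAT_NET}")
        elif str(addr) != ROLE_ADDR[role]:
            findings.append(f"{role}: expected {ROLE_ADDR[role]} for this role, got {addr}")
        if cam["cert_cn"] != cam["service_ip"]:
            findings.append(f"{role}: certificate CN {cam['cert_cn']} != service IP {cam['service_ip']}")
    if primary["ha_addr"] == secondary["ha_addr"]:
        findings.append("both peers use the same heartbeat address")
    if primary["service_ip"] != secondary["service_ip"]:
        findings.append("service IP differs between the peers")
    return findings


def parse_fostate(line):
    """Split a fostate.sh line such as 'My node is dead, peer node is unknown'."""
    mine, peer = line.split(",")
    return mine.strip().rsplit(" ", 1)[1], peer.strip().rsplit(" ", 1)[1]


# Constructed sample: a healthy pair, then a peer showing the thread's symptoms.
GOOD = {"ha_iface": "eth1", "ha_iface_up": True, "ha_addr": "192.168.0.254",
        "service_ip": "10.0.0.10", "cert_cn": "10.0.0.10"}
GOOD_PEER = dict(GOOD, ha_addr="192.168.0.253")
BAD_PEER = dict(GOOD, ha_addr="192.168.0.253", ha_iface_up=False, cert_cn="naccam2")

if __name__ == "__main__":
    for finding in check_pair(GOOD, BAD_PEER):
        print(finding)
```

On a real pair the dict values would come from ifconfig on eth1, the failover page of each CAM and the CN of the installed certificate; the script only models the comparison.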

New Member

Re: NAC Manager

I would shut down one of the CAMs and try to access the other one, either by the service IP or its physical address. Once you've verified the config there, review the config on the other CAM.

Once you've verified both, try the failover settings again.

New Member

Re: NAC Manager

Try going to Internet Options, Content, "Clear SSL State". Then restart IE and try again.

New Member

Re: NAC Manager

Hi David,

Have you resolved your problem in this case? Because I have the same problem.

Thank you

Regards

Michal

New Member

Re: NAC Manager

Hello David, can you tell us whether you've solved your problem, and how you did it?

Well, I have this same problem and I'm going to redo the settings: I'll first set up NTP, then redo it and generate temporary certificates, then reconfigure failover.

New Member

Re: NAC Manager

Connect the Clean Access Manager Machines

There are two types of connections between HA-CAM peers: one to exchange runtime data that relates to the Clean Access Manager activities and one for the heartbeat signal. In High Availability, the Clean Access Manager always uses the eth1 interface for both data exchange and heartbeat UDP exchange. When the UDP heartbeat signal fails to be transmitted and received within a certain time period, the standby system takes over. In order to provide an extra measure of security, it is highly recommended to add a serial heartbeat connection between the Clean Access Manager peers. The serial connection provides an additional dedicated heartbeat exchange method that must fail before the standby system can take over. Note that the eth1 connection between the CAM peers is mandatory.

Physically connect the peer Clean Access Managers as shown:

  • Use a crossover cable to connect the eth1 Ethernet ports of the Clean Access Manager machines. This connection is used for the heartbeat UDP interface and data exchange (database mirroring) between the failover peers.
  • Use a null modem serial cable to connect the serial ports (highly recommended). This connection is used as an additional heartbeat serial exchange (keep-alive) between the failover peers.

Note: For serial cable connection for HA (either HA-CAM or HA-CAS), the serial cable must be a “null modem” cable.
