Cisco Support Community

Replaced CAS in HA will not sync with CAM (NAC)

Setup:

2 x CAM in HA version 4.8.2

2 x CAS in HA version 4.8.2 Type: Out-of-Band Virtual Gateway

After replacing a faulty NAC Server which was part of a 2 server HA setup, we're not able to get the new NAC Server (CAS) to sync with the NAC Managers (CAM).

The HA heartbeat is working and the 2 servers are in HA.

We have installed the Certificate with private key from the current running CAS and the Cert-chain.

We have modified the peer serials (MAC addresses) to match the new CAS.

We are getting this error in the CAM event log:

CleanAccessServer    NAC server x.x.x.198 is out-of-sync.

We are seeing this error in the cam_logs.x.x.x.x\perfigo\control\tomcat\logs:

2013-11-19 21:28:32.047 +0100 [DBWatchdog] TRACE com.perfigo.wlan.web.admin.DBUtilImpl              - DB Watchdog sleeping ...sleeptime=1995

2013-11-19 21:28:32.897 +0100 [CASPingTimer] DEBUG com.perfigo.wlan.web.admin.SecureSmartPublisher    - SSP - ConnPingTask: starting ...

2013-11-19 21:28:32.897 +0100 [CASPingTimer] DEBUG com.perfigo.wlan.web.admin.SecureSmartPublisher    - SSP - ConnPingTask: # of SecureSmartServers: 2

2013-11-19 21:28:32.898 +0100 [CASPingTimer] DEBUG com.perfigo.wlan.web.admin.ConnectorClient         - connect : Connect to <x.x.x.198:1099>

2013-11-19 21:28:32.903 +0100 [CASPingTimer] DEBUG com.perfigo.wlan.ssl.SSLLog                        - SSLManager: server's certificate chain verification ok ... CN=x.x.x.198, OU=xxxxxx

2013-11-19 21:28:32.905 +0100 [CASPingTimer] DEBUG com.perfigo.wlan.ssl.SSLLog                        - RMISocketFactory:CACHED_SOCKETS_SIZE=0

2013-11-19 21:28:32.905 +0100 [CASPingTimer] DEBUG com.perfigo.wlan.ssl.SSLLog                        - RMISocketFactory:CACHED_SOCKETSE=[]

2013-11-19 21:28:32.905 +0100 [CASPingTimer] ERROR com.perfigo.wlan.web.admin.ConnectorClient         - Communication Exception : Could not connect to the Clean Access Server Exception creating connection to: x.x.x.198; nested exception is:

    javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate

2013-11-19 21:28:32.905 +0100 [CASPingTimer] DEBUG com.perfigo.wlan.web.admin.SecureSmartPublisher    - SSP - ConnPingTask: Error while checking for connectivity to CAS

2013-11-19 21:28:32.908 +0100 [CASPingTimer] DEBUG com.perfigo.wlan.ssl.SSLLog                        - RMISocketFactory:CACHED_SOCKETS_SIZE=1

The certificate for the new CAS was installed with the private key, but probably when the server had incorrect time - we have checked that the new CAS has synced with NTP and the time is correct when we're getting the sync errors.

Or does the old faulty CAS have to be removed from the CAM before trying to replace it with the new one in CAM: CCA Servers / List Servers?

What are we missing to get the replaced CAS in sync and online correctly?

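An added example, not part of the original post or of any Cisco tooling: it parses log lines in the format quoted in the post and, for each TLS alert, reports the peer, the alert name, and whether the local side had already verified the peer's chain. A "Received fatal alert" is sent by the remote peer about a certificate it was shown, so after a successful local chain check it points at the certificate the logging side presented. The sample lines are constructed (192.0.2.198 is a documentation address) and the function and field names are assumptions.

```python
import re

# Constructed sample in the log format quoted in the post; addresses and OU are placeholders.
SAMPLE = """\
2013-11-19 21:28:32.898 +0100 [CASPingTimer] DEBUG com.perfigo.wlan.web.admin.ConnectorClient         - connect : Connect to <192.0.2.198:1099>
2013-11-19 21:28:32.903 +0100 [CASPingTimer] DEBUG com.perfigo.wlan.ssl.SSLLog                        - SSLManager: server's certificate chain verification ok ... CN=192.0.2.198, OU=example
2013-11-19 21:28:32.905 +0100 [CASPingTimer] ERROR com.perfigo.wlan.web.admin.ConnectorClient         - Communication Exception : Could not connect to the Clean Access Server Exception creating connection to: 192.0.2.198; nested exception is:
    javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
"""

# timestamp, UTC offset, [thread], level, logger, " - ", message
RECORD = re.compile(r"^\S+ \S+ \S+ \[(?P<thread>[^\]]+)\]\s+\w+\s+\S+\s+- (?P<msg>.*)$")
CONNECT = re.compile(r"Connect to <([^>]+)>")
ALERT = re.compile(r"SSLHandshakeException: Received fatal alert: (\w+)")

def triage(text):
    """Return one finding per received TLS alert, tied to the connect attempt on the same thread."""
    state, findings, thread = {}, [], None
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            thread, msg = m["thread"], m["msg"]
        elif line.strip() and thread:
            msg = line.strip()  # continuation line (nested exception) of the previous record
        else:
            continue
        c = CONNECT.search(msg)
        if c:  # a new connection attempt resets what we know for this thread
            state[thread] = {"peer": c.group(1), "chain_ok": False}
        attempt = state.setdefault(thread, {"peer": None, "chain_ok": False})
        if "certificate chain verification ok" in msg:
            attempt["chain_ok"] = True
        a = ALERT.search(msg)
        if a:
            # "Received" means the remote peer sent the alert and aborted the handshake.
            # If the peer's chain had already verified locally, the certificate in
            # question is the one this side presented to the peer.
            findings.append({
                "peer": attempt["peer"],
                "alert": a.group(1),
                "peer_chain_verified_locally": attempt["chain_ok"],
                "rejected": "local certificate" if attempt["chain_ok"] else "undetermined",
            })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```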