OnGuard Agent shows ClearPass server unreachable when the client has L3 connectivity to the server.

Aruba Employee

Problem:

Although the client has Layer 3 connectivity to the ClearPass server, the OnGuard agent reports the ClearPass server as unreachable.



Diagnostics:

As shown in the screenshot below, agent.conf lists two authentication servers, 10.17.164.156 and 10.17.164.166. When 10.17.164.156 is down or unreachable (as shown with ICMP), the OnGuard agent tries the second authentication server in the list.

Although the second server is reachable from the client (as shown with ICMP), the OnGuard agent shows "ClearPass server: None reachable". As a result, the health check fails.



Solution

The OnGuard agent logs show that when the agent tried to connect to the ClearPass server over HTTPS, it failed to resolve the hostname because of the blank space between the first authentication server and the second one.

Logs snippet:

2017-04-09 08:31:05,449 [Th 000013b8] INFO  OnGuardPlugin.HttpAuthChannel - SetLocalAddr: 'Local Area Connection' - New local IP: 10.20.32.237

2017-04-09 08:31:05,449 [Th 000013b8] INFO  OnGuardPlugin.HttpClientWrapper - ExecuteMethod: Local IP: 10.1 Remote IP:  10.17.164.166, url: https:// 10.17.164.166/images/index.html

2017-04-09 08:31:07,701 [Th 000013b8] ERROR OnGuardPlugin.HttpClientWrapper - ExecuteMethod: Send Request failed from Local IP: 10.20.32.237 to Remote IP:  10.17.164.166. Error - 6(Couldn't resolve host name)

2017-04-09 08:31:07,701 [Th 000013b8] ERROR OnGuardPlugin.HttpClientWrapper - DoSubmit: ExecuteMethod failed for Local IP: 10.20.32.237 Remote IP:  10.17.164.166.

2017-04-09 08:31:07,701 [Th 000013b8] ERROR OnGuardPlugin.HttpAuthChannel - IsAuthServerReachable: 'Local Area Connection' - Echo to  10.17.164.166 failed from Local IP: 10.20.32.237.

2017-04-09 08:31:07,711 [Th 000013b8] INFO  OnGuardPlugin.AuthServerQuery - Execute: Reachability Status for Local Area Connection to server  10.17.164.166 – 0

In this case, removing the blank space resolved the issue. By default, there is no space between the authentication server IP addresses in a zone. However, take care when configuring override servers in the OnGuard agent settings (Navigation: Administration » Agents and Software Updates » OnGuard Settings » Policy Manager Zones) so that the list does not contain any spaces.
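
A check for this condition, added here as an example (it is not part of the original article or of Aruba's tooling): it flags server-list entries carrying stray whitespace and finds resolve failures in agent logs whose target is a space-padded IP literal. The comma-separated list format and the function names are assumptions; the first sample log line comes from the snippet above and the second is constructed.

```python
import ipaddress
import re

# Resolve-failure line format, taken from the log snippet in this article.
RESOLVE_FAIL = re.compile(
    r"to Remote IP: (?P<host>.*?)\. Error - 6\(Couldn't resolve host name\)")

SAMPLE_LOG = [
    # From the article's snippet: note the two spaces after "Remote IP:".
    "2017-04-09 08:31:07,701 [Th 000013b8] ERROR OnGuardPlugin.HttpClientWrapper"
    " - ExecuteMethod: Send Request failed from Local IP: 10.20.32.237"
    " to Remote IP:  10.17.164.166. Error - 6(Couldn't resolve host name)",
    # Constructed control line: a real hostname, so a DNS failure may be genuine.
    "2017-04-09 08:31:09,100 [Th 000013b8] ERROR OnGuardPlugin.HttpClientWrapper"
    " - ExecuteMethod: Send Request failed from Local IP: 10.20.32.237"
    " to Remote IP: cppm.example.test. Error - 6(Couldn't resolve host name)",
]

def check_server_list(raw):
    """Return (entry, problem) pairs for a server list (assumed comma-separated)."""
    findings = []
    for entry in raw.split(","):
        if not entry.strip():
            findings.append((entry, "empty entry"))
        elif entry != entry.strip():
            findings.append((entry, "leading/trailing whitespace"))
    return findings

def padded_ip_resolve_failures(log_lines):
    """Return space-padded IP literals that failed name resolution.

    An IP literal needs no DNS lookup, so 'Couldn't resolve host name'
    against one points at stray characters in the configured value.
    """
    hits = []
    for line in log_lines:
        m = RESOLVE_FAIL.search(line)
        if not m:
            continue
        host = m.group("host")
        try:
            ipaddress.ip_address(host.strip())
        except ValueError:
            continue  # not an IP literal; leave hostname failures to DNS triage
        if host != host.strip():
            hits.append(host)
    return hits

if __name__ == "__main__":
    print(check_server_list("10.17.164.156, 10.17.164.166"))
    print(padded_ip_resolve_failures(SAMPLE_LOG))
```
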
