08-27-2014 05:10 AM
I've got a 3 node cluster, 1 publisher and 2 subscribers. I have 1 switch and 1 PC which is doing an 802.1x service off to 1 AD server. This is all in a single room. We have a test scenario which gets into a state that is unexplainable so I'm looking for a greater understanding of how ClearPass works.
We have a Cisco switch which is configured to point to a primary subscriber and if that is unreachable, it will auto redirect requests to the secondary subscriber. All works well when we shutdown the primary subscriber's network port. All devices now authenticate against the secondary subscriber.
However! When we bring the primary subscriber back online by re-enabling the port, the switch reverts to trying the primary. All good so far! But all the authentication requests are rejected in Access Tracker. All have the error code 'MSCHAP: AD status:Pipe broken (0xc000014b)'.
It can be cleared by doing one or more of the following: clearing the cache on the source, shut/no shut on the device port, or just waiting! However, it is never the same and feels quite random! We have a repeatable scenario to get into the broken state but the fix appears to be completely accidental! I can't explain it.
We've got a bit circular with our TAC case so that hasn't helped. We have had an AD expert review the comms on the AD end and all looks fine. Although he has thrown in the observation that all comms into the AD are being seen as coming from the publisher, nothing from either of the subscribers. If there isn't a pipe between a subscriber and AD, how can it be broken?!
Any comments and observations would be helpful.
08-27-2014 05:47 AM
By any chance do you have a firewall between CPPM and AD?
Have you added CPPM to the domain?
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
03-31-2015 08:59 AM
I have run into this same issue before, pretty much the same scenario. Three node cluster, publisher and two subscribers. What fixed the issue for me was, from the CLI of the affected node, running:
# service restart all
After the service restart, run the following:
# ad testjoin *yourdomainnamehere*
Join is OK
# ad auth -u *domainusername* -n *domainname*
INFO - NT_STATUS_OK: Success (0x0)
The restart will kill any hung processes and bring everything back to a fresh state.
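The failure mode in the original post (authentications succeed on the secondary subscriber, then fail with 'MSCHAP: AD status:Pipe broken (0xc000014b)' once the switch fails back to the primary) is easy to miss if you only watch the overall accept/reject ratio, because the rejects are concentrated on one node. The script below is an added example, not code from this thread or from ClearPass: it reads constructed, CSV-shaped authentication records (the `timestamp,cppm_server,nas_ip,outcome,error` layout is an assumption for the example, not the real Access Tracker export format), counts pipe-broken rejects per cluster node, and flags any node whose most recent run of them has reached a threshold, which is the point at which the restart-and-verify steps from the later reply would be run on that node.

```python
import re
from collections import defaultdict

# Constructed sample records (not real Access Tracker output). Layout assumed
# for this example: timestamp,cppm_server,nas_ip,outcome,error
SAMPLE_LINES = [
    "2014-08-27T05:01:12,cppm-sub1,10.10.1.5,ACCEPT,",
    "2014-08-27T05:01:40,cppm-sub1,10.10.1.5,ACCEPT,",
    # primary subscriber port shut: the switch fails over to cppm-sub2
    "2014-08-27T05:05:03,cppm-sub2,10.10.1.5,ACCEPT,",
    "2014-08-27T05:05:30,cppm-sub2,10.10.1.5,ACCEPT,",
    # primary back online: the switch returns to cppm-sub1, which now rejects everything
    "2014-08-27T05:10:02,cppm-sub1,10.10.1.5,REJECT,MSCHAP: AD status:Pipe broken (0xc000014b)",
    "2014-08-27T05:10:18,cppm-sub1,10.10.1.5,REJECT,MSCHAP: AD status:Pipe broken (0xc000014b)",
    "2014-08-27T05:10:41,cppm-sub1,10.10.1.5,REJECT,MSCHAP: AD status:Pipe broken (0xc000014b)",
    "2014-08-27T05:11:05,cppm-sub1,10.10.1.5,REJECT,MSCHAP: AD status:Pipe broken (0xc000014b)",
]

# The error string quoted in the original post; the NT status code is the stable part.
PIPE_BROKEN = re.compile(r"AD status:\s*Pipe broken \(0xc000014b\)")


def parse_line(line):
    """Split one record into its five fields; return None for malformed input."""
    parts = line.strip().split(",", 4)
    if len(parts) != 5:
        return None
    ts, server, nas, outcome, error = parts
    return {"ts": ts, "server": server, "nas": nas, "outcome": outcome, "error": error}


def summarize(lines):
    """Per-node counters: total requests, rejects, pipe-broken rejects, and the
    length of the current consecutive run of pipe-broken rejects."""
    stats = defaultdict(lambda: {"total": 0, "rejects": 0,
                                 "pipe_broken": 0, "consecutive_pipe_broken": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["server"]]
        s["total"] += 1
        if rec["outcome"] == "REJECT":
            s["rejects"] += 1
        if PIPE_BROKEN.search(rec["error"]):
            s["pipe_broken"] += 1
            s["consecutive_pipe_broken"] += 1
        else:
            # any non-pipe-broken result on this node ends the run
            s["consecutive_pipe_broken"] = 0
    return dict(stats)


def flag_broken_nodes(stats, min_consecutive=3):
    """Names of nodes whose latest run of pipe-broken rejects reached the threshold.
    A run (rather than a lifetime count) avoids re-alerting on a node that has recovered."""
    return sorted(name for name, s in stats.items()
                  if s["consecutive_pipe_broken"] >= min_consecutive)


if __name__ == "__main__":
    stats = summarize(SAMPLE_LINES)
    for node, s in sorted(stats.items()):
        print(f"{node}: total={s['total']} rejects={s['rejects']} "
              f"pipe_broken={s['pipe_broken']} run={s['consecutive_pipe_broken']}")
    for node in flag_broken_nodes(stats):
        print(f"ALERT {node}: AD pipe broken; verify with 'ad testjoin' / 'ad auth' "
              f"and consider 'service restart all' on that node")
```

Running it prints the per-node counters and an alert for cppm-sub1 only; cppm-sub2 served its requests cleanly during the failover window, which is the signature the original poster describes. The threshold is deliberately a run length, so a single transient reject does not page anyone, and the alert names the node so that the remediation from the later reply is applied to the right subscriber rather than cluster-wide.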