Contributor II

CPPM cluster. Bringing subscriber back causes "AD pipe broken" errors

Hi

 

I've got a 3 node cluster, 1 publisher and 2 subscribers. I have 1 switch and 1 PC which is doing an 802.1x service off to 1 AD server. This is all in a single room. We have a test scenario which gets into a state that is unexplainable so I'm looking for a greater understanding of how ClearPass works.

 

We have a Cisco switch which is configured to point to a primary subscriber and if that is unreachable, it will auto redirect requests to the secondary subscriber. All works well when we shut down the primary subscriber's network port. All devices now authenticate against the secondary subscriber.

 

However! When we bring the primary subscriber back online by re-enabling the port, the switch reverts to trying the primary. All good so far! But all the authentication requests are rejected in access tracker. All have the error code 'MSCHAP: AD status:Pipe broken (0xc000014b)'.

 

It can be cleared by doing one or more of the following: clearing the cache on the source, shut/no shut on the device port, just waiting! However, it is never the same and feels quite random! We have a repeatable scenario to get into the broken state but the fix appears to be completely accidental! I can't explain it.

 

We've got a bit circular with our TAC case so that hasn't helped. We have had an AD expert review the comms on the AD end and all looks fine. Although he has thrown the observation that all comms into the AD are being seen as coming from the publisher, nothing from either of the subscribers. If there isn't a pipe between a subscriber and AD, how can it be broken?!

 

Any comments and observations helpful. 

Re: CPPM cluster. Bringing subscriber back causes "AD pipe broken" errors

By any chance do you have a firewall between CPPM and AD ?

 

Have you added CPPM to the domain ?

 

 

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Contributor II

Re: CPPM cluster. Bringing subscriber back causes "AD pipe broken" errors

Hi

No firewalls. Both subscribers work fine when up so don't think it's comms.
All appliances are in the domain.

Regards


Chris Tagg
New Contributor

Re: CPPM cluster. Bringing subscriber back causes "AD pipe broken" errors

I have run into this same issue before, pretty much the same scenario. Three node cluster, publisher and two subscribers. What fixed the issue for me was to run the following from the CLI of the affected node:

 

# service restart all

 

After the service restart, run the following:

 

# ad testjoin *yourdomainnamehere*
Join is OK

 

# ad auth -u *domainusername* -n *domainname*
password: *domainpassword*
INFO -  NT_STATUS_OK: Success (0x0)

 

The restart will kill any hung processes and bring everything back to a fresh state.
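
Added example, not part of the thread and not ClearPass code: since the thread describes the recovery as feeling random, this Python sketch measures how long each node stays in the "Pipe broken (0xc000014b)" state, so a cache clear, a port bounce and plain waiting can be compared by numbers. The CSV layout, column names and node names (`sub1`, `sub2`) are assumptions standing in for whatever an Access Tracker export provides.

```python
import csv
import io
from datetime import datetime

PIPE_BROKEN = "0xc000014b"  # status code quoted in the thread's error text

# Constructed sample rows. The column names and node names are assumptions,
# not a real ClearPass export format.
SAMPLE = """timestamp,server,username,status,error
2024-01-10 10:00:05,sub1,pc01,ACCEPT,
2024-01-10 10:02:10,sub2,pc01,ACCEPT,
2024-01-10 10:03:00,sub2,pc01,REJECT,User not found
2024-01-10 10:05:01,sub1,pc01,REJECT,MSCHAP: AD status:Pipe broken (0xc000014b)
2024-01-10 10:05:31,sub1,pc01,REJECT,MSCHAP: AD status:Pipe broken (0xc000014b)
2024-01-10 10:06:02,sub1,pc01,REJECT,MSCHAP: AD status:Pipe broken (0xc000014b)
2024-01-10 10:09:45,sub1,pc01,ACCEPT,
"""

def failure_windows(text, code=PIPE_BROKEN):
    """Group pipe-broken rejects into per-server windows closed by the next ACCEPT."""
    done, active = {}, {}
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        srv = row["server"]
        if row["status"] == "REJECT" and code in (row["error"] or "").lower():
            win = active.setdefault(srv, {"start": ts, "count": 0, "recovered": None})
            win["last"] = ts
            win["count"] += 1
        elif row["status"] == "ACCEPT" and srv in active:
            win = active.pop(srv)
            win["recovered"] = ts
            done.setdefault(srv, []).append(win)
        # Rejects for other reasons neither open nor close a window.
    for srv, win in active.items():  # still broken at end of data
        done.setdefault(srv, []).append(win)
    return done

def outage_seconds(win):
    """Seconds from first pipe-broken reject to recovery, or None if still broken."""
    if win["recovered"] is None:
        return None
    return int((win["recovered"] - win["start"]).total_seconds())

if __name__ == "__main__":
    for srv, wins in failure_windows(SAMPLE).items():
        for w in wins:
            print(srv, w["start"], w["count"], "rejects,", outage_seconds(w), "s")
```

Running the same measurement after each repeat of the failback test, with the time of each attempted fix noted alongside, shows whether any action actually shortens the window or whether it clears on its own timer.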

 

 
