Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Virtual IP going to subscriber

  • 1.  ClearPass Virtual IP going to subscriber

    Posted Mar 12, 2015 10:40 AM

    We have CPPM 6.3.3.63748 and are seeing an issue where it appears that both servers in the cluster (one publisher and one subscriber) claim to own the VIP.  When connecting to the VIP it always goes to the subscriber, but I'm under the assumption it should be going to the publisher?  If I click "Virtual IP Settings" under Server Configuration, each server shows itself as the owner (the green dot is next to the name of the server I'm looking at it from).  From the subscriber's point of view, shouldn't it show the VIP as active on the publisher?

    I've also noticed that the Virtual IP service is in "Running" status on the subscriber; should this not be the case?  Should I just stop the Virtual IP service on the subscriber, and will failover automatically trigger it when needed?  We did some failover testing a few weeks ago and I'm wondering if this is fallout from that.

     

     



  • 2.  RE: ClearPass Virtual IP going to subscriber
    Best Answer

    Posted Mar 12, 2015 11:12 AM

    So in reverse... the service should be running on both nodes.

    Are these VMs? I've seen 'funnies' when the port group is not configured correctly to handle the multicast traffic.

    Typically this has occurred when the ESXi hosts are using Distributed vSwitches rather than a standard vSwitch.

    Can you please confirm which you are using?

    I've seen environments where the Distributed switch's port security profile limits/suppresses the multicast traffic used for functions like VRRP.

    Go take a close look at the security settings for the switches in general; even if you're using a standard vSwitch, look at forged transmits, promiscuous mode, etc.
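An added example (not from this thread or from HPE Aruba): a PowerCLI audit of the vSwitch/dvSwitch security policy on every port group the ClearPass VMs are attached to, so the forged-transmits and promiscuous-mode settings the reply above points at can be checked on both cluster nodes at once. It assumes PowerCLI is loaded, Connect-VIServer has already been run, and the VM names are placeholders to adjust.

```powershell
# Added example, not part of the original post. Assumes an active PowerCLI session.
$clearPassVMs = @('cppm-publisher', 'cppm-subscriber')   # assumed VM names, adjust to your inventory

function Get-PortGroupSecurity {
    param([Parameter(Mandatory)]$VM)
    foreach ($nic in Get-NetworkAdapter -VM $VM) {
        $name = $nic.NetworkName
        # Look for a distributed port group first; otherwise fall back to the
        # standard vSwitch port group on the host the VM currently runs on.
        $vdpg = Get-VDPortgroup -Name $name -ErrorAction SilentlyContinue
        if ($vdpg) {
            $pol  = Get-VDSecurityPolicy -VDPortgroup $vdpg
            $type = 'Distributed'
        } else {
            $pg   = Get-VirtualPortGroup -VMHost $VM.VMHost -Name $name -Standard
            $pol  = Get-SecurityPolicy -VirtualPortGroup $pg
            $type = 'Standard'
        }
        [pscustomobject]@{
            VM               = $VM.Name
            Adapter          = $nic.Name
            PortGroup        = $name
            SwitchType       = $type
            ForgedTransmits  = $pol.ForgedTransmits
            MacChanges       = $pol.MacChanges
            AllowPromiscuous = $pol.AllowPromiscuous
        }
    }
}

$report = foreach ($vmName in $clearPassVMs) {
    Get-PortGroupSecurity -VM (Get-VM -Name $vmName)
}
$report | Format-Table -AutoSize

# The VRRP master sends its advertisements with the virtual router MAC
# (00:00:5e:00:01:<VRID>) as the source address, not the VM's own MAC, so a
# port group that rejects forged transmits drops them and each node keeps
# believing it owns the VIP. Flag every ClearPass adapter on such a port group.
$report | Where-Object { -not $_.ForgedTransmits } | ForEach-Object {
    Write-Warning ("{0}/{1}: port group '{2}' ({3}) rejects forged transmits" -f
        $_.VM, $_.Adapter, $_.PortGroup, $_.SwitchType)
}
```

Remediation is a separate, deliberate step on the flagged port groups only: Set-SecurityPolicy -ForgedTransmits $true for a standard vSwitch port group, or Set-VDSecurityPolicy -ForgedTransmits $true for a distributed one, so the relaxed setting is scoped to the ClearPass port group rather than the whole switch.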



  • 3.  RE: ClearPass Virtual IP going to subscriber

    Posted Mar 12, 2015 08:52 PM

    Am I correct in assuming the real IPs are on the same subnet? Has this worked before?


  • 4.  RE: ClearPass Virtual IP going to subscriber

    Posted Mar 13, 2015 02:03 PM

    Yep, the appliances are VMs, and after digging through some other posts it sounds like this Forged Transmit feature being enabled may help us.  I've given our VM person a heads up on getting this done.  They are also on the same subnet, and it did work as designed before, but I think when we started testing failover it may have exposed this.

    I'll report back once we've tested with Forged Transmits enabled on the vSwitch.  Thanks for the replies so far!



  • 5.  RE: ClearPass Virtual IP going to subscriber

    Posted Mar 30, 2015 01:49 PM

    Checking in like I said I would.  We just made the changes this morning, and as soon as the second VM had its forged transmits enabled there was an entry in the Event Viewer showing the subscriber releasing the VIP, and all traffic has gone to the publisher since.

    Thanks for the help all.



  • 6.  RE: ClearPass Virtual IP going to subscriber

    Posted Mar 30, 2015 02:19 PM

    Sweet..!!!

    Thanks for getting back to us.



  • 7.  RE: ClearPass Virtual IP going to subscriber

    Posted Mar 08, 2016 03:03 PM

    Gawd I love Airheads! Anyways - just ran into the same thing and was clueless about what to do.. Found this post 5 minutes after deadline so unable to test, but will get the VMware guys to enable this and test asap.

    Thanks again!



  • 8.  RE: ClearPass Virtual IP going to subscriber

    Posted Mar 08, 2016 07:25 PM

    Hi John,

    Glad we could help you out.. :-)