New Contributor
Posts: 4
Registered: ‎01-09-2015

ClearPass Virtual IP going to subscriber

We have CPPM 6.3.3.63748 and are seeing an issue where it appears that both servers in the cluster (one publisher and one subscriber) claim to own the VIP.  When connecting to the VIP it always goes to the subscriber but I'm under the assumption it should be going to the publisher?  If I click "Virtual IP Settings" under Server Configuration, each server shows itself as the owner (the green dot is next to the name of the server I'm looking at it from).  From the subscriber's point of view, shouldn't it show the VIP as active on the publisher?

 

I've also noticed that the Virtual IP service is in "Running" status on the subscriber, should this not be the case?  Should I just stop the Virtual IP service on the subscriber and will failover automatically trigger it when needed?  We did some failover testing a few weeks ago and I'm wondering if this is fallout from that.

 

 

Moderator
Posts: 458
Registered: ‎11-09-2012

Re: ClearPass Virtual IP going to subscriber

So in reverse........ the service should be running on both nodes.

 

Are these VMs? As I've seen 'funnies' when the port group is not configured correctly to handle the multicast traffic.

Typically this has occurred when the ESXi hosts are using Distributed vSwitches rather than standard vSwitch.

Can you please confirm which you are using?

I've seen environments where the Distributed switch's port security profile limits/suppresses the multicast traffic used for functions like VRRP.

Go take a close look at the security settings for the switches in general, even if you are using standard vSwitch, look at forged-transmits, promiscuous mode etc.


Best Regards
-d

Snr Tech Marketing Engineer - ClearPass

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
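Added example (not part of the thread, and not Aruba or VMware code): a small model of why a port group with Forged Transmits set to Reject can silence a VRRP-style VIP election, so that each node hears no peer and claims the VIP. It assumes the advertisement is a standard VRRPv2 packet sourced from the virtual router MAC 00:00:5e:00:01:<VRID>, which the thread does not confirm for ClearPass; the MAC and IP values and all function names are constructed.

```python
import struct

VRRP_PROTO = 112                      # IP protocol number assigned to VRRP
VRRP_GROUP = bytes([224, 0, 0, 18])   # VRRP multicast destination address

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def build_advert(src_mac, src_ip, vrid, priority, vip):
    """Constructed sample: Ethernet + IPv4 + VRRPv2 advertisement (checksums left zero)."""
    vrrp = bytes([0x21, vrid, priority, 1, 0, 1, 0, 0]) + bytes(vip) + bytes(8)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0xC0, 20 + len(vrrp), 0, 0, 255,
                     VRRP_PROTO, 0, bytes(src_ip), VRRP_GROUP)
    eth = mac("01:00:5e:00:00:12") + src_mac + b"\x08\x00"
    return eth + ip + vrrp

def parse_advert(frame):
    """Return (src_mac, vrid, priority) for a VRRP advertisement, else None."""
    if len(frame) < 14 + 20 + 8 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != VRRP_PROTO or frame[14 + 16:14 + 20] != VRRP_GROUP:
        return None
    vrrp = frame[14 + ihl:]
    if len(vrrp) < 8 or vrrp[0] & 0x0F != 1:   # type 1 = ADVERTISEMENT
        return None
    return frame[6:12], vrrp[1], vrrp[2]

def vswitch_forwards(frame, vnic_mac, forged_transmits_accept):
    """Model of the Forged Transmits check applied to frames leaving a VM."""
    return forged_transmits_accept or frame[6:12] == vnic_mac

def advert_blocked_by_policy(frame, vnic_mac, forged_transmits_accept):
    """True when a VRRP advertisement sent from this vNIC would be dropped."""
    return parse_advert(frame) is not None and not vswitch_forwards(
        frame, vnic_mac, forged_transmits_accept)

VNIC = mac("00:50:56:aa:bb:01")       # constructed MAC assigned to the VM's vNIC
VMAC = mac("00:00:5e:00:01:0a")       # VRRP virtual router MAC for VRID 10
ADVERT = build_advert(VMAC, [192, 0, 2, 11], 10, 100, [192, 0, 2, 10])

if __name__ == "__main__":
    for accept in (False, True):
        print("Forged Transmits", "Accept" if accept else "Reject",
              "-> advert dropped:", advert_blocked_by_policy(ADVERT, VNIC, accept))
```

Accept lets a guest send frames under any source MAC, so scoping the change to the port group that carries the cluster nodes keeps the rest of the switch on Reject.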
Frequent Contributor I
Posts: 62
Registered: ‎05-06-2013

Re: ClearPass Virtual IP going to subscriber

Am I correct in assuming the real IPs are on the same subnet? Has this worked before?
New Contributor
Posts: 4
Registered: ‎01-09-2015

Re: ClearPass Virtual IP going to subscriber

Yep, the appliances are VMs, and after digging through some other posts it sounds like this Forged Transmit feature being enabled may help us.  I've given our VM person a heads up on getting this done.  They are also on the same subnet and it did work as designed before but I think when we started testing failover it may have exposed this.

 

I'll report back once we've tested with Forged Transmits enabled on the vSwitch.  Thanks for the replies so far!

New Contributor
Posts: 4
Registered: ‎01-09-2015

Re: ClearPass Virtual IP going to subscriber

Checking in like I said I would.  We just made the changes this morning and as soon as the second VM had its forged transmits enabled there was an entry in the Event Viewer showing the subscriber releasing the VIP and all traffic has gone to the publisher since.

 

Thanks for the help all.

Moderator
Posts: 458
Registered: ‎11-09-2012

Re: ClearPass Virtual IP going to subscriber

Sweet..!!!

 

Thanks for getting back to us.

 

 


Best Regards
-d

Snr Tech Marketing Engineer - ClearPass

MVP
Posts: 470
Registered: ‎05-11-2011

Re: ClearPass Virtual IP going to subscriber

Gawd I love Airheads! Anyways - just ran into the same thing and was clueless of what to do.. Found this post 5 minutes after deadline so unable to test, but will get the VMware guys to enable this and test asap.

Thanks again!

Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
Moderator
Posts: 458
Registered: ‎11-09-2012

Re: ClearPass Virtual IP going to subscriber

Hi John,

 

Glad we could help you out.. :-)


Best Regards
-d

Snr Tech Marketing Engineer - ClearPass
