Contributor II

ClearPass issue on Microsoft Hyper-V

Hey all, I ran into an interesting issue with deploying a ClearPass VA-5k on Hyper-V.  The Hyper-V version is 2012 R2, and the VA was deployed using the latest template downloaded from Aruba.

The issue was that the VM would run for a few hours and then suddenly lose all network connectivity.  A reboot would restore it, again for about 5-6 hours, then it would disappear again.

The Hyper-V administrator noticed a few things:  

- the template is built using a very old Hyper-V version (2008 I believe).

- the NICs are set to be "legacy" NICs

- the driver for the Legacy NICs is very out-of-date

Hyper-V Event Viewer gave us this warning:

"Networking driver in CLEARPASS loaded but has a different version from the server. Server version 5.0  Client version 3.2 (Virtual machine ID 81A9D98D-595A-4295-9160-EA0E4C18DD95). The device will work, but this is an unsupported configuration. This means that technical support will not be provided until this problem is resolved. To fix this problem, upgrade the integration services. To upgrade, connect to the virtual machine and select Insert Integration Services Setup Disk from the Action menu."

 

So, since there's no way to access the root shell in ClearPass, I won't be able to update the drivers.  

What I did instead was remove the Legacy NICs, and replace them with the standard "Synthetic NIC".  ClearPass had no problem recognizing the new NICs and network connectivity was restored. 

At this point I'll continue monitoring the appliances to see if this is a permanent fix, but thought I would put this out there for anyone else running ClearPass on Hyper-V.  Maybe Aruba / HPE should consider updating the template and drivers in their VA?

Re: ClearPass issue on Microsoft Hyper-V

Please open a case with Aruba TAC to troubleshoot. Network interfaces, especially in default configuration should not go down.

 

Did you check the VM install Tech Note that is on the support website with the product download, which has some hints as well on Hyper-V configuration?

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
Occasional Contributor I

Re: ClearPass issue on Microsoft Hyper-V

How did you change the NICs? In ClearPass or Hyper-V?

I have the same issue.

Re: ClearPass issue on Microsoft Hyper-V

You cannot change it in ClearPass, so it must be Hyper-V. But please open a TAC case if you experience these kinds of stability issues with Aruba products. That will allow the problem to be fixed, and prevent others running into the same issues.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
Contributor II

Re: ClearPass issue on Microsoft Hyper-V

TAC was baffled by this.  I doubt that anyone in TAC has much experience with Hyper-V.  I know it's not very common in my install base.

We installed it from the template downloaded from the Aruba site.  The Hyper-V admin noticed that the template was built on Hyper-V 2008.  The notes don't mention anything else regarding specific builds on Hyper-V except the system requirements (disk, CPU, RAM, etc.).

Contributor II

Re: ClearPass issue on Microsoft Hyper-V

I removed the legacy NICs and added the new ones in Hyper-V (shut down the VM and edit the settings).  It's been stable for a week now.

Re: ClearPass issue on Microsoft Hyper-V

The Installing or Upgrading ClearPass 6.6 on a Virtual Machine Technote, that is available here, does mention the supported Hyper-V versions as:

- Microsoft Hyper-V Server 2012 R2
- Microsoft Hyper-V Server 2016
- Windows Server 2012 R2 with Hyper-V
- Windows Server 2016 with Hyper-V

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
Contributor I

Re: ClearPass issue on Microsoft Hyper-V

I have a problem with Hyper-V NICs going down. I couldn't get legacy ones to work at all and the NICs that were set up in the Hyper-V installation didn't work.

 

So I added another NIC and it worked for about two weeks and then it failed.

 

I turned off the dynamically assigned MAC address for the NIC and put the original one back in as static, and it has been online ever since. It appears that Hyper-V changed the MAC address of the NIC - I assume ClearPass wouldn't appreciate that?

 

My experience seems to indicate that legacy is bad and that you should use a static MAC address on the virtual NIC when setting it up.

Contributor I

Re: ClearPass issue on Microsoft Hyper-V

On a final note, the second node of the cluster went down after a reboot.

 

Same thing, the NIC wouldn't work after a reboot of the Hyper-V server.

 

I updated the Broadcom drivers (not good) and removed VMQ from the NIC and Hyper-V (not necessary on a 1 gig NIC anyway).

 

Changing the ClearPass NIC to a static and not a dynamic MAC address seemed to be the main issue.

 

But this was more complicated, as the ClearPass server was set to boot automatically and the Hyper-V management tool would lock up, causing an inability to shut down the ClearPass server and access the settings.

 

In short: remove VMQ, don't use Broadcom NICs and set a static MAC address in Hyper-V instead of the default dynamic MAC.
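
The changes described across this thread (legacy NIC replaced by a synthetic one, static instead of dynamic MAC, VMQ off on the virtual NIC) can be audited and applied from the Hyper-V host with the Hyper-V PowerShell module. This is an added example, not code from any poster or from Aruba. It assumes the VM is named `CLEARPASS` as in the event text quoted above, and that the MAC the adapter currently holds is the one to pin; `-Apply` is a switch defined by this script.

```powershell
# Added example. Run in an elevated PowerShell session on the Hyper-V host.
param(
    [string]$VMName = 'CLEARPASS',  # assumption: VM name taken from the quoted event text
    [switch]$Apply                  # without -Apply the script only reports
)
Import-Module Hyper-V -ErrorAction Stop

$vm   = Get-VM -Name $VMName -ErrorAction Stop
$cols = 'Name', 'IsLegacy', 'SwitchName', 'MacAddress', 'DynamicMacAddressEnabled', 'VmqWeight'

# Report the three settings the thread identifies as the cause of the outages.
$adapters = @(Get-VMNetworkAdapter -VM $vm)
$adapters | Format-Table $cols -AutoSize | Out-Host
if (-not $Apply) { return }

# Adapters are added and removed with the VM shut down, as described in the thread.
if ($vm.State -ne 'Off') { throw "Shut down '$VMName' before changing its adapters." }

foreach ($nic in $adapters) {
    # Capture the current MAC so it can be pinned as static afterwards.
    $mac    = $nic.MacAddress
    $hasMac = $mac -and ($mac -ne '000000000000')

    if ($nic.IsLegacy) {
        # Swap the emulated (legacy) adapter for a synthetic one on the same switch.
        $name   = $nic.Name -replace '^Legacy\s+', ''
        $switch = $nic.SwitchName
        Remove-VMNetworkAdapter -VMNetworkAdapter $nic
        $nic = if ($switch) {
            Add-VMNetworkAdapter -VM $vm -Name $name -SwitchName $switch -Passthru
        } else {
            Add-VMNetworkAdapter -VM $vm -Name $name -Passthru
        }
    }

    if ($hasMac) {
        # Static MAC: the host can no longer hand the guest a different address.
        Set-VMNetworkAdapter -VMNetworkAdapter $nic -StaticMacAddress $mac
    } else {
        Write-Warning "$($nic.Name): no MAC assigned yet, set a static one manually."
    }

    # VmqWeight 0 disables VMQ for this virtual NIC only; the host's physical NIC
    # setting (Disable-NetAdapterVmq) is not touched here.
    Set-VMNetworkAdapter -VMNetworkAdapter $nic -VmqWeight 0
}

Get-VMNetworkAdapter -VM $vm | Format-Table $cols -AutoSize | Out-Host
```

Run it once without `-Apply` and keep the output as a record of the original adapter layout before making changes.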
