Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass subscriber out of sync

  • 1.  ClearPass subscriber out of sync

    Posted Mar 08, 2014 01:43 PM

    I had a subscriber offline for a day, which was long enough to cause issues with the cluster syncing.  Besides dropping the subscriber from the cluster, is there any other way of resolving an out of sync issue?



  • 2.  RE: ClearPass subscriber out of sync
    Best Answer

    EMPLOYEE
    Posted Mar 08, 2014 01:44 PM

    I’ve never found a better way. Dropping is the safest/cleanest. I usually stop TACACS and RADIUS services on the subscriber before I drop it so the NADs put the server out of service.



  • 3.  RE: ClearPass subscriber out of sync

    EMPLOYEE
    Posted Mar 09, 2014 01:12 AM

    As of today that is your only option.



  • 4.  RE: ClearPass subscriber out of sync

    Posted Nov 06, 2020 03:06 AM
    I know this is an old post but it is still the top hit on Google.

    We had the same issue yesterday, and I thought it was a bit excessive to drop the subscriber as a first step to get the sync back, so I tried restarting the sync service on the subscriber that was out of sync, and it solved the issue.

    service restart cpass-async-netd





  • 5.  RE: ClearPass subscriber out of sync

    Posted Mar 09, 2014 05:14 PM
    Thanks for confirming.


  • 6.  RE: ClearPass subscriber out of sync

    Posted Mar 27, 2014 05:30 PM

    Worked great for me. One of my nodes was out of sync because of asymmetric routing. We also use WAN acceleration, so in order to prevent any problem I've added rules on these devices to bypass traffic among all cluster nodes.

     



  • 7.  RE: ClearPass subscriber out of sync

    Posted Jun 04, 2014 08:30 AM

    Looks like I have a similar problem.

    Our Subscriber today is reporting that it is out of sync.

    I believe it is due to an extended downtime of the Subscriber server.

     

    I didn't form the initial cluster so I am a little shaky on the steps.

     

    Would I take the following steps?

     

    1. Log into the Subscriber and stop TACACS and RADIUS services (as suggested by @cappalli)
    2. Log into the Publisher and go to Administrator > Server Manager > Server Configuration
    3. Select the Subscriber and select 'Drop Subscriber'
    4. From the Subscriber select the option 'Make Subscriber' - Select the option 'Do not backup the existing databases...'
    5. From the Subscriber start the TACACS and RADIUS services

    Thank you,

     

    Cheers



  • 8.  RE: ClearPass subscriber out of sync

    Posted Jun 04, 2014 08:49 AM
    Yep, that's right. I've never stopped the TACACS service when removing or
    joining a subscriber and haven't run into problems. It certainly wouldn't
    hurt though.


  • 9.  RE: ClearPass subscriber out of sync

    Posted Jun 04, 2014 09:04 AM

    Thank you very much for confirming the steps!

     

    Good to know about the services. I will keep that in mind when I am ready to repair the cluster.

     

    Cheers



  • 10.  RE: ClearPass subscriber out of sync

    EMPLOYEE
    Posted Jun 04, 2014 09:09 AM

    The only reason I recommend manually stopping the TACACS and RADIUS services is that it gives the controllers/switches more time to age out the auth server.



  • 11.  RE: ClearPass subscriber out of sync

    Posted Jun 04, 2014 09:33 AM

    Thanks for the explanation @cappalli!

     

    Sorry for my ignorance but I was just wondering about the age out time. Would this be beneficial if on your controllers/switches you had a secondary auth server configured? Or does this help with preventing the controllers/switches needlessly sending requests?



  • 12.  RE: ClearPass subscriber out of sync

    EMPLOYEE
    Posted Jun 04, 2014 10:26 AM
    It all depends on how you have things set up.

    My previous environment did not use a VIP on ClearPass, so each server was set up individually as an authentication server in the controllers and switches. We did use RADIUS load-balancing in AOS 6.4, so by stopping the services, it would put that authentication server out-of-service.


  • 13.  RE: ClearPass subscriber out of sync

    Posted Mar 20, 2017 07:18 AM

    Hi geeks,

     

    I had a situation: one of my subscribers went out of sync for more than 24 hours, and the publisher has declared it out of sync. Therefore, I dropped the subscriber from the cluster via the subscriber node.

     

    After I rejoined the cluster, all its authenticated machine cache had been erased. Therefore it was not accepting any user auth due to the absence of machine auth. Then I needed to reboot the machines to get the machine auth done.

     

    Did I do something wrong in rejoining the cluster? Is this expected behaviour, or is there a better way to do things?



  • 14.  RE: ClearPass subscriber out of sync

    Posted Mar 20, 2017 08:06 AM

    I can't speak to whether or not the machine cache being cleared is normal or not.

     

    You can avoid this issue though by writing an attribute into the endpoint database when a machine successfully authenticates. Then use a role mapping to give the machine a role based on that attribute.

     

    This is especially helpful with laptops that disappear on a business trip and then the user comes back, but has put their laptop to sleep and not signed out.



  • 15.  RE: ClearPass subscriber out of sync

    Posted Jul 28, 2017 05:31 AM

    Hi,

     

    As of today, is it still the only solution to drop a subscriber if it's out of sync?

    That would mean if you're using VIPs on that node, you need to delete them and set up everything again after re-adding the node?

    That would cause downtime in my case...

     

    Many thanks in advance.



  • 16.  RE: ClearPass subscriber out of sync

    EMPLOYEE
    Posted Jul 28, 2017 06:43 AM

    Hi,

     

    It is not always necessary to drop the subscriber and rejoin the cluster if it is out of sync. Need to check the logs for why it went out of sync.

     

    We could try restarting the db replication service and check the status.

     

    Regards,

    Pavan



  • 17.  RE: ClearPass subscriber out of sync

    EMPLOYEE
    Posted Jul 28, 2017 08:07 AM
    You can remove a node from the virtual IP without deleting it.


  • 18.  RE: ClearPass subscriber out of sync

    Posted Jun 04, 2014 10:18 AM
    Very good point, Tim.


  • 19.  RE: ClearPass subscriber out of sync

    EMPLOYEE
    Posted Jun 04, 2014 09:27 AM
    Those are the steps I've always followed.


  • 20.  RE: ClearPass subscriber out of sync

    Posted Dec 03, 2021 08:14 AM
    Hi th_son and community members, 

    I have got the same issue: the subscriber says out of sync.

    I tried to follow these steps but it didn't allow me to drop; it says it cannot be dropped since it is part of a virtual IP address...

    Any idea in this case, please kindly advise.

    Binod

    ------------------------------
    Binod Ranabhat
    ------------------------------



  • 21.  RE: ClearPass subscriber out of sync

    EMPLOYEE
    Posted Dec 03, 2021 12:02 PM
    You responded to a very old discussion. It's hard to guess what is wrong in your situation, so please open a TAC case.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 22.  RE: ClearPass subscriber out of sync

    Posted Dec 04, 2021 04:30 AM
    Thank you so much for your suggestion. Yes, opened the TAC case with Aruba and solved the issue:
    - Decommissioned Virtual IP to Subscriber from server config
    - Dropped the subscriber, it became the standalone publisher
    - Logged in to Previous Subscriber (separately) and made it subscriber, it needed the appadmin creds
    - Then it joined the cluster again

    Basically, all the steps above and a bit of work on Virtual IP Settings worked for me.


    ------------------------------
    Binod Ranabhat
    ------------------------------



  • 23.  RE: ClearPass subscriber out of sync

    Posted Jan 04, 2024 10:09 AM

    Appadmin creds what?




  • 24.  RE: ClearPass subscriber out of sync

    EMPLOYEE
    Posted Jan 04, 2024 10:11 AM

    You responded to a very old discussion. It's hard to guess what is wrong in your situation, so please open a TAC case.



    ------------------------------
    Herman Robers
    ------------------------------



  • 25.  RE: ClearPass subscriber out of sync

    Posted Jan 04, 2024 10:09 AM

    After dropping the subscriber, I'm not able to log in to the subscriber.




  • 26.  RE: ClearPass subscriber out of sync

    EMPLOYEE
    Posted Jan 04, 2024 10:11 AM

    You responded to a very old discussion. It's hard to guess what is wrong in your situation, so please open a TAC case.



    ------------------------------
    Herman Robers
    ------------------------------