01-11-2017 11:52 PM
I'm wondering if it is possible to change the ClearPass VRRP-id. It seems that the default is vrrp-id 1. This causes an issue at a customer site, since they have a different product using vrrp-id 1. Nothing serious, but it creates a lot of log entries on the other product regarding auth fail (they try to speak to each other using different passwords).
I can find nothing about changing this when looking through the documentation.
01-15-2017 11:14 AM
Just to confirm, we use UCARP on CPPM for our VIP functionality.
Snr Tech Marketing Engineer - ClearPass
01-17-2017 01:05 AM
It seems that you shouldn't use the same ID in CARP as in VRRP if they exist on the same subnet. I would suggest adding an option to change the VHID from the default in the ClearPass GUI, to avoid issues for customers using both VRRP and CARP on the same subnet.
The VHID determines the virtual MAC address used by that CARP IP. The input validation in pfSense will not permit using conflicting VHIDs on a single pair of systems, however if there are multiple systems on the same broadcast domain running CARP, it's possible to create a conflict. VRRP also uses the same virtual MAC address scheme, so a VRRP IP using the same VRID as a CARP IP VHID will also generate the same MAC address conflict.
When using CARP on the WAN interface, this also means VRRP or CARP used by the ISP can also conflict. Be sure to use VHIDs that are not in use by the ISP on that broadcast domain.
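The conflict described in the quoted text can be checked ahead of a deployment. The following is an added example, not part of the thread or of any vendor tooling: it derives the shared virtual MAC from each VRID/VHID and flags broadcast domains where two different clusters claim the same one. The inventory, cluster names and VLAN labels are constructed for illustration.

```python
from collections import defaultdict

# VRRP IPv4 virtual MAC format is 00:00:5e:00:01:<VRID>; per the quoted
# text, a CARP VHID maps onto the same scheme.
VMAC_PREFIX = "00:00:5e:00:01"

def virtual_mac(group_id):
    """Virtual MAC derived from a VRRP VRID or CARP VHID (valid range 1-255)."""
    if not 1 <= group_id <= 255:
        raise ValueError(f"group id out of range: {group_id}")
    return f"{VMAC_PREFIX}:{group_id:02x}"

def find_conflicts(inventory):
    """Return {(segment, vmac): [entries]} where more than one cluster claims the MAC."""
    claims = defaultdict(list)
    for entry in inventory:
        claims[(entry["segment"], virtual_mac(entry["id"]))].append(entry)
    # Nodes of the same cluster legitimately share an ID, so compare cluster names.
    return {
        key: entries
        for key, entries in claims.items()
        if len({e["cluster"] for e in entries}) > 1
    }

def free_ids(inventory, segment):
    """IDs on a segment not claimed by any VRRP or CARP group."""
    used = {e["id"] for e in inventory if e["segment"] == segment}
    return [i for i in range(1, 256) if i not in used]

# Constructed sample inventory (cluster names and VLANs are hypothetical).
INVENTORY = [
    {"segment": "vlan10", "cluster": "clearpass-vip", "proto": "CARP", "id": 1},
    {"segment": "vlan10", "cluster": "core-gateway", "proto": "VRRP", "id": 1},
    {"segment": "vlan10", "cluster": "fw-pair", "proto": "VRRP", "id": 20},
    {"segment": "vlan20", "cluster": "dist-gateway", "proto": "VRRP", "id": 1},
]

if __name__ == "__main__":
    for (segment, mac), entries in find_conflicts(INVENTORY).items():
        owners = ", ".join(f"{e['cluster']} ({e['proto']} {e['id']})" for e in entries)
        print(f"{segment}: {mac} claimed by {owners}")
    print("first free ids on vlan10:", free_ids(INVENTORY, "vlan10")[:3])
```

The same ID on a different broadcast domain (vlan20 in the sample) is not reported, since the conflict only exists where the groups share a segment.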