Occasional Contributor II
Posts: 13
Registered: ‎12-08-2015

Virtual IP

Hi!

I'm wondering if it is possible to change the ClearPass VRRP ID. It seems that the default is VRRP ID 1. This causes an issue at a customer site, since they have a different product using VRRP ID 1. Nothing serious, but it creates a lot of log entries on the other product regarding auth fail (they try to speak to each other using different passwords).

I can find nothing about changing this when looking through the documentation.

Guru Elite
Posts: 8,637
Registered: ‎09-08-2010

Re: Virtual IP

ClearPass does not use VRRP. Please open a TAC case to try and isolate the problem.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 13
Registered: ‎12-08-2015

Re: Virtual IP

Well, that's strange; every time I turn off virtual IP, the logging stops on the device. Must be something that interferes; they are on the same VLAN.

I will check with TAC.

Thanks

Moderator
Posts: 492
Registered: ‎11-09-2012

Re: Virtual IP

Just to confirm, we use UCARP on CPPM for our VIP functionality.


Best Regards
-d

Snr Tech Marketing Engineer - ClearPass

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
Occasional Contributor II
Posts: 13
Registered: ‎12-08-2015

Re: Virtual IP

Thanks!

It seems that you shouldn't use the same ID in CARP as VRRP if they exist on the same subnet. I would suggest adding an option to change the VHID from the default in the ClearPass GUI, to avoid issues for customers using both VRRP and CARP on the same subnet.

From: https://doc.pfsense.org/index.php/CARP_Configuration_Troubleshooting

Conflicting VHIDs

The VHID determines the virtual MAC address used by that CARP IP. The input validation in pfSense will not permit using conflicting VHIDs on a single pair of systems, however if there are multiple systems on the same broadcast domain running CARP, it's possible to create a conflict. VRRP also uses the same virtual MAC address scheme, so a VRRP IP using the same VRID as a CARP IP VHID will also generate the same MAC address conflict.

When using CARP on the WAN interface, this also means VRRP or CARP used by the ISP can also conflict. Be sure to use VHIDs that are not in use by the ISP on that broadcast domain.
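
The VHID/VRID collision discussed in this thread can be checked before deployment. The following is an added example, not part of the original posts or of any Aruba or pfSense tooling: it derives the shared IPv4 virtual MAC (`00:00:5e:00:01:XX`) for each HA group on a VLAN, reports groups that collide, and lists unused IDs. The inventory, group names and VLAN numbers are constructed for illustration.

```python
from collections import defaultdict

# Constructed inventory (assumption, not from the thread):
# (HA group name, protocol, VLAN, VRID or VHID)
INVENTORY = [
    ("clearpass-vip", "CARP", 20, 1),
    ("core-gateway", "VRRP", 20, 1),
    ("edge-firewall", "CARP", 20, 7),
    ("dmz-gateway", "VRRP", 30, 1),
]


def virtual_mac(group_id):
    """IPv4 virtual MAC used by both VRRP (VRID) and CARP (VHID)."""
    if not 1 <= group_id <= 255:
        raise ValueError(f"VRID/VHID must be 1-255, got {group_id}")
    return f"00:00:5e:00:01:{group_id:02x}"


def find_conflicts(inventory):
    """Map (vlan, mac) -> HA groups, keeping only MACs claimed by 2+ groups.

    Members of one HA group share an ID on purpose, so the unit compared
    here is the group, not the individual node.
    """
    claims = defaultdict(set)
    for group, proto, vlan, gid in inventory:
        claims[(vlan, virtual_mac(gid))].add((group, proto))
    return {key: sorted(g) for key, g in claims.items() if len(g) > 1}


def free_ids(inventory, vlan, count=3):
    """Lowest VRID/VHID values not yet used by any group on this VLAN."""
    used = {gid for _, _, v, gid in inventory if v == vlan}
    return [i for i in range(1, 256) if i not in used][:count]


if __name__ == "__main__":
    for (vlan, mac), groups in find_conflicts(INVENTORY).items():
        names = ", ".join(f"{g} ({p})" for g, p in groups)
        print(f"VLAN {vlan}: {mac} claimed by {names}")
        print(f"  unused IDs on VLAN {vlan}: {free_ids(INVENTORY, vlan)}")
```

The same ID on different VLANs (here `dmz-gateway` on VLAN 30) is not reported, because the conflict only exists within one broadcast domain.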
