07-22-2015 08:52 AM - edited 07-22-2015 05:56 PM
Testing clearpass guest on a pair of CP-VA-5K running version 188.8.131.52162. Noticed that some operators are having trouble login into the guest manager application. They complain that they noticed the browser hangs after they submitted their AD credentials... They restart their browser or try a different browser and they issue persists for a few seconds. Then it just starts to work.
This is the common error in access tracker for all of these users:
Error Code: 102
Failed to perform policy evaluation
Alerts for this Request
WebAuthService Failed to contact policy server for access policy evaluation
Has anyone else seen this issue before? Is there a fix? Or is this a bug or maybe a bad LDAP configuration?
07-22-2015 04:41 PM
If you haven't please open a TAC case. It could be any combination of issues.
Aruba Customer Engineering
Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
07-22-2015 07:00 PM
I actually opened a TAC case before posting it here. I wanted to see if anyone else had run into this specifc error. If so, I would be interested to know what was the issue/resolution in their case? I understand this could be caused by any sort of issues. I am just trying to understand if this is due to a common misconfiguraiton or if we are running into some sort of bug.
Likewise if I can find a resolution working with TAC I'll post it here.
08-07-2015 11:55 AM
Update - issue is still happening at random times. Working with TAC....
But in the mean time I have managed to narrow the issue down by looking at debug logs from CPPM, logs form LDAP, and packet capture from CPPM server. There are a couple of things that stand out but I am not too familiar with all of the concepts... Just throwing it out here to see if this rings any bells for anyone.
1- First of all, my LDAP engineer confirmed that he is getting the LDAP query from clear pass for the failed request. He also sees the LDAP server respond with the query results immediately and with out errors. But clear pass still failed after a 10 minute delay.
2- Secondly, at the exact same time of that clear pass sends the failed request message to access tracker... The packet capture also shows a TCP reset initiated by clear pass at the same time that the LDAP query is sent out by CPPM.
My LDAP engineer mentioned that in the past he has seen a similar issue with servers that use "Java based pools". Does this ring a bell to anyone? I don't remember reading about this in the CPPM user guides but that sounds like an internal thing.
09-14-2015 12:39 PM
hey boneyard - almost there ;) The issue appears to be related to a tcp session timeout some where along the path between cppm and ldap. Working with Aruba support staff (SE, TAC, etc) and our F5 guys we have isolated the issue to a possible configuration issue on the load balancer. But we are still testing some things to rule out some assumptions.