Contributor II
Posts: 52
Registered: ‎12-11-2012

VRRP MAC Address Spamming ClearPass Server with Authentication

Setup:

Controller: Two 7210 controllers (Master/Standby) running Aruba OS: 6.3.1.12

CPPM: ver 6.4.2.68288

Campus AP225

IAP225 (remote site) - Manual GRE tunnel, Guest VLAN and BYOD VLAN back to the controller.

Issue: We are seeing the Standby Controller send a ton of authentication requests (1 million authentication requests) to the ClearPass server within a 24-hour time frame. All of the requests are being rejected. Within Asset Tracker, we are seeing one MAC address, and that MAC address belongs to the Standby 7210 Controller.

When we reboot the Secondary 7210 controller, it causes CPPM to spit out an error ("Database query error, please try again"). See attachment.

Have been on the case with TAC for two days now and we are getting nowhere near a resolution.

Thnx.

C Khen

MVP
Posts: 4,301
Registered: ‎07-20-2011

Re: VRRP MAC Address Spamming ClearPass Server with Authentication

Can you please share the access tracker reject request / input tab?

Have you made any new changes recently?

What do you mean by the VRRP MAC address?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Contributor II
Posts: 52
Registered: ‎12-11-2012

Re: VRRP MAC Address Spamming ClearPass Server with Authentication Request

OK...after 7 long days of troubleshooting with Global Escalation TAC, we found the issue.

The millions of authentication requests hitting CPPM were due to a spanning-tree loop from 2 IAP clusters at the same remote sites. The issue we were experiencing is related to this article.

http://community.arubanetworks.com/t5/Controller-less-WLANs/IAP-L3-mobility-causes-loops/ta-p/185890

We had 2 IAP clusters passing (trunking) the same VLANs back to the controller (Vlan-110 Guest) and (Vlan-111 BYOD). The loop was triggered by having the same user VLANs (110 and 111) added into the IAP uplink trunk ports in each cluster.

To resolve the issue, I eliminated the second cluster at the site and joined it to the 1st cluster.
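
Added example, not part of the post above and not Aruba or ClearPass code: a sketch of how the symptom described in this thread, a single MAC address producing a flood of rejected authentication requests, could be flagged from exported authentication records. The record layout, addresses, thresholds and function names are assumptions constructed for the illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

FLOOD_MAC = "02:00:00:00:00:01"  # constructed, locally administered address


def build_sample():
    """Constructed records (timestamp, mac, nas_ip, result); not a real export."""
    t0 = datetime(2015, 1, 1, 9, 0, 0)
    rows = [(t0 + timedelta(seconds=i), FLOOD_MAC, "192.0.2.2", "REJECT")
            for i in range(600)]                      # one request per second
    rows += [(t0 + timedelta(minutes=m), "02:00:00:00:00:10", "192.0.2.1", "ACCEPT")
             for m in range(10)]                      # ordinary client
    rows += [(t0 + timedelta(minutes=m), "02:00:00:00:00:11", "192.0.2.1", "REJECT")
             for m in range(3)]                       # a few isolated rejects
    return rows


def find_auth_floods(records, window=timedelta(minutes=5),
                     min_rejects=300, min_reject_ratio=0.95):
    """Return {mac: peak rejects seen in any sliding window} for flooding MACs."""
    rejects, totals = defaultdict(list), Counter()
    for ts, mac, _nas_ip, result in records:
        totals[mac] += 1
        if result == "REJECT":
            rejects[mac].append(ts)

    flagged = {}
    for mac, times in rejects.items():
        # Keep only sources that are rejected almost every time.
        if len(times) / totals[mac] < min_reject_ratio:
            continue
        times.sort()
        peak = start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:         # shrink window from the left
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_rejects:
            flagged[mac] = peak
    return flagged


if __name__ == "__main__":
    for mac, peak in find_auth_floods(build_sample()).items():
        print(f"{mac}: {peak} rejected requests within 5 minutes")
```
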

MVP
Posts: 4,301
Registered: ‎07-20-2011

Re: VRRP MAC Address Spamming ClearPass Server with Authentication Request

Good to know, glad you guys were able to fix the issue.
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA