Security

I've a cluster of 2 * 6.0.1 servers configured to use NTP .
While everything looks o.k. on the master publisher, in the event log for the secondary you get an error message for an ntp server that is the master publisher. The ntp server is another host on my network



------------------------------
Alex Sharaz
------------------------------

Do you have check, The NTP is not blocked for secondary ClearPass ?

------------------------------
PowerArubaSW : Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...

PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)

PowerArubaCL: Powershell Module to use Aruba Central

PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)..

ACEP / ACMX #107 / ACDX #1281
------------------------------

Original Message:
Sent: Jul 28, 2021 03:41 AM
From: Alex Sharaz
Subject: CPPM 6.10.x NTP error message

I've a cluster of 2 * 6.0.1 servers configured to use NTP .
While everything looks o.k. on the master publisher, in the event log for the secondary you get an error message for an ntp server that is the master publisher. The ntp server is another host on my network



------------------------------
Alex Sharaz
------------------------------

Both servers are on same subnet Setup is


1 * 2930 switch
2 * Mac minis
2 * Vmware Fusion
1 cppm VM on each Mac mini
All ip addresses on same net

Why would the secondary think the master publisher is an ntp server when the config points them at there real ntp server … also on the same net

A


Original Message:
Sent: 7/28/2021 4:22:00 PM
From: alagoutte
Subject: RE: CPPM 6.10.x NTP error message

Do you have check, The NTP is not blocked for secondary ClearPass ?

------------------------------
PowerArubaSW : Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...

PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)

PowerArubaCL: Powershell Module to use Aruba Central

PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)..

ACEP / ACMX #107 / ACDX #1281
------------------------------

Original Message:
Sent: Jul 28, 2021 03:41 AM
From: Alex Sharaz
Subject: CPPM 6.10.x NTP error message

I've a cluster of 2 * 6.0.1 servers configured to use NTP .
While everything looks o.k. on the master publisher, in the event log for the secondary you get an error message for an ntp server that is the master publisher. The ntp server is another host on my network



------------------------------
Alex Sharaz
------------------------------

Subscribers will use the publisher as NTP server in addition to the configured server(s), which will help to get them synced if external NTP is lost. Cluster nodes should never be out of time-sync.

And in my lab, I don't see these event errors. Did you heavily locked down the service ACLs maybe?

Or could it be that VMware fusion (or the Mac mini running it) is blocking access? Note that Fusion is not supported as Hypervisor; but it probably allows you to do a tcpdump on the host and see the ntp traffic and possibly what happens to it.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Jul 28, 2021 05:11 PM
From: Alex Sharaz
Subject: CPPM 6.10.x NTP error message

Both servers are on same subnet Setup is


1 * 2930 switch
2 * Mac minis
2 * Vmware Fusion
1 cppm VM on each Mac mini
All ip addresses on same net

Why would the secondary think the master publisher is an ntp server when the config points them at there real ntp server … also on the same net

A


Original Message:
Sent: 7/28/2021 4:22:00 PM
From: alagoutte
Subject: RE: CPPM 6.10.x NTP error message

Do you have check, The NTP is not blocked for secondary ClearPass ?

------------------------------
PowerArubaSW : Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...

PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)

PowerArubaCL: Powershell Module to use Aruba Central

PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)..

ACEP / ACMX #107 / ACDX #1281

Original Message:
Sent: Jul 28, 2021 03:41 AM
From: Alex Sharaz
Subject: CPPM 6.10.x NTP error message

I've a cluster of 2 * 6.0.1 servers configured to use NTP .
While everything looks o.k. on the master publisher, in the event log for the secondary you get an error message for an ntp server that is the master publisher. The ntp server is another host on my network



------------------------------
Alex Sharaz
------------------------------

Running 2 cppm nodes as standalone everything is just fine. As soon as I subscribe one to the other I get the error message. I’ll have a look see if there are any fusion related things. …. certainly worked ok in 6.9.6


Original Message:
Sent: 7/29/2021 10:59:00 AM
From: Herman Robers
Subject: RE: CPPM 6.10.x NTP error message

Subscribers will use the publisher as NTP server in addition to the configured server(s), which will help to get them synced if external NTP is lost. Cluster nodes should never be out of time-sync.

And in my lab, I don't see these event errors. Did you heavily locked down the service ACLs maybe?

Or could it be that VMware fusion (or the Mac mini running it) is blocking access? Note that Fusion is not supported as Hypervisor; but it probably allows you to do a tcpdump on the host and see the ntp traffic and possibly what happens to it.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Jul 28, 2021 05:11 PM
From: Alex Sharaz
Subject: CPPM 6.10.x NTP error message

Both servers are on same subnet Setup is


1 * 2930 switch
2 * Mac minis
2 * Vmware Fusion
1 cppm VM on each Mac mini
All ip addresses on same net

Why would the secondary think the master publisher is an ntp server when the config points them at there real ntp server … also on the same net

A


Original Message:
Sent: 7/28/2021 4:22:00 PM
From: alagoutte
Subject: RE: CPPM 6.10.x NTP error message

Do you have check, The NTP is not blocked for secondary ClearPass ?

------------------------------
PowerArubaSW : Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...

PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)

PowerArubaCL: Powershell Module to use Aruba Central

PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)..

ACEP / ACMX #107 / ACDX #1281

Original Message:
Sent: Jul 28, 2021 03:41 AM
From: Alex Sharaz
Subject: CPPM 6.10.x NTP error message

I've a cluster of 2 * 6.0.1 servers configured to use NTP .
While everything looks o.k. on the master publisher, in the event log for the secondary you get an error message for an ntp server that is the master publisher. The ntp server is another host on my network



------------------------------
Alex Sharaz
------------------------------

Forgot

No service related ACLs anywhere


Original Message:
Sent: 7/29/2021 10:59:00 AM
From: Herman Robers
Subject: RE: CPPM 6.10.x NTP error message

Subscribers will use the publisher as NTP server in addition to the configured server(s), which will help to get them synced if external NTP is lost. Cluster nodes should never be out of time-sync.

And in my lab, I don't see these event errors. Did you heavily locked down the service ACLs maybe?

Or could it be that VMware fusion (or the Mac mini running it) is blocking access? Note that Fusion is not supported as Hypervisor; but it probably allows you to do a tcpdump on the host and see the ntp traffic and possibly what happens to it.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Jul 28, 2021 05:11 PM
From: Alex Sharaz
Subject: CPPM 6.10.x NTP error message

Both servers are on same subnet Setup is


1 * 2930 switch
2 * Mac minis
2 * Vmware Fusion
1 cppm VM on each Mac mini
All ip addresses on same net

Why would the secondary think the master publisher is an ntp server when the config points them at there real ntp server … also on the same net

A


Original Message:
Sent: 7/28/2021 4:22:00 PM
From: alagoutte
Subject: RE: CPPM 6.10.x NTP error message

Do you have check, The NTP is not blocked for secondary ClearPass ?

------------------------------
PowerArubaSW : Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...

PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)

PowerArubaCL: Powershell Module to use Aruba Central

PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)..

ACEP / ACMX #107 / ACDX #1281

Original Message:
Sent: Jul 28, 2021 03:41 AM
From: Alex Sharaz
Subject: CPPM 6.10.x NTP error message

I've a cluster of 2 * 6.0.1 servers configured to use NTP .
While everything looks o.k. on the master publisher, in the event log for the secondary you get an error message for an ntp server that is the master publisher. The ntp server is another host on my network



------------------------------
Alex Sharaz
------------------------------

We have the same warning on all of our 4 ClearPass-servers, Aruba TAC checked in the backend, and NTP is working correctly..
This error was introduced with 6.9.x i think... We are now on 6.10.1 and still have the same warning.
As long that the time on all servers in the cluster have the same time you're okey.
Original Message:
Sent: Jul 28, 2021 03:41 AM
From: Alex Sharaz
Subject: CPPM 6.10.x NTP error message

I've a cluster of 2 * 6.0.1 servers configured to use NTP .
While everything looks o.k. on the master publisher, in the event log for the secondary you get an error message for an ntp server that is the master publisher. The ntp server is another host on my network



------------------------------
Alex Sharaz
------------------------------

Thanks for the reply. Yup I’m just ignoring it for now

Rgds
Alex


Original Message:
Sent: 8/26/2021 10:35:00 AM
From: tk-nfk
Subject: RE: CPPM 6.10.x NTP error message

We have the same warning on all of our 4 ClearPass-servers, Aruba TAC checked in the backend, and NTP is working correctly..
This error was introduced with 6.9.x i think... We are now on 6.10.1 and still have the same warning.
As long that the time on all servers in the cluster have the same time you're okey.
Original Message:
Sent: Jul 28, 2021 03:41 AM
From: Alex Sharaz
Subject: CPPM 6.10.x NTP error message

I've a cluster of 2 * 6.0.1 servers configured to use NTP .
While everything looks o.k. on the master publisher, in the event log for the secondary you get an error message for an ntp server that is the master publisher. The ntp server is another host on my network



------------------------------
Alex Sharaz
------------------------------