Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

CPPM 6.9.5 make subscriber failed

  • 1.  CPPM 6.9.5 make subscriber failed

    Posted Oct 06, 2021 06:59 PM

    Trying to rebuild our VMs that are running out of space and were originally built with 500 GB disks. So I dropped one of the subscribers and created the new VM, but now I can't make it a subscriber. Wish there was a way to just add a second 500 GB disk and have the OS resize the partitions.

    New VM was built with recommended settings with 6.9 ovf and then updated to 6.9.5 which is what currently is on the publisher.

    I had exported all certs from the old VM (HTTPS certs are signed by a commercial CA) and imported them. Also imported the root and intermediate certs to the Trust List and made sure they are marked as "Others" and enabled, as suggested by the field notice for 6.8. Publisher and subscriber are on the same VLAN and the new VM is using the same IP address as the old one.

    However, make subscriber fails via the GUI. Have not tried via console with -V. Any ideas? Am I missing something?







  • 2.  RE: CPPM 6.9.5 make subscriber failed

    Posted Oct 07, 2021 11:32 AM
    This kind of issue can best be fixed by contacting Aruba TAC support so they can take a look into the underlying Linux and databases.

    ------------------------------
    Marcel Koedijk | MVP Guru 2021 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own
    ------------------------------



  • 3.  RE: CPPM 6.9.5 make subscriber failed

    Posted Oct 07, 2021 01:09 PM

    Thanks - I have a call in - it's just that this year in particular they don't have enough engineers available and attempt to resolve things via email. Was hoping this would be something quick and easy I was missing. Obviously not, and I will have to do this 3 more times for the other two VMs.

    Would have been much easier if they had options for us to expand existing disks or to add a new one instead of forcing us to rebuild from scratch.






  • 4.  RE: CPPM 6.9.5 make subscriber failed

    Posted Oct 07, 2021 01:26 PM
    Hi su_A_ve,

    Disk expanding is not possible because the disks are encrypted for security. That's one of the reasons why 1TB is required in the deployment guide.
    For disk expansion you can simply spin off the .ova template and add a new VM to the cluster.

    Did you drop the subscriber from the publisher first, before turning it off and deploying the new server?

    Note: After re-installing a new server and adding the licenses, you also need TAC support to re-activate the PAK licence.

    ------------------------------
    Marcel Koedijk | MVP Guru 2021 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own
    ------------------------------



  • 5.  RE: CPPM 6.9.5 make subscriber failed

    Posted Oct 07, 2021 03:02 PM

    Well, interesting that when you install the OVA it gives you an option to encrypt the disk or not. So is it required? How do I know if the existing ones were encrypted? Wonder if I chose not to when I installed it?

    This is what I did which was vetted by our Aruba SE:

    * Drop subscriber from publisher
    * Set up new VM with correct specs with version 6.9.0
    * Add platform license from dropped subscriber and activate it (had to get it converted but worked)
    * Upgraded to 6.9.5 since that's what's on publisher
    * Imported root and intermediate CAs that signed the publisher's certs (based on the 6.8 technote)
    * Attempted to make subscriber with or without the backup/restore config options - all failed.

    For all reattempts I had to drop the 'in progress' subscriber from the publisher. I have not tried to do it via the command line ignoring the certs, but obviously something else is going on.

    The goal is then to make this new updated subscriber the publisher. Then drop the original one and the other one (we have three total) and add them back to the new publisher. And finally switch back so the publisher is the one named "1".

    Ricardo.






  • 6.  RE: CPPM 6.9.5 make subscriber failed

    Posted Oct 07, 2021 04:58 PM
    Hi Ricardo,

    Understood, your workflow looks fine to me, but sad that you still run into these issues, which happen sometimes. Try from the CLI; maybe it gives another message with some clue. Maybe something like:
    • did you turn off VRRP on your cluster?
    • did you turn off Failover Cluster?
    • is the same NTP server used and time/timezone in sync?
    • issue with the https, root or intermediate certificate?

    Maybe @cjoseph has a good suggestion.

    In early versions it wasn't possible to choose encrypted disks. The option to disable it is not recommended in production environments and is meant only for LAB environments, to optimize performance where fewer resources are often available.

    My recommendation is still to work with TAC support on this. Pick up the phone and explain to them it's urgent (phone is faster ;)). I'm pretty sure they have an engineer available within 24h during this busy time; if not, escalate the case if it's urgent.

    ------------------------------
    Marcel Koedijk | MVP Guru 2021 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own
    ------------------------------



  • 7.  RE: CPPM 6.9.5 make subscriber failed
    Best Answer

    Posted Oct 07, 2021 11:03 PM

    Tried all of that but it still failed. In the end, late in the day, I was finally able to get in touch with TAC.

    The problem was with some Root CAs that existed in the new image which had a different expiration date than what the publisher was sending. This is a bug fixed in 6.9.6. Once those were deleted (UserTrust, Comodo, AAA and AddTrust) it joined the cluster without issues.

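A pre-join sanity check in the spirit of the root cause above, as an added example that is not from the thread, from Aruba, or from ClearPass itself: it compares Trust List exports from the publisher and the new node and flags CA entries that share a subject but differ in serial or expiry, so they can be reviewed before attempting Make Subscriber. The CSV column names, serials and dates are constructed placeholders; ClearPass's real export format is not assumed, and the serials/dates are not those of the real CA certificates.

```python
import csv
import io
from datetime import datetime

# Constructed sample exports (one row per Trust List entry). Column names,
# serials and dates are placeholders, not real ClearPass output or real CA data.
PUBLISHER_EXPORT = """\
Subject,Serial,Valid To
CN=AddTrust External CA Root,sn-001,2020-05-30T10:48:38Z
CN=USERTrust RSA Certification Authority,sn-002,2038-01-18T23:59:59Z
CN=COMODO RSA Certification Authority,sn-003,2038-01-18T23:59:59Z
CN=AAA Certificate Services,sn-004,2028-12-31T23:59:59Z
CN=Example Internal Root,sn-005,2035-01-01T00:00:00Z
"""

SUBSCRIBER_EXPORT = """\
Subject,Serial,Valid To
CN=AddTrust External CA Root,sn-101,2030-05-30T10:48:38Z
CN=USERTrust RSA Certification Authority,sn-002,2038-01-18T23:59:59Z
CN=COMODO RSA Certification Authority,sn-103,2039-01-18T23:59:59Z
CN=AAA Certificate Services,sn-004,2028-12-31T23:59:59Z
"""


def load_trust_list(export_text):
    """Parse an export into {subject: [(serial, valid_to), ...]}.

    A subject may legitimately appear more than once (cross-signed or
    re-issued roots), so every certificate under a subject is kept."""
    entries = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        valid_to = datetime.strptime(row["Valid To"].strip(), "%Y-%m-%dT%H:%M:%SZ")
        entries.setdefault(row["Subject"].strip(), []).append(
            (row["Serial"].strip(), valid_to))
    return entries


def find_conflicting_cas(publisher_text, subscriber_text):
    """Return (subject, serial, valid_to) for certificates on the new node whose
    subject also exists on the publisher but whose serial/expiry does not match
    any publisher copy. Subjects only on the new node are not reported: nothing
    from the publisher collides with them during the join."""
    pub = load_trust_list(publisher_text)
    sub = load_trust_list(subscriber_text)
    conflicts = []
    for subject, certs in sub.items():
        if subject not in pub:
            continue
        publisher_copies = set(pub[subject])
        for serial, valid_to in certs:
            if (serial, valid_to) not in publisher_copies:
                conflicts.append((subject, serial, valid_to.isoformat()))
    return sorted(conflicts)
```

Run `find_conflicting_cas(PUBLISHER_EXPORT, SUBSCRIBER_EXPORT)` on real exports from both nodes; each reported subject is a candidate to delete or replace on the new node before retrying the join.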