After upgrading my 6.0.1 publisher and subscribers, the subscribers became out of sync and the issue would not resolve itself. I had to drop all subscribers then re-add them. Has anyone else had this issue?
I started by upgrading the publisher. Then I upgraded each subscriber and started to notice the sync issue. Is this the correct procedure for upgrading a cluster?
Also, the TACACS service that I set up for CPPM login stopped working after the upgrade. I can no longer log in with my AD credentials; I have to use the local admin account. AD authentication is working for other services such as .1X; the issue seems to be specifically with TACACS. Access Tracker has logged the following error: Internal error in performing authentication, when trying to log in with AD credentials. The logon attempt details don't even show that an authentication source is being used. I've tried creating a new TACACS service for CPPM login, but I get the same error.
Please reach Tech support. There could either be a bug, or an error in how you are upgrading...
I opened up a case in tandem with this topic. TAC has figured out that the issue is with the publisher, but the ticket has been escalated. I have a conference call with the escalation team and will report back with a solution in case it may be useful to someone in the future.
Had the same issue here getting my cluster complete. Changing the cluster password to something without special characters after the upgrade to 6.0.2 did the trick for me.
Cluster Sync Fix
Here is the reply from the engineering team:
The Root cause for cluster setup failure was some duplicate data in the publisher data post upgrade/migration. There was an enforcement policy "Guest Operator Logins" which conflicted with a policy of the same name that was introduced as default data in 6.0.2.

Workaround:

1) Create a new enforcement policy "AD Guest Operator Logins" with default enforcement profile "[Deny Application Access Profile]". Add the following rule to it "(Authorization:AD Servers:memberOf CONTAINS ClearPass-Admin)" and return the profile "Guest Operator - Super Administrator" to this rule.

2) Edit the "ClearPass Guest Login" service and attach the enforcement policy created above. Save the service.

Adding the subscriber should work after this.
TACACS is now working. The fix involved deleting an invalid certificate from the Certificate Trust List and restarting all of the CP services:
Although this fixed TACACS, our cluster is still not syncing. I will report back with the fix for that.