Security

 View Only
Expand all | Collapse all

Access Tracker filter search timeouts

This thread has been viewed 3 times
  • 1.  Access Tracker filter search timeouts

    Posted Dec 04, 2024 10:19 AM

    Hello,

    We have 6 ClearPass boxes running 6.12.3. Two are dedicated Publisher/Standby, and the other 4 actually process requests.

    I am trying to do a search which uses the Aruba RADIUS attribute for AP group, and also filtering on Service name. We have a lot of entries in Access Tracker so I appreciate that this is a big search.

    The time period I am trying to do this for is 1 week. This worked if I restricted the search to be just one of our ClearPass subscribers (it took a long time) but now when I try to repeat that for one of our other subscribers it just times out. Now when I go back to Access Tracker it is always trying to complete the previous search, even when it says it is 'cancelling statement due to timeout' it just sits with the spinning wheel and I am unable to do anything. Reloading the page or using a different browser doesn't help so I assume this is all server side. What happens to broken searches like this? Should I worry that these failed searches are still clogging things up in the background? I assume something should be telling Postgres to cancel the previous search but I'm not confident this is actually happening, Is there a job that clears these up? When can I expect to be able to search in Access Tracker again?

    Guy



  • 2.  RE: Access Tracker filter search timeouts

    Posted Dec 04, 2024 10:51 AM

    Just after I wrote the above it managed to complete the search, despite saying that it was cancelling it! But it is a long, painful process. I guess there is a lot of db churn going on and if the box is busy then the search can take a long time (or seemingly fail). I'll try again when things are quieter and hopefully this will give it more of a chance. It is still annoying that you end up in a situation where it keeps attempting the same search ('waiting to complete current operation') even when you are trying to set up a new search. 

    We will look at the possibility of sending accounting data to not just ClearPass (we have to send it to ClearPass because we have a FW integration that relies on it) but another server where we can access the data more easily. Though this does raise the question of whether using the 'Multiple server accounting' setting in AOS AAA profile is likely to cause too much load/traffic as I believe it will then send to all servers in the group. It would be nicer to be able to specify more than one server group and for accounting to be sent to one of the servers in each group rather than all. If anyone has any comments/suggestions they would be appreciated!

    Guy