Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass 6.11 stopping services during update installation

  • 1.  ClearPass 6.11 stopping services during update installation

    Posted Mar 16, 2023 05:10 AM

    Hi

    While updating ClearPass 6.11 I have noticed a new behaviour during the installation. In previous versions all services have been running during the installation of any updates or upgrades. 

    With version 6.11 several services are stopped during the installation of the updates. As far as I can see in the documentation for 6.11 this behaviour change isn't mentioned anywhere. The services remain stopped after successful installation until the server reboots. Is this a new behaviour we should expect in ClearPass 6.11 or is it an unintentional action to stop the services during update installation?

    Output from the CLI command service status all:
    Policy server [ cpass-policy-server ] is running
    TACACS+ Server [ cpass-tacacs-server ] is stopped
    Radius server [ cpass-radius-server ] is running
    Async DB write service [ cpass-dbwrite-server ] is stopped
    DB replication service [ cpass-replication ] is stopped
    DB change notification server [ cpass-dbcn-server ] is stopped
    System monitor service [ cpass-sysmon-server ] is stopped
    System auxiliary service [ cpass-system-auxiliary-server ] is stopped
    Admin server [ cpass-admin-server ] is running
    Async netd service [ cpass-async-netd ] is running
    Zone cache [ cpass-zone-cache-server ] is running
    Stats collection service [ cpass-statsd-server ] is running
    Stats aggregation service [ cpass-carbon-server ] is running
    Ingress logger service [ cpass-igslogger-server ] is stopped
    Ingress logrepo service [ cpass-igslogrepo-server ] is stopped
    RadSec Service [ cpass-radsec ] is stopped
    Grafana server [ grafana-server ] is running
    AirGroup notification service [ airgroup-workqueue ] is stopped
    ClearPass Guest background service [ cpg-background ] is stopped
    ClearPass Guest cache [ cpg-redis-cache ] is stopped
    Extensions service [ cpass-extensions ] is running
    Micros Fidelio FIAS [ fias-server ] is stopped
    ClearPass Virtual IP service [ cpass-vip ] is stopped
    ClearPass IPsec service [ cpass-ipsec ] is stopped

    I have always informed the customers that the installation will only cause a short service disruption during the reboot of the server. Now the disruption will be prolonged as some services are stopped during the installation.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP 2023, ACCX #1335, ACMP, ACDP, ACP-Network Security, ACEP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------
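
Added example, not part of the original post and not Aruba code: a small parser for the `service status all` output format quoted above, which reports the watched services that are not running after a patch install. The watch list and function names are assumptions for illustration; pick the service ids that matter in your own deployment.

```python
import re

# One line of `service status all` output as quoted in the post:
#   "<display name> [ <service-id> ] is running|stopped"
LINE_RE = re.compile(
    r"^\s*(?P<name>.+?)\s*\[\s*(?P<sid>[\w.+-]+)\s*\]\s+is\s+(?P<state>running|stopped)\s*$"
)

def parse_status(text):
    """Return {service_id: (display_name, state)}; lines that do not match are ignored."""
    services = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            services[m["sid"]] = (m["name"], m["state"])
    return services

def stopped_watched(text, watched):
    """Return {service_id: state} for watched services that are stopped or absent."""
    services = parse_status(text)
    report = {}
    for sid in watched:
        state = services.get(sid, (None, "missing"))[1]
        if state != "running":
            report[sid] = state
    return report

# Sample input: a subset of the lines quoted in the post above.
SAMPLE = """\
Policy server [ cpass-policy-server ] is running
TACACS+ Server [ cpass-tacacs-server ] is stopped
Radius server [ cpass-radius-server ] is running
RadSec Service [ cpass-radsec ] is stopped
ClearPass Virtual IP service [ cpass-vip ] is stopped
"""

# Assumption: the services this deployment depends on for authentication.
WATCHED = ["cpass-policy-server", "cpass-radius-server",
           "cpass-tacacs-server", "cpass-radsec", "cpass-vip"]

if __name__ == "__main__":
    for sid, state in stopped_watched(SAMPLE, WATCHED).items():
        print(f"{sid}: {state}")
```

Capturing the CLI output before the install and again before the reboot, then running both through `stopped_watched`, shows which dependencies are down during the window between install and reboot.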


  • 2.  RE: ClearPass 6.11 stopping services during update installation

    EMPLOYEE
    Posted Mar 16, 2023 06:59 AM

    Which update did you install and on what exact version of ClearPass (like 6.11.1->6.11.2)?

    Have you opened a TAC case for this? This does not sound right.

    Do you have a cluster and VIPs configured? Did the VIP perform a takeover by the other node (looks like as the VIP service is stopped)?



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: ClearPass 6.11 stopping services during update installation

    Posted Mar 16, 2023 08:02 AM

    Hi

    I have so far only tested in lab servers deployed from 6.11.1 ovf image installing 6.11.2.

    All the servers have been new installations, stand alone servers and no VIP configured.

    One after testing manual import of the update image and not generated any token, to verify the fix for offline updates in 6.11.1.

    Another after creating a token, download the image and install.

    Also seen the behavior on a machine deployed with 6.11.0 and token generated, image 6.11.2 downloaded and installed.

    At the moment I don't have any more 6.11.0 servers where I can confirm this.

    So far I have not opened a TAC case on this, as I found it just before I posted the question in the forum. I was just interested to know if it was something to expect. I can open a ticket and see what answer I get.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    ------------------------------



  • 4.  RE: ClearPass 6.11 stopping services during update installation

    Posted Mar 17, 2023 04:36 AM

    A short update: after opening a TAC case I got this answer:

    "I understand from the case description that you are facing issues with ClearPass-ClearPass 6.11 stopping services during update installation.
    Upon checking, it is a normal behavior and expected one in all updates/upgrades.
    The stopped services will be automatically running after reboot of the server on installation. So, it is not an issue. It's an expected behavior."

    If this is correct the documentation must be updated accordingly. Awaiting feedback from TAC.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    ------------------------------



  • 5.  RE: ClearPass 6.11 stopping services during update installation

    EMPLOYEE
    Posted Mar 20, 2023 08:51 AM

    I just checked with an update 6.10.7->6.10.8 and see similar results between the patch install and the restart:

    Because the RADIUS and Policy service run, and the Virtual IP service does not, I may have never noticed before.

    Also, I tend to use the Cluster Update/Cluster Upgrade tool, which automatically triggers a reboot after the patch installation, in which case there is no time between the installation and the reboot.

    So, it seems that the most important services are restarted, but you will need to reboot in order to fully finish the reboot, which I think is mentioned as well.



    ------------------------------
    Herman Robers
    ------------------------------



  • 6.  RE: ClearPass 6.11 stopping services during update installation

    Posted Mar 20, 2023 12:24 PM

    That zone cache service, is that a new name for multi-master cache?

    I have done multiple upgrades from 6.5 - 6.6 and so on until 6.9 to 6.10 in the past, and even small patch updates trigger a service stop prior to reboot.




  • 7.  RE: ClearPass 6.11 stopping services during update installation

    EMPLOYEE
    Posted Mar 22, 2023 05:41 AM

    Yes, check here for all terminology changes in ClearPass 6.10.



    ------------------------------
    Herman Robers
    ------------------------------