Did you get anywhere with this? I try to avoid using the data interface whenever possible, but think that if traffic destined for a virtual IP on the management port is returned to the data port, that would be considered a bug. Did you open a support case for this?
As nobody has responded yet, and you mention that it's production and you can't take the risk of outages, it may be wise to build/test this in a lab before deploying in production. That may be something that your Aruba partner or Aruba support can assist with.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Feb 01, 2024 09:44 PM
From: russell.stewart@melbourne.vic.gov.au
Subject: ClearPass cluster VIP and routing rules
Good Afternoon,
We have a cluster of two ClearPass servers set up with a VIP using the management interface. We also have our VPN gateways on the same VLAN or /24 network.
We have a problem when VPN users try to authenticate a Guest access request. The ClearPass servers have a default route defined, which is our core router. The problem is that when a VPN user tries to access a CP server, the return traffic is sent to the router, not the VPN gateway device.
We partially solved this by adding network rules to each node, such as:
network ip add mgmt -i 500 -d 10.255.0.0/21 -g 192.168.1.55
This works when the VPN user is connecting to the IP address of the cluster member, not the VIP; if the VIP is used, the traffic goes to the router and is lost.
Is there any way of applying the routing rules to the VIP?
Can anyone tell me if adding a rule such as
network ip add mgmt -i 502 -s 192.168.1.50 -d 10.255.0.0/21 -g 192.168.1.55
is likely to work, or whether it will break the cluster, or whether the command will just fail? I am having trouble getting an outage window to test.
192.168.1.1 - Core Router
192.168.1.50 - Cluster VIP
192.168.1.51 - Cluster Publisher
192.168.1.52 - Cluster Subscriber
Network Commands