Security

 View Only
last person joined: 21 hours ago 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

OnGuard Persistent "Failed to Connect to ClearPass Agent Controller Service"

This thread has been viewed 42 times
  • 1.  OnGuard Persistent "Failed to Connect to ClearPass Agent Controller Service"

    Posted Sep 05, 2022 11:36 PM
      |   view attached
    Hi All,

    Have been experiencing this issue from way long ago, and TAC always points to endpoint problem.

    My end-user more or less has been the same for the past 3-4 years, and they are wondering about this repeating issue.

    To solve this issue, we sometimes have to format the whole Windows, whilst relaunching the OnGuard agent and rebooting the computer may also work, but with random successful ratio.

    Is there some new approach to this posturing agent, maybe compared to what Cisco's one, because seem their agent is more stable and can run properly everytime.

    Please refer to the attachment. Please see the first line at 14:52:33. This is a lucky scenario where the agent will start running after some time, other bad luck ones showing the same failure over and over again without any ending.


  • 2.  RE: OnGuard Persistent "Failed to Connect to ClearPass Agent Controller Service"

    EMPLOYEE
    Posted Sep 06, 2022 03:07 AM
    looks like it is fixed in 6.10.6, but i suggest upgrading to the latest maintenance release 6.10.7

    https://www.arubanetworks.com/techdocs/ClearPass/CP_ReleaseNotes_6.10.x/Default.htm#ReleaseNotes/Resolved/Resolved-6.10.6.htm


    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------



  • 3.  RE: OnGuard Persistent "Failed to Connect to ClearPass Agent Controller Service"

    Posted Sep 06, 2022 04:20 AM
    Could it be that you have a firewall/user-role/ACLs that are blocking the connection to CPPM? Most specific tcp port 6658 that is used for the agent to communicate to ClearPass?

    If you have such a situation where you see error-after-error, run a Wireshark to collect a network capture and see what the client is attempting to connect to and if/what response you see. I suspect that the communication does not reach the ClearPass server.

    The mentioned fix seems specifically related to MacOS, and your screenshot looks more like Windows. Upgrading won't hurt either and other issues may be solved. What version do you have on the ClearPass server? And have you installed the same OnGuard agent version on your clients?

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 4.  RE: OnGuard Persistent "Failed to Connect to ClearPass Agent Controller Service"

    Posted Sep 13, 2022 01:18 AM
    Hi Herman,

    Thanks for the reply, OnGuard version and ClearPass server are the same 6.10.5
    Will upgrade to 6.10.7 once customer HQ approved the version.

    For communication to ClearPass, firewall are opened, the agent is working sometimes. The other times it is showing Failed to Connect to Agent Controller Service like that. Never tried Wireshark-ing to capture local adapter, but this issue is more like a service dependencies issue in Windows.
    If you see the Agent Controller Service at Windows "services.msc", it has more than one services dependencies, probably that's why it is more difficult to solve in Windows.


  • 5.  RE: OnGuard Persistent "Failed to Connect to ClearPass Agent Controller Service"

    Posted Sep 13, 2022 05:10 AM
    Maybe it helps to get 6.10.7 approved if HQ knows that there are reported security vulnerabilities in the version they are now running?

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 6.  RE: OnGuard Persistent "Failed to Connect to ClearPass Agent Controller Service"

    Posted 14 days ago

    Hi Herman, 
    I'm operating NAC version 6.12.1 and have this trouble on few PC too. Could you guide me on how to check if ClearPass OnGuard is conflicting with any application or Firewall...etc.... on the PC, leading to a failure to connect to the Controller Service?




  • 7.  RE: OnGuard Persistent "Failed to Connect to ClearPass Agent Controller Service"

    Posted 14 days ago

    Is the client connected to the network?

    Can it (DNS) resolve the FQDN for your ClearPass server (in the zone)? Can it connect to the ClearPass server on port 6658?

    Especially when you isolate/quarantine clients, make sure they can connect to ClearPass (both DNS and IP connectivity working).



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 8.  RE: OnGuard Persistent "Failed to Connect to ClearPass Agent Controller Service"

    Posted 7 days ago

    yes, when client false, i check ping and telnet to server's port 6658 OK. The error occurs consistently when we suspend the PC and leave it overnight, after reboot PC at morning, ClearPass working normal.