@brettbrown wrote:
Cluster pool is definitely set and looks to be allocating an IP by the looks of it. I can't seem to find the RAP pool command in the config making its way from the MM to the MCs (maybe by design???).
With cluster RAP, the pool itself does not get pushed to MDs, as opposed to the way things work when not using cluster with RAPs. The pool is used (by the MM) to assign an IP (from the pool) to the RAP when it's put into the whitelist database, which essentially becomes a static IP. That IP is then consistent across the MDs within the cluster that it terminates in (indeed across all clusters of the MM).
When the RAP arrives at the MD, it will use the auth-server "internal" to try to authenticate. In a cluster this should be pointing to the MM virtual IP; please confirm it using "show aaa authentication-server internal". It should show the IP of the MM VIP (or the MM primary if you don't have a backup MM).
If someone has previously set the MD internal auth server to "use-local-switch" then this could easily cause the problem you're seeing.
Here is how the security debug should look (warning: don't run "logging level debugging security" in a live RAP network for any extended amount of time). In the debug below, a RAP (9c:8c:d8:09:05:0c) connects to the MD (192.168.1.144) from NAT source IP 172.35.0.10 via a RAP cluster public IP (which does not appear in the debug).
The RAP whitelist entry is not found on the MD, so the MD queries the MM VIP (192.168.1.142) and finds a result which has internal IP 168430082 (0xa0a0a02 == 10.10.10.2).
Apr 5 15:40:30 :124004: <3368> <DBUG> |authmgr| RX (sock) message of type 66, len 1028
Apr 5 15:40:30 :124454: <3368> <DBUG> |authmgr| auth_user_query_raw: recvd request user:9c:8c:d8:09:50:0c ip:172.35.0.10 cookie:-2145524411
Apr 5 15:40:30 :124098: <3368> <DBUG> |authmgr| Setting authstate 'started' for user 172.35.0.10, client VPN.
Apr 5 15:40:30 :124099: <3368> <DBUG> |authmgr| Setting auth type 'VPN' for user 172.35.0.10, client VPN.
Apr 5 15:40:30 :124004: <3368> <DBUG> |authmgr| ncfg_auth_server_group_authtype ip=172.35.0.10, method=VPN vpnflags:2
Apr 5 15:40:30 :124004: <3368> <DBUG> |authmgr| ncfg_auth_server_group_authtype vpnflags:2 vpn-profile:default-rap
Apr 5 15:40:30 :124004: <3368> <DBUG> |authmgr| ip=172.35.0.10, sg=default
Apr 5 15:40:30 :124004: <3368> <DBUG> |authmgr| aal_authenticate aal 0x2b9cc94 username 9c:8c:d8:09:05:0c
Apr 5 15:40:30 :124547: <3368> <DBUG> |authmgr| aal_authenticate server_group:default.
Apr 5 15:40:30 :124004: <3368> <DBUG> |authmgr| Select server for method=VPN, user=9c:8c:d8:09:05:0c, essid=<>, server-group=default, last_srv <>
Apr 5 15:40:30 :124038: <3368> <INFO> |authmgr| Reused server Internal for method=VPN; user=9c:8c:d8:09:05:0c, essid=<>, domain=<>, server-group=default
Apr 5 15:40:30 :133028: <3426> <DBUG> |localdb| executeUSERDBMethod(127.0.0.1:8214 ==> 127.0.0.1:8344 PktType:0x402 SeqNum:37117 MsgCode:62): Received udb_msg with msgtype:62 id:178 reqtype:6 dbtype:13
Apr 5 15:40:30 :133108: <3426> <DBUG> |localdb| executeUSERDBMethod: Query for mac:9c:8c:d8:09:05:0c not successful locally with msgtype:62 id:178 reqtype:6 dbtype:13
Apr 5 15:40:30 :133032: <3426> <DBUG> |localdb| localdb_send_db_fetch_req: Sending Fetch-Req on WL-entry for mac 9c:8c:d8:09:05:0c to 192.168.1.142:8344 with msgtype:62 id:178 reqtype:9 dbtype:13
Apr 5 15:40:30 :133028: <3426> <DBUG> |localdb| executeUSERDBMethod(192.168.1.142:8344 ==> 192.168.1.144:8344 PktType:0x2002 SeqNum:8267 MsgCode:62): Received udb_msg with msgtype:79 id:178 reqtype:10 dbtype:13
Apr 5 15:40:30 :133108: <3426> <DBUG> |localdb| executeUSERDBMethod: Received FETCH-RSP for mac:9c:8c:d8:09:05:0c with msgtype:79 id:178 reqtype:10 dbtype:13
Apr 5 15:40:30 :133005: <3426> <INFO> |localdb| User 9c:8c:d8:09:05:0c Successfully Authenticated
Apr 5 15:40:30 :124004: <3368> <DBUG> |authmgr| udb_gen_whitelist_avpairs: Added avpair name Remote-IP value 0
Apr 5 15:40:30 :124004: <3368> <DBUG> |authmgr| udb_gen_whitelist_avpairs: Added avpair name Remote-IPv6 value ::
Apr 5 15:40:30 :124004: <3368> <DBUG> |authmgr| udb_gen_whitelist_avpairs: Added avpair name Inner-IP value 168430082 (0xa0a0a02 == 10.10.10.2)
Apr 5 15:40:30 :124004: <3368> <DBUG> |authmgr| udb_gen_whitelist_avpairs: Added avpair name Cert_type value 1
Apr 5 15:40:30 :124003: <3368> <INFO> |authmgr| Authentication result=Authentication Successful(0), method=VPN, server=Internal, user=9c:8c:d8:09:05:0c
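An added example, not code from the original post and not Aruba tooling, that walks this debug programmatically: a small Python parser that follows the cluster RAP whitelist lookup (local miss on the MD, Fetch-Req to the MM, FETCH-RSP, Inner-IP avpair, final authmgr result), decodes the integer Inner-IP the same way the log annotates it, and flags the misconfiguration described above, an MD whose fetch goes somewhere other than the MM VIP. The sample lines are constructed from the debug quoted in the thread (MAC normalised to 9c:8c:d8:09:05:0c); the second sample, with the fetch host edited to the MD's own address and the trace cut off after the Fetch-Req, is a constructed stand-in for a misconfigured MD rather than captured output. The regular expressions assume the message wording shown in the quoted debug; other ArubaOS releases may word these lines differently.

```python
"""Walk an Aruba authmgr/localdb security debug for a cluster RAP whitelist
lookup. Added example, not code from the thread or from Aruba. Sample lines
are constructed from the debug quoted in the post."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the healthy flow from the post (MAC normalised to 9c:8c:d8:09:05:0c).
SAMPLE_DEBUG = """\
Apr 5 15:40:30 :124454: <3368> <DBUG> |authmgr| auth_user_query_raw: recvd request user:9c:8c:d8:09:05:0c ip:172.35.0.10 cookie:-2145524411
Apr 5 15:40:30 :124004: <3368> <DBUG> |authmgr| ncfg_auth_server_group_authtype vpnflags:2 vpn-profile:default-rap
Apr 5 15:40:30 :124038: <3368> <INFO> |authmgr| Reused server Internal for method=VPN; user=9c:8c:d8:09:05:0c, essid=<>, domain=<>, server-group=default
Apr 5 15:40:30 :133108: <3426> <DBUG> |localdb| executeUSERDBMethod: Query for mac:9c:8c:d8:09:05:0c not successful locally with msgtype:62 id:178 reqtype:6 dbtype:13
Apr 5 15:40:30 :133032: <3426> <DBUG> |localdb| localdb_send_db_fetch_req: Sending Fetch-Req on WL-entry for mac 9c:8c:d8:09:05:0c to 192.168.1.142:8344 with msgtype:62 id:178 reqtype:9 dbtype:13
Apr 5 15:40:30 :133108: <3426> <DBUG> |localdb| executeUSERDBMethod: Received FETCH-RSP for mac:9c:8c:d8:09:05:0c with msgtype:79 id:178 reqtype:10 dbtype:13
Apr 5 15:40:30 :133005: <3426> <INFO> |localdb| User 9c:8c:d8:09:05:0c Successfully Authenticated
Apr 5 15:40:30 :124004: <3368> <DBUG> |authmgr| udb_gen_whitelist_avpairs: Added avpair name Inner-IP value 168430082 (0xa0a0a02 == 10.10.10.2)
Apr 5 15:40:30 :124003: <3368> <INFO> |authmgr| Authentication result=Authentication Successful(0), method=VPN, server=Internal, user=9c:8c:d8:09:05:0c
"""
# Constructed stand-in for a misconfigured MD: same lines up to the Fetch-Req, with the
# fetch host edited to the MD's own address (192.168.1.144). Not captured output.
_healthy = SAMPLE_DEBUG.splitlines()
MISCONFIGURED_DEBUG = "\n".join(_healthy[:5]).replace("to 192.168.1.142:", "to 192.168.1.144:")

MAC = r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}"
RE_REQUEST = re.compile(rf"recvd request user:(?P<mac>{MAC}) ip:(?P<ip>[\d.]+)")
RE_PROFILE = re.compile(r"vpn-profile:(?P<profile>\S+)")
RE_SERVER = re.compile(r"(?:Reused|Selected) server (?P<server>\S+) for method=\w+")
RE_LOCAL_MISS = re.compile(rf"Query for mac:{MAC} not successful locally")
RE_FETCH_REQ = re.compile(rf"Sending Fetch-Req on WL-entry for mac {MAC} to (?P<host>[\d.]+):\d+")
RE_FETCH_RSP = re.compile(rf"Received FETCH-RSP for mac:{MAC}")
RE_LOCAL_OK = re.compile(rf"User {MAC} Successfully Authenticated")
RE_INNER_IP = re.compile(r"Added avpair name Inner-IP value (?P<value>\d+)")
RE_RESULT = re.compile(r"Authentication result=(?P<text>[^(]+)\((?P<code>\d+)\), method=\w+, server=(?P<server>\w+)")


@dataclass
class RapAuthTrace:
    mac: Optional[str] = None            # the RAP's MAC doubles as its username
    nat_ip: Optional[str] = None         # NAT source address the RAP arrives from
    vpn_profile: Optional[str] = None
    auth_server: Optional[str] = None    # should be "Internal" for a cluster RAP
    local_whitelist_hit: Optional[bool] = None
    fetched_from: Optional[str] = None   # host the MD asked for the whitelist entry
    fetch_answered: bool = False
    inner_ip: Optional[str] = None       # decoded Inner-IP avpair
    result_code: Optional[int] = None
    result_text: Optional[str] = None


def decode_inner_ip(value: int) -> str:
    """Inner-IP is logged as a 32-bit integer: 168430082 == 0x0a0a0a02 == 10.10.10.2."""
    return str(ipaddress.IPv4Address(value))


def parse_trace(log: str) -> RapAuthTrace:
    """Reduce the debug to the few facts that matter for a RAP whitelist lookup."""
    t = RapAuthTrace()
    for line in log.splitlines():
        if m := RE_REQUEST.search(line):
            t.mac, t.nat_ip = m["mac"], m["ip"]
        elif m := RE_PROFILE.search(line):
            t.vpn_profile = m["profile"]
        elif m := RE_SERVER.search(line):
            t.auth_server = m["server"]
        elif RE_LOCAL_MISS.search(line):
            t.local_whitelist_hit = False
        elif m := RE_FETCH_REQ.search(line):
            t.fetched_from = m["host"]
        elif RE_FETCH_RSP.search(line):
            t.fetch_answered = True
        elif RE_LOCAL_OK.search(line):
            if t.local_whitelist_hit is None:   # no miss logged first: entry was on the MD itself
                t.local_whitelist_hit = True
        elif m := RE_INNER_IP.search(line):
            t.inner_ip = decode_inner_ip(int(m["value"]))
        elif m := RE_RESULT.search(line):
            t.result_code, t.result_text = int(m["code"]), m["text"].strip()
    return t


def check_trace(t: RapAuthTrace, expected_mm_vip: str) -> List[str]:
    """Findings an admin would act on; an empty list means the lookup looked healthy."""
    findings: List[str] = []
    if t.auth_server and t.auth_server != "Internal":
        findings.append(f"RAP was authenticated against '{t.auth_server}', not the Internal server")
    if t.local_whitelist_hit is False and t.fetched_from is None:
        findings.append("whitelist miss on the MD but no Fetch-Req sent to the MM")
    if t.fetched_from and t.fetched_from != expected_mm_vip:
        findings.append(f"MD fetched the whitelist entry from {t.fetched_from}, expected MM VIP "
                        f"{expected_mm_vip}; check 'show aaa authentication-server internal' "
                        "for use-local-switch")
    if t.fetched_from and not t.fetch_answered:
        findings.append(f"no FETCH-RSP from {t.fetched_from}")
    if t.result_code is None:
        findings.append("no authentication result logged")
    elif t.result_code != 0:
        findings.append(f"authentication failed: {t.result_text} ({t.result_code})")
    elif t.inner_ip is None:
        findings.append("success without an Inner-IP avpair; check the cluster RAP pool")
    return findings


if __name__ == "__main__":
    for name, log in (("healthy", SAMPLE_DEBUG), ("misconfigured", MISCONFIGURED_DEBUG)):
        trace = parse_trace(log)
        print(name, trace.mac, trace.nat_ip, trace.inner_ip, check_trace(trace, "192.168.1.142") or "ok")
```

Feed it the output of the security debug for one RAP and the expected MM VIP; the interesting signal is `fetched_from`, which tells you directly where the MD went for the whitelist entry, and `inner_ip`, which should match the address the MM assigned from the cluster RAP pool.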