OnGuard Agent shows ClearPass server unreachable when the client has L3 connectivity to the server.
Though the client has Layer 3 connectivity to ClearPass server, OnGuard agent shows ClearPass server unreachable.
As shown in the below screenshot, we see two authentication servers 10.17.164.156 and 10.17.164.166 in the agent.conf. When 10.17.164.156 is down or unreachable (as shown with ICMP), the OnGuard agent will try the second authentication server in the list.
Though it is reachable for the client (as shown with ICMP), OnGuard agent shows ClearPass server: None reachable. As a result health check would fail.
From the OnGuard agent logs, we would see that, when the agent is trying to connect to the ClearPass server over HTTPS, but it failed to resolve the hostname because of the blank space between first authentication server and the second one.
2017-04-09 08:31:05,449 [Th 000013b8] INFO OnGuardPlugin.HttpAuthChannel - SetLocalAddr: 'Local Area Connection' - New local IP: 10.20.32.237
2017-04-09 08:31:05,449 [Th 000013b8] INFO OnGuardPlugin.HttpClientWrapper - ExecuteMethod: Local IP: 10.1 Remote IP: 10.17.164.166, url: https:// 10.17.164.166/images/index.html
2017-04-09 08:31:07,701 [Th 000013b8] ERROR OnGuardPlugin.HttpClientWrapper - ExecuteMethod: Send Request failed from Local IP: 10.20.32.237 to Remote IP: 10.17.164.166. Error - 6(Couldn't resolve host name)
2017-04-09 08:31:07,701 [Th 000013b8] ERROR OnGuardPlugin.HttpClientWrapper - DoSubmit: ExecuteMethod failed for Local IP: 10.20.32.237 Remote IP: 10.17.164.166.
2017-04-09 08:31:07,701 [Th 000013b8] ERROR OnGuardPlugin.HttpAuthChannel - IsAuthServerReachable: 'Local Area Connection' - Echo to 10.17.164.166 failed from Local IP: 10.20.32.237.
2017-04-09 08:31:07,711 [Th 000013b8] INFO OnGuardPlugin.AuthServerQuery - Execute: Reachability Status for Local Area Connection to server 10.17.164.166 – 0
In this case, removing the blank space resolved the issue. By default, there will not be any space between the authentication server IP addresses in a zone. However, care must be taken while configuring override servers in the OnGuard agent settings (Naivgation: Administration » Agents and Software Updates » OnGuard Settings » Policy Manager Zones) , so that it does not have any space.