Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass issue on Microsoft Hyper-V

  • 1.  ClearPass issue on Microsoft Hyper-V

    Posted Sep 01, 2017 10:55 AM

    Hey all, I ran into an interesting issue with deploying a ClearPass VA-5k on Hyper-V.  The Hyper-V version is 2012 R2, and the VA was deployed using the latest template downloaded from Aruba.

    The issue was that the VM would run for a few hours and then suddenly lose all network connectivity.  A reboot would restore it, again for about 5-6 hours, then it would disappear again.

    The Hyper-V administrator noticed a few things:  

    - the template is built using a very old Hyper-V version (2008 I believe).

    - the NICs are set to be "legacy" NICs

    - the driver for the Legacy NICs is very out-of-date

    Hyper-V Event Viewer gave us this warning:

    "Networking driver in CLEARPASS loaded but has a different version from the server. Server version 5.0  Client version 3.2 (Virtual machine ID 81A9D98D-595A-4295-9160-EA0E4C18DD95). The device will work, but this is an unsupported configuration. This means that technical support will not be provided until this problem is resolved. To fix this problem, upgrade the integration services. To upgrade, connect to the virtual machine and select Insert Integration Services Setup Disk from the Action menu."

     

    So, since there's no way to access the root shell in ClearPass, I won't be able to update the drivers.  

    What I did instead was remove the Legacy NICs, and replace them with the standard "Synthetic NIC".  ClearPass had no problem recognizing the new NICs and network connectivity was restored. 

    At this point I'll continue monitoring the appliances to see if this is a permanent fix, but thought I would put this out there for anyone else running ClearPass on Hyper-V.  Maybe Aruba / HPE should consider updating the template and drivers in their VA?



  • 2.  RE: ClearPass issue on Microsoft Hyper-V

    EMPLOYEE
    Posted Sep 05, 2017 10:59 AM

    Please open a case with Aruba TAC to troubleshoot. Network interfaces, especially in default configuration, should not go down.

     

    Did you check the VM install Tech Note that is on the support website with the product download, which has some hints as well on Hyper-V configuration?



  • 3.  RE: ClearPass issue on Microsoft Hyper-V

    Posted Sep 07, 2017 01:04 PM

    TAC was baffled by this.  I doubt that anyone in TAC has much experience with Hyper-V.  I know it's not very common in my install base.

    We installed it from the template downloaded from the Aruba site.  The Hyper-V admin noticed that the template was built on Hyper-V 2008.  The notes don't mention anything else regarding specific builds on Hyper-V except the system requirements (disk, CPU, RAM, etc.).



  • 4.  RE: ClearPass issue on Microsoft Hyper-V

    EMPLOYEE
    Posted Sep 08, 2017 05:57 AM

    The Installing or Upgrading ClearPass 6.6 on a Virtual Machine Technote, that is available here, does mention the supported Hyper-V versions as:

    - Microsoft Hyper-V Server 2012 R2
    - Microsoft Hyper-V Server 2016
    - Windows Server 2012 R2 with Hyper-V
    - Windows Server 2016 with Hyper-V



  • 5.  RE: ClearPass issue on Microsoft Hyper-V

    Posted Sep 15, 2017 04:04 AM

    I have a problem with Hyper-V NICs going down. I couldn't get legacy ones to work at all, and the NICs that were set up in the Hyper-V installation didn't work.

     

    So I added another NIC and it worked for about two weeks and then it failed.

     

    I turned off the dynamically assigned MAC address for the NIC and put the original one back in as static, and it has been online ever since. It appears that Hyper-V changed the MAC address of the NIC - I assume ClearPass wouldn't appreciate that?

     

    My experience seems to indicate that legacy is bad and that you should use a static MAC address on the virtual NIC when setting it up.



  • 6.  RE: ClearPass issue on Microsoft Hyper-V

    Posted Nov 10, 2017 03:22 AM

    On a final note, the second node of the cluster went down after a reboot.

     

    Same thing, the NIC wouldn't work after a reboot of the Hyper-V server.

     

    I updated the Broadcom drivers (not good) and removed VMQ from the NIC and Hyper-V (not necessary on a 1 gig NIC anyway).

     

    Changing the ClearPass NIC with a static and not a dynamic MAC address seemed to be the main issue.

     

    But this was more complicated, as the ClearPass server was set to boot automatically and the Hyper-V management tool would lock up, causing an inability to shut down the ClearPass server and access the settings.

     

    In short: remove VMQ, don't use Broadcom NICs, and set a static MAC address in Hyper-V instead of the default dynamic MAC.



  • 7.  RE: ClearPass issue on Microsoft Hyper-V

    Posted May 05, 2018 03:23 AM

    I know this is an older post, but I had the same issue with an eval Hyper-V I was testing. After I put an Intel NIC in the host, I didn't have any more problems. I have built many VMs; it just seems like Intel NICs work best for everything.



  • 8.  RE: ClearPass issue on Microsoft Hyper-V

    Posted Sep 06, 2017 03:16 PM

    How did you change the NICs? In ClearPass or Hyper-V?

    I have the same issue.



  • 9.  RE: ClearPass issue on Microsoft Hyper-V

    EMPLOYEE
    Posted Sep 07, 2017 06:59 AM

    You cannot change it in ClearPass, so it must be Hyper-V. But please open a TAC case if you experience these kinds of stability issues with Aruba products. That will allow the problem to be fixed, and prevent others from running into the same issues.



  • 10.  RE: ClearPass issue on Microsoft Hyper-V

    Posted Sep 07, 2017 01:06 PM

    I removed the legacy NICs and added the new ones in Hyper-V (shut down the VM and edit the settings).  It's been stable for a week now.
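
An added example, not part of any post above and not Aruba or HPE tooling: a PowerShell check, run on the Hyper-V host, that flags the three virtual NIC settings the thread points to (legacy adapter, dynamic MAC address, VMQ) and can pin the current MAC and turn VMQ off. The VM name `CLEARPASS` is taken from the event log quoted in post 1; the function names are hypothetical.

```powershell
#Requires -Modules Hyper-V
# Added example. 'CLEARPASS' is the VM name from the event text in post 1;
# the function names below are hypothetical, the cmdlets are the Hyper-V module's.

function Get-VmNicFindings {
    # Read-only: lists each virtual NIC and which of the thread's suspects apply to it.
    param([Parameter(Mandatory)][string]$VMName)

    foreach ($nic in Get-VMNetworkAdapter -VMName $VMName) {
        $findings = @()
        if ($nic.IsLegacy)                 { $findings += 'legacy (emulated) adapter' }
        if ($nic.DynamicMacAddressEnabled) { $findings += 'dynamic MAC address' }
        if ($nic.VmqWeight -gt 0)          { $findings += 'VMQ enabled' }

        [pscustomobject]@{
            VMName     = $VMName
            Adapter    = $nic.Name
            Switch     = $nic.SwitchName
            MacAddress = $nic.MacAddress
            Findings   = if ($findings) { $findings -join '; ' } else { 'none' }
        }
    }
}

function Set-VmNicStable {
    # Pins the MAC each synthetic NIC currently has and sets VmqWeight to 0.
    # Legacy adapters are only reported above; replacing them means removing the
    # adapter and adding a synthetic one in the VM settings, as described in post 10.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$VMName)

    if ((Get-VM -Name $VMName).State -ne 'Off') { throw "Shut down $VMName first." }

    foreach ($nic in Get-VMNetworkAdapter -VMName $VMName | Where-Object { -not $_.IsLegacy }) {
        # A NIC that has never been started has no MAC assigned yet; do not pin zeros.
        if ($nic.MacAddress -eq '000000000000') { continue }
        if ($PSCmdlet.ShouldProcess("$VMName/$($nic.Name)", 'static MAC, VmqWeight 0')) {
            Set-VMNetworkAdapter -VMNetworkAdapter $nic -StaticMacAddress $nic.MacAddress -VmqWeight 0
        }
    }
}

Get-VmNicFindings -VMName 'CLEARPASS' | Format-Table -AutoSize
# Preview the change before applying it:
# Set-VmNicStable -VMName 'CLEARPASS' -WhatIf
```

If the appliance was configured against an earlier MAC address, as in post 5, pass that value to `-StaticMacAddress` by hand instead of pinning whatever the NIC currently holds.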