Security

doing some testing with clearpass cluster (version 6.3) and had a subscriber down for over 1 day. in the logging i noticed it went to status disabled after some time. now i started the subscriber again and was wondering if i can get it in the cluster without a drop / rejoin. checked the GUI, CLI and manual but can't find a hint.

 

the whole idea of node disabled status makes me believe i can enable it somehow, is that true or is drop and rejoin the only thing to do?

When subscriber (configured as Designated Standby) went out of sync, you may have noticed that Publisher marks the node as disabled / cluster sync status is disabled.

 

In such a situation, please use the below steps:

1.     On a subscriber node (configured as Designated Standby), if needed take a logdb backup.

2.     Perform a "cluster reset-database" (easily done in CLI)

3.     Perform “Make-Subscriber” operation to join back into cluster (using either UI / CLI).

4.     After the node is joined as subscriber, check if VIP Service is running on the new subscriber. If stopped, please start the same.

5.     This will succeed and High Availability features like VIP and Publisher Standby configurations are restored on this Subscriber node.

 

Note: In the above steps, you need not drop any of the high availability features before joining the out of sync/disabled Designated standby into cluster. This way, time spent in getting back the out of sync subscriber node (or designated standby) back in action, is much lesser.

thanks Seth, if that the way it is, i will go that route.

hey Seth i tried your stept but it seems to fail, the old subscriber is reset and rejoins but the then it remains out of sync and this increases with every attempt. should it have worked in 6.3?

Depending on resources it may take a while for it to come up active.

Make sure you

1. remove the VIP
2. do force drop on the publisher to make sure it is no longer showing on the dash board.
3. Do a db reset on the sub
4. I usually do a reboot on the sub after
5. In the cli do a sub join.

I've done quite a few tests and at a few sites it took awhile with a large database and or a Eval VM that is running on a min resources.

I can attest, that this worked in 2022 on 6.10. I've been working with TAC for several days to no avail. Using cli vs gui was the trick!

------------------------------
Davion Washington
------------------------------

Original Message:
Sent: Aug 26, 2014 05:01 AM
From: Troy Arnold
Subject: clearpass cluster status Node Disabled, how to recover?

Depending on resources it may take a while for it to come up active.

Make sure you

1. remove the VIP
2. do force drop on the publisher to make sure it is no longer showing on the dash board.
3. Do a db reset on the sub
4. I usually do a reboot on the sub after
5. In the cli do a sub join.

I've done quite a few tests and at a few sites it took awhile with a large database and or a Eval VM that is running on a min resources.

And this was a lifesaver. As a result of this I managed to rebuild my CPPM cluster after a disastrous atempt at using theweb based upgrade utility

 

Hi!

Before trying to completely remove and add the server agains to the cluster, I'm trying to do a simple rejoin, but I'm gertting the message 'Replication status is not disabled.' but the cpass-replication service is stopped on the Subscriber. Can anyone help me with this?

Thanks in advance.

Original Message:
Sent: May 27, 2015 11:18 AM
From: alexatyork
Subject: clearpass cluster status Node Disabled, how to recover?

And this was a lifesaver. As a result of this I managed to rebuild my CPPM cluster after a disastrous atempt at using theweb based upgrade utility