Hi
I agree with the answers from ahollifield; your problem is related to the latency.
A few years ago I had a customer with cluster nodes in London and New York. Due to VPN tunnels we had an issue with latency between the sites and sometimes got really poor performance. If the subscriber is out of sync for a long time, more than 24 hours, the synchronization will not re-establish automatically.
In that case you have to drop the subscriber from the cluster and join again.
The subscriber will continue to authenticate clients locally, but will not get any new configuration. As mentioned, in this situation the function will be limited in the same way as if the Publisher is down.
For global deployments of ClearPass, multiple clusters are usually the best solution.
You have an option to utilize the ClearPass Synchronization Service to replicate configuration data between multiple clusters. But this service has quite a high price tag, so I would only use it in very special cases.
I evaluated this service for one of my customers with multiple ClearPass clusters and in total about 15 servers, but found the price tag too high.
------------------------------
Best Regards
Jonas Hammarbäck
ACCX #1335, ACMP, ACDP, ACNSP, ACEP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------
Original Message:
Sent: Nov 10, 2022 01:41 PM
From: Scott Skalny
Subject: ClearPass Publisher-Subscriber HA Best Practice
My current architecture is as follows:
- Publisher in AWS US-East VPC
- Subscriber in Boston, MA
- Subscriber in Dublin, Ireland
- (new) Subscriber in Singapore
We have additional plans for subscribers in various regions, and a standby Publisher somewhere else in the world. However, upon adding the Singapore appliance to the cluster I've noticed that it's consistently "Out of Sync". I opened a TAC case and they've pointed to the following documentation: