
Authentication failed joining machine to cluster using CCS

chmeehan0421
Level 1

Hello,

I was following the below article while setting up a cluster containing two c360 appliances and ran into an issue at the final steps.

http://tinyurl.com/pjmpwh

I created the cluster just fine and added the first box to the main group. Then proceeded to run prepjoin to add the second machine to the cluster via CCS and ran into an authentication failed error when trying to join the second box to the cluster.

Once I am shown the public key after specifying an IP of a clustered machine and the CCS port number (2222), I then am hit with authentication failed.

Anyone have an idea? I have double checked host names, IP addresses, connectivity between the two, CCS enabled on both appliances by telnetting to 2222...

Thanks.

Chris

4 Replies

Hi Chris,

I think your connectivity is probably ok if you're able to resolve the host and telnet on port 2222 to each appliance. It sounds as if there may be an issue with the hostkey. You may want to first verify the keys by going to logconfig > hostkeyconfig > fingerprint. Check and make sure the key you're being presented with matches the one listed on the remote appliance.

In the following section step 2 is critical and you will typically see a failure like you described if this gets mixed up somehow. (I have done it a few times myself :-) )

  1. In order to join a cluster over CCS, you must first log in to a cluster member and tell it that this system is being added.  On any machine in the cluster run:
         clusterconfig > prepjoin > new
  2. Copy the hostname, serial number, and SSH key information in order to paste it into the 'prepjoin' prompt from above on the existing cluster member.
  3. You will be prompted to start the Cluster Communication Service, which opens a new service over TCP port 2222 on the interface of your choice.
  4. Enter the IP address of an existing cluster machine.  This can be any cluster machine but must be referenced by IP, regardless of your communication preferences.
  5. Select the port for CCS use as defined during cluster creation.
  6. You are shown the public key for this host for confirmation.  You can further verify this on any appliance in the cluster with the following commands:
      logconfig > hostkeyconfig > fingerprint
NOTE: There will be another delay while the new member retrieves and applies the cluster configuration automatically.
Christopher C Smith
CSE
Cisco IronPort Customer Support 

Chris,

Sorry, I forgot to mention that I did the prepjoin steps on an already clustered member, then verified the key and then joined the new appliance to the cluster. The rsa-dss keys did in fact match up just fine. Maybe a call to support is needed.

Thanks,

Chris

Hi Chris,

You're right, it may be a bit easier to diagnose this with an engineer, especially with tools like webex at our disposal. Sounds like it's probably something simple but, like they say, a picture is worth a thousand words. Feel free to contact us here at support; we will be more than happy to help with this issue and any other questions you may have.

Christopher C Smith

CSE

Cisco IronPort Customer Support

Turns out that I did not commit my changes on the appliance that I ran prepjoin on that was already a cluster member. I'm assuming that this resulted in the cluster not knowing about the new appliance joining.

I would also like to note the actual steps.

run prepjoin on cluster member.

add new member info

after message stating host added, hit enter twice to ensure you are back at <> then commit changes.

Thanks again to Martin at support.

Chris