
James Smith

NAC cas HA issue

G'day guys,

I have a pair of CAS that I am trying to HA up, but I am running into a bit of drama. I have followed the HA configuration section in the Appliance Hardware installation document to the letter, but it just isn't hooking up as it should.

Both servers are 3355s, I am setting up the heartbeat over the eth2 interface as a straight layer 2 connection. If both servers are set as standalone in the failover section of the GUI, I am able to ping the heartbeat interface address of each of the servers from each other. Once I configure the primary CAS as per the appliance installation guide, I am not able to ping the eth2 heartbeat address of the primary from the other server. Once I complete the secondary HA setup, I can run tcpdump from the server CLI on the eth2 interface and I can see the 2 heartbeat interfaces requesting and responding to arp requests from each other successfully. I also see a number of isakmp exchanges between the 2 servers, then I see another set of arp requests. This process of successful arp requests - isakmp exchange, successful arp requests - isakmp exchanges continually runs. But the servers never HA up. The Primary reports that the Secondary is dead, the secondary states that the primary is dead, and they battle it out on the CAM and usually the secondary wins out and connects up as the active CAS on the CAM.

I am going to capture the tcpdump and upload here, as well as set the support logs on the servers to TRACE and upload here as well.

I just wanted to post up now to get a start on asking for some help, and I will get on the logs and captures in a few hours when I have access again to the kit.

It may or may not be relevant, but the CAS are connected to a vss 6500, the primary CAS on switch 1 and the secondary CAS on switch 2 of the vss pair.

Any and all assistance is greatly greatly appreciated.


James Smith

G'day again,

So the below output is the tcpdump of the eth2 interface on the CAS primary that I reference in my first post:

21:50:44.724785 arp who-has tell

21:50:44.724873 arp reply is-at e4:1f:13:34:93:80 (oui Unknown)

21:50:47.725580 IP > isakmp: phase 2/others R oakley-quick[E]

21:50:49.725339 IP > isakmp: phase 1 I ident[E]

21:50:49.725419 IP > isakmp: phase 1 R ident[E]

21:50:49.726296 IP > isakmp: phase 2/others I inf[E]

21:50:59.735862 IP > isakmp: phase 2/others R oakley-quick[E]

21:50:59.736085 IP > isakmp: phase 1 I ident[E]

21:50:59.736164 IP > isakmp: phase 1 R ident[E]

21:50:59.737023 IP > isakmp: phase 2/others I inf[E]

21:51:09.735965 IP > isakmp: phase 2/others R oakley-quick[E]

21:51:09.736139 IP > isakmp: phase 2/others I inf

21:51:14.735574 arp who-has tell

21:51:14.735663 arp reply is-at e4:1f:13:34:93:80 (oui Unknown)

I've got the trace logs from both CASs which I will upload shortly.

I am hoping someone is able to provide some insight into these issues.


