
NAC service perfigo won't start

corneliusaryono
Level 1

Hi Guys,

I just want to know how to stop Disk Watch in NAC, because when I try to start perfigo, this appears:

"Disk Watch Manager is already running.  Please stop it before starting."

Thanks

6 Replies

Robert Salazar
Cisco Employee

Is this a new appliance or was this working previously?

Is this part of an HA setup or is it standalone?

If HA, have you tried:

- stopping perfigo on the active/working node

- starting perfigo on the server in question

- if that comes up, restart perfigo on the other node.

Hi Robert

This appliance was working previously with HA.

I restarted the perfigo service on both active and standby at the same time because the ADSSO service suddenly stopped.

The active appliance restarted normally, but the perfigo service on the standby unit won't start and gave me this result:

[root@xxx ~]# service perfigo start

Disk Watch Manager is already running.  Please stop it before starting.

Starting High-Availability services:

[  OK  ]

Please wait while bringing up service IP.

Heartbeat service is running.

Service IP [10.xx.x.x] is not on peer or the Heartbeat link is broken.

Stopping High-Availability services:

[  OK  ]

Please check IP configuration and Heartbeat link.

Starting manager in administrative mode.

I tried to restart the standby unit with and without HA connected, but got the same result as above. I think it's because I must stop Disk Watch Manager first before I start perfigo.

Any advice on how?

Thanks

Please help

I've seen in the past where the issue was specific to HA configuration.

You may want to check if the certs are valid or installed properly on the HA pair.

You may want to look at the output of the /var/log/messages to see if there's anything related to the ipsec issues for the heartbeat link.

Hi Robert,

You're right, it's an HA cert issue I think. From the log, I got this:

Jan 16 07:51:54 nacnam02 racoon: WARNING: unable to get certificate CRL(3) at depth:1 SubjectName:/CN=company Issuing CA

Jan 16 07:51:54 nacnam02 racoon: WARNING: unable to get certificate CRL(3) at depth:2 SubjectName:/O=company Group/CN=company Root CA

Jan 16 07:51:54 nacnam02 racoon: INFO: ISAKMP-SA established 192.168.0.254[500]-192.168.0.253[500] spi:b1e9b22a08f32f24:3a7298fc6bf2c213

Jan 16 07:51:54 nacnam02 racoon: ERROR: ignore information because the message is too short

Jan 16 07:52:04 nacnam02 racoon: NOTIFY: the packet is retransmitted by 192.168.0.253[500].

I couldn't ping the other HA node from this appliance because of the invalid cert.

The question is, how can I upload a cert to this appliance via SSH?

I figured out that the issue was because of the SSL cert.

So with WinSCP I copied and pasted /root/perfigo from the active NAC onto this appliance, then rebooted, and everything is running normally now.

thx
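
The log check suggested in this thread, written as a small triage script. This is an added example, not something posted by any participant or shipped with the appliance. The function names are hypothetical, the sample lines are constructed in the format quoted above (placeholder host and addresses), and it assumes the daemon logs with the bare `racoon:` tag shown in the thread.

```shell
#!/bin/sh
# Constructed sample in the syslog layout quoted in the thread.
sample_log() {
cat <<'EOF'
Jan 16 07:51:54 nac-standby racoon: WARNING: unable to get certificate CRL(3) at depth:1 SubjectName:/CN=Example Issuing CA
Jan 16 07:51:54 nac-standby racoon: INFO: ISAKMP-SA established 192.0.2.254[500]-192.0.2.253[500] spi:0000000000000001:0000000000000002
Jan 16 07:51:54 nac-standby racoon: ERROR: ignore information because the message is too short
Jan 16 07:52:04 nac-standby racoon: NOTIFY: the packet is retransmitted by 192.0.2.253[500].
Jan 16 07:52:05 nac-standby sshd[411]: Accepted password for root
EOF
}

# racoon_summary: read syslog text on stdin and print
#   line 1: counts of WARNING/ERROR lines, certificate messages, SAs established
#   then one line per peer that retransmitted IKE packets.
# An SA that is established but followed by errors and retransmits points at
# the heartbeat tunnel, not at the perfigo service itself.
racoon_summary() {
  awk '
    $5 != "racoon:" { next }                 # keep only the IKE daemon lines
    { sev = $6; sub(/:$/, "", sev); n[sev]++ }
    /certificate/            { cert++ }
    /ISAKMP-SA established/  { sa++ }
    /retransmitted by/ {
      peer = $NF                              # e.g. 192.0.2.253[500].
      sub(/\[.*$/, "", peer)                  # drop port and trailing dot
      retx[peer]++
    }
    END {
      printf "warning=%d error=%d cert_msgs=%d sa_established=%d\n", n["WARNING"], n["ERROR"], cert, sa
      for (p in retx) printf "retransmit peer=%s count=%d\n", p, retx[p]
    }'
}

# Demo on the constructed sample; on a real unit: racoon_summary < /var/log/messages
sample_log | racoon_summary
```
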