High Availability Failure on NAC 3310 CAS

Tochukwu Iwuora · ‎12-21-2011

Hi All,

Please I need your help.

Yesterday I discovered the primary and secondary CAS were both in active state and reporting their fellow peer as dead (I did this using ./fostate.sh), causing authentication errors on the network. I had to stop the perfigo process on the primary one to restore service.

After closer investigation I have discovered that when I put my laptop on the same subnet as their eth2 interfaces (eth0, eth1 and serial are not used for heartbeat only eth2), I can ping the eth2 ip address for the primary device, but can't ping that of the secondary device. See configs and outputs below. I am also wondering why the secondary CAS shows its eth0 and eth1 interfaces as fake0 and fake1. Any help will be highly appreciated. Thanks

[root@CAS-SEC ~]# ifconfig eth2

eth2 Link encap:Ethernet HWaddr 00:1F:29:5D:1C:6C

inet addr:172.29.254.10 Bcast:172.29.254.11 Mask:255.255.255.252

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

RX packets:11205 errors:0 dropped:0 overruns:0 frame:0

TX packets:1445 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:1000

RX bytes:1237137 (1.1 MiB) TX bytes:243730 (238.0 KiB)

Memory:dc220000-dc240000

[root@CAS-PRI ~]# ifconfig eth2

eth2 Link encap:Ethernet HWaddr 00:1F:29:5D:41:06

inet addr:172.29.254.9 Bcast:172.29.254.11 Mask:255.255.255.252

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

RX packets:1889 errors:0 dropped:0 overruns:0 frame:0

TX packets:11028 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:1000

RX bytes:297308 (290.3 KiB) TX bytes:1200820 (1.1 MiB)

Memory:dc220000-dc240000

[root@CAS-SEC ~]# netstat -rn

Kernel IP routing table

Destination Gateway Genmask Flags MSS Window irtt Iface

172.29.254.8 0.0.0.0 255.255.255.252 U 0 0 0 eth2

xx.xx.xx.xx 0.0.0.0 255.255.255.248 U 0 0 0 fake1

xx.xx.xx.xx 0.0.0.0 255.255.255.248 U 0 0 0 fake0

0.0.0.0 xx.xx.xx.xx 0.0.0.0 UG 0 0 0 fake0

[root@CAS-PRI ~]# netstat -rn

Kernel IP routing table

Destination Gateway Genmask Flags MSS Window irtt Iface

172.29.254.8 0.0.0.0 255.255.255.252 U 0 0 0 eth2

xx.xx.xx.xx 0.0.0.0 255.255.255.248 U 0 0 0 eth1

xx.xx.xx.xx 0.0.0.0 255.255.255.248 U 0 0 0 eth0

0.0.0.0 xx.xx.xx.xx 0.0.0.0 UG 0 0 0 eth0

Tochukwu Iwuora · ‎12-22-2011

Hi All,

Please any advise will be appreciated.

I have noticed a discrepancy in the output of 'more perfigo.conf' on both machines. The one that I can't ping its eth2 has

PEERGUSSK=00_1F_29_71_9D_06_00_1F_29_71_9D_07, while the other has PEERGUSSK=. Does anyone know what this means.

Also checking the /var/log/ha-log of the same I appliance I can't ping all I see is

ERROR: Unable to send [-1] ucast packet: No such process

Thanks for any information.

Tochukwu Iwuora · ‎12-22-2011

Hi All,

Making some progress now.

I have noticed that when I change the IP addresses on the eth2 of both CAS, the devices can ping each other.

I plan to schedule a maintenance window to configured the high-availability using a new subnet for the eth2 hearbeat.

Regards.....