NAC Agent reports "Clean Access Server is unavailable on the network. Please contact your administrator."

Ben.Levin
Level 1

I've been working with the TAC on this issue but thought I'd throw this out there in case anyone else has seen it. We're using NAC VPN SSO with our IPsec and SSL VPN clients.  Most of our users do not have a problem, but recently we've had a small number of users who report that the NAC agent checking starts, runs for a few minutes, and then the agent reports the error "Clean Access Server is unavailable on the network. Please contact your administrator."  From a CAM perspective, we see the user logged into the temporary role, but then they seem to get stuck there and not get logged into the regular role.

We're running NAC 4.7.2, and the XP laptops with the problem are checked for a registry key, AV and Windows patches via WSUS. Our current agent version is 4.7.2.10.

Thanks for any input you might have.

12 Replies

Faisal Sehbai
Level 7

Ben,

Are you doing accounting to ACS servers also for your VPN users? If so, can you disable that to see if that makes a difference.

HTH,

Faisal

The accounting is set to NAC, and then NAC sends the accounting to ACS.  Should that make a difference?

Ben,

I've seen cases where if the ACS/NAC traffic was impacted for whatever reason, the whole authentication would fail. For test, could you disable the mapping between your ACS and NAC and see if you're still seeing those timeouts?

Thanks,

Faisal

csmgdswafford
Level 1

Hey Ben,

That issue is caused by Microsoft's Internet Explorer browser going into Work Offline Mode.  It's kind of a bug w/ the pre 4.8 releases of NAC, though not publicly communicated.  The NAC agent is using an IE API to perform its SSL work and if IE is open and trying to refresh during the login process, then IE goes into offline mode automatically.  The workaround is to have the user disable offline mode in IE, and close out the NAC error message.  It typically fixes it within a few seconds and NAC authenticates normally.

4.8 of the client adds code to take IE out of offline mode during its authentication process btw.

David Swafford, Network Engineer, CareSource

Cisco Certified Network Professional  |  Cisco NAC Specialist  |  EC-Council Certified Ethical Hacker

David-

Interesting.  If we were to install the 4.8 agent, would this fix the problem, or would we have to upgrade our managers and servers as well? I have plans to upgrade everything to 4.8 but haven't had a chance yet.  I'll try the 4.8 agent on some computers to see how that goes.

Thanks!

-Ben

Good question!  Even though the release notes for 4.8 state that you can run 4.7.x servers w/ the 4.8 client, DO NOT DO IT.  We rolled out the new agent to a pilot group of about 40 users in preparation of moving the servers down the road and it bombed for our test group (our servers are 4.7.2).  TAC confirmed that this is known to cause issues due to a new feature added in the 4.8 client called Passive Reassessment.  The users get an error stating "Operating System not supported" intermittently (like 2 out of every 5 authentications) and they are unable to authenticate.

So for now if you move to 4.8 you need to do it all in one shot.   Oh and btw, if you need help from TAC, try your hardest to open the case during the morning (EST) so you can get the RTP, NC group.  They seem to be the most knowledgeable.

David Swafford, Network Engineer, CareSource

Cisco Certified Network Professional  |  Cisco NAC Specialist  |  EC-Council Certified Ethical Hacker

This still happens with the 4.8 code on the CAM/CAS and the new agent :-(.  Looks like the bug is not fixed yet.

Nice.  Thanks for posting because that's good to know.  We had started a 4.8 move but backed off due to new bugs w/ the client.

David.

Is there a definite bug on this?  Glad to know I'm not the only one having the problem. Thanks.

I don't think a bug ID was given... I'll pull up my TAC case history, might be a while though, I've got like 60-80 NAC related cases, lol.

David.

Thanks. I'd give my right arm for this to be a "genuine" Cisco bug.  I've spent countless hours troubleshooting the problem and I'm not really any closer to finding a solution.

I found it, it was described in TAC Case 614237013 w/ Nate Austin from RTP's AAA TAC.  Bug ID # CSCta39899.  Excerpts from the TAC case are below.

David Swafford.

=============================================================

Subject: SR 614237013 - NAC Agent - CCA Server Unavailable Repeatedly

Hi David,

My name is Nate Austin with Cisco TAC and I just accepted ownership of
your SR regarding NAC Appliance.

Looking at the logs I can see two way communication with the CAS so we
know it can reach it IP-wise. All the swiss communication is successful,
but it appears the HTTPS requests are the ones that are failing.

I have seen a couple things cause this:

1) Personal firewall blocking ports from CCA Agent.
2) More common - We use the same libraries as IE does for making HTTP
calls - If IE Offline Mode is enabled, this will cause the agent to
fail. Can you check in IE (especially if Firefox or Chrome are the users
default browser because they'd never check IE) and see if Offline Mode
is enabled. If so, disable it and try again?

Thanks,

Nate

=============================================================

Subject: Re: SR 614237013 - NAC Agent - CCA Server Unavailable Repeatedly

Sounds good.

FYI, if this does end up being the problem, there was a bug filed on
this CSCta39899, and in the 4.8 agent the agent will disable Offline
mode and re-enable it after it logs in.

Thanks,

Nate

Nathaniel Austin                        Cisco Systems
Customer Support Engineer               Research Triangle Park, NC
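An added diagnostic for the failure mode David and Nate describe above; it is not Cisco's agent code and not from this thread. It checks the two places the IE "Work Offline" state lives on a client (the GlobalUserOffline value under the user's Internet Settings key, and the live WinInet connected state that IE-library HTTPS calls consult) and, with -GoOnline, clears it through InternetSetOption, which is how the TAC reply says the 4.8 agent behaves. The function names and the -GoOnline switch are my own; the constants and P/Invoke signatures follow Microsoft's wininet.h documentation.

```powershell
param([switch]$GoOnline)

# WinInet constants and P/Invoke signatures as documented for wininet.h.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class NacDiagWinInet {
    public const uint INTERNET_OPTION_CONNECTED_STATE     = 50;
    public const uint INTERNET_STATE_CONNECTED            = 0x1;
    public const uint INTERNET_STATE_DISCONNECTED_BY_USER = 0x10;
    [StructLayout(LayoutKind.Sequential)]
    public struct INTERNET_CONNECTED_INFO { public uint dwConnectedState; public uint dwFlags; }
    [DllImport("wininet.dll", SetLastError = true)]
    public static extern bool InternetQueryOption(IntPtr h, uint opt, ref uint buf, ref uint len);
    [DllImport("wininet.dll", SetLastError = true)]
    public static extern bool InternetSetOption(IntPtr h, uint opt, ref INTERNET_CONNECTED_INFO buf, uint len);
}
'@

function Get-IeOfflineState {
    # Persisted flag IE writes when the user picks File > Work Offline.
    $isKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $reg = Get-ItemProperty -Path $isKey -ErrorAction SilentlyContinue
    # Live WinInet state: what an agent using the IE HTTP libraries actually sees.
    [uint32]$state = 0; [uint32]$len = 4
    $ok = [NacDiagWinInet]::InternetQueryOption([IntPtr]::Zero,
            [NacDiagWinInet]::INTERNET_OPTION_CONNECTED_STATE, [ref]$state, [ref]$len)
    [pscustomobject]@{
        RegistryWorkOffline  = ($reg.GlobalUserOffline -eq 1)
        WinInetState         = ('0x{0:X}' -f $state)
        WinInetOfflineByUser = $ok -and (($state -band [NacDiagWinInet]::INTERNET_STATE_DISCONNECTED_BY_USER) -ne 0)
    }
}

function Set-IeOnline {
    # Takes the WinInet stack out of "disconnected by user" (the 4.8 agent's approach per TAC).
    $info = New-Object 'NacDiagWinInet+INTERNET_CONNECTED_INFO'
    $info.dwConnectedState = [NacDiagWinInet]::INTERNET_STATE_CONNECTED
    $info.dwFlags = 0
    $size = [Runtime.InteropServices.Marshal]::SizeOf($info)
    [NacDiagWinInet]::InternetSetOption([IntPtr]::Zero,
        [NacDiagWinInet]::INTERNET_OPTION_CONNECTED_STATE, [ref]$info, $size)
}

$before = Get-IeOfflineState
Write-Output "Before:"; $before | Format-List
if ($GoOnline -and ($before.RegistryWorkOffline -or $before.WinInetOfflineByUser)) {
    if (Set-IeOnline) { Write-Output "After:"; Get-IeOfflineState | Format-List }
    else { Write-Warning ("InternetSetOption failed, Win32 error " + [Runtime.InteropServices.Marshal]::GetLastWin32Error()) }
}
```

Run it as the affected user while the agent is stuck in the temporary role; if RegistryWorkOffline or WinInetOfflineByUser is True, that matches the cause in CSCta39899 rather than a CAS reachability problem.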
