Beginner

Cannot Add CAS to CAM

Hi, I have a problem adding a NAC Server to the NAC Manager. I'm using version 4.8.0. I have 1 NAC Manager and 2 NAC Servers. The IP addresses for the servers are 192.168.50.30/30 and 192.168.50.34/30. I have no problem adding 192.168.50.30 to the manager. For the 192.168.50.34 server, I have to issue the "service perfigo config" command before I add 192.168.50.34 to the manager. After adding the server successfully, I tried to reboot the manager and the server. After the reboot, the manager cannot connect to 192.168.50.34. In the event log it says out-of-sync.

I have made sure of the items below:

- There is no date and time difference between the NAC Manager and 192.168.50.34

- The master secret is the same

- I can ssh between The NAC manager and 192.168.50.34.

Is there any solution for this problem?

Do I have to issue the "service perfigo config" command before I add the 192.168.50.34 server to the Manager?

Cisco Employee

Re: Cannot Add CAS to CAM

Hi Justinus,

In order to understand what is actually going on between the CAM and the CAS, I'd suggest setting all logging levels on the CAM to "TRACE", under

Administration > CCA manager > Support Logs

and also on the CAS, at https:///admin, under

Monitoring > Support Logs

Please be aware that changing the logging levels does not survive a reboot. So you may want to simply enable logging and try to manually re-add the CAS to the CAM.
As you recreate the issue, please take note of the time stamp, and then collect the following files on the CAM

/perfigo/control/tomcat/logs/nac_manager.log

and on the CAS

/perfigo/access/tomcat/logs/nac_server.log

If you'd like to attach those files here, we could take a first look at what is happening (please remember to mention the time stamp when the issue was recreated).
Also, please remember to set the logging levels on the CAM/CAS back to their original values, so as not to degrade performance in the long run.

Regards,

Fede

--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Beginner

Re: Cannot Add CAS to CAM

Hi Fede,

Thank you for your response.

I will attach the log file that you asked for. It is a seven-day log from 4 January 2011.

Cisco Employee

Re: Cannot Add CAS to CAM

Hi Justinus,

In the CAS' logs I could see some messages from December 30th reporting the following:

2010-12-30 17:09:13.560 +0700 ERROR com.perfigo.wlan.ssl.SSLLog                        - SSLManager: server's certificate chain verification failed CN=192.168.50.34, OU=DEXA-NAC, O=DEXA-NAC, L=TANGGERANG, ST=TGR, C=ID:Certificate signature validation failed

Following from this, we may need to check that the CAM's server certificate is issued by a Root CA whose certificate is imported in the CAS, and vice versa.

Also, could you please confirm that the CAS's server certificate has been successfully imported along with its corresponding private key?

Regards,

Fede


Beginner

Re: Cannot Add CAS to CAM

Hi Fede, I have solved the SSL certificate problem. Today I tried to recreate the problem, so maybe you should look at the log file for this day, 4 January 2011.

Thanks b4

Cisco Employee

Re: Cannot Add CAS to CAM

Thank you Justinus,

From January 4th I could see the following on the CAM:

2011-01-04 14:36:47.377 +0700 [TP-Processor24] DEBUG com.perfigo.wlan.web.admin.ConnectorClient         - connect : Connect to <192.168.50.34:1099>

2011-01-04 14:36:47.644 +0700 [TP-Processor24] DEBUG com.perfigo.wlan.ssl.SSLLog                        - SSLManager: server's certificate chain verification ok ... CN=192.168.50.34, OU=DEXA-NAC, O=DEXA-NAC, L=TANGGERANG, ST=TGR, C=ID

2011-01-04 14:36:47.694 +0700 [TP-Processor24] DEBUG com.perfigo.wlan.ssl.SSLLog                        - RMISocketFactory:CACHED_SOCKETS_SIZE=2

2011-01-04 14:36:47.694 +0700 [TP-Processor24] DEBUG com.perfigo.wlan.ssl.SSLLog                        - RMISocketFactory:CACHED_SOCKETSE=[152aa7e[TLS_RSA_WITH_AES_128_CBC_SHA: Socket[addr=192.168.50.30/192.168.50.30,port=1099,localport=12668]], 93b910[TLS_RSA_WITH_AES_128_CBC_SHA: Socket[addr=192.168.50.34/192.168.50.34,port=1099,localport=18154]]]

2011-01-04 14:36:47.706 +0700 [TP-Processor24] ERROR com.perfigo.wlan.web.admin.ConnectorClient         - Communication Exception : Could not connect to the Clean Access Server localhost

2011-01-04 14:36:47.724 +0700 [TP-Processor24] ERROR com.perfigo.wlan.web.admin.SecureSmartManager      - Could not connect to 192.168.50.34

On the CAS we have:

2011-01-04 14:35:49.363 +0700 DEBUG com.perfigo.wlan.ssl.SSLLog                        - SSLManager: client's certificate chain verification ok ...CN=192.168.50.42, OU=DEXA-NAC, O=DEXA-NAC, L=TANGGERANG, ST=TGR, C=ID

2011-01-04 14:35:49.409 +0700 DEBUG com.perfigo.wlan.ssl.SSLLog                        - RMISocketFactory:added socket:1059a9a[TLS_RSA_WITH_AES_128_CBC_SHA: Socket[addr=/192.168.50.42,port=18154,localport=1099]]

2011-01-04 14:35:49.409 +0700 DEBUG com.perfigo.wlan.ssl.SSLLog                        - RMISocketFactory:CACHED_SOCKETS_SIZE=1

2011-01-04 14:35:49.409 +0700 DEBUG com.perfigo.wlan.ssl.SSLLog                        - RMISocketFactory:CACHED_SOCKETSE=[1059a9a[TLS_RSA_WITH_AES_128_CBC_SHA: Socket[addr=/192.168.50.42,port=18154,localport=1099]]]

2011-01-04 14:36:04.426 +0700 DEBUG com.perfigo.wlan.ssl.SSLLog                        - RMISocketFactory:removed socket:1059a9a[TLS_RSA_WITH_AES_128_CBC_SHA: Socket[addr=/192.168.50.42,port=18154,localport=1099]]

2011-01-04 14:36:04.427 +0700 DEBUG com.perfigo.wlan.ssl.SSLLog                        - RMISocketFactory:CACHED_SOCKETS_SIZE=0

2011-01-04 14:36:04.427 +0700 DEBUG com.perfigo.wlan.ssl.SSLLog                        - RMISocketFactory:CACHED_SOCKETSE=[]

2011-01-04 14:36:04.427 +0700 DEBUG com.perfigo.wlan.ssl.SSLLog                        - RMISocketFactory:CACHED_SOCKETS_SIZE=0

2011-01-04 14:36:04.427 +0700 DEBUG com.perfigo.wlan.ssl.SSLLog                        - RMISocketFactory:CACHED_SOCKETSE=[]

2011-01-04 14:36:08.736 +0700 TRACE com.perfigo.wlan.jmx.admin.FailSafeManager         - FailSafeManager is running:{0.85,0.3,[0:0:15]}:DETECT_INTERVAL=20:DETECT_TIME_OUT=300

2011-01-04 14:36:08.736 +0700 TRACE com.perfigo.wlan.jmx.admin.FailSafeManager         - FailSafeManager has nothing to do ...192.168.50.42:0:1

2011-01-04 14:36:08.736 +0700 TRACE com.perfigo.wlan.jmx.admin.FailSafeManager         - FailSafeManager is going to sleep: {0.85,0.3,[0:0:0]} delay=20000

Not too much to tell what could be the issue...

Are you running the two CAS's in HA by any chance?

Also, is the CAM part of an HA pair too?

Regards,

Fede

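As an added triage aid (not code from this thread or from Cisco NAC), here is a small Python parser for the nac_manager.log / nac_server.log line format quoted in the replies above. It flags the "certificate chain verification failed" error from December 30th and the "Could not connect" error from January 4th, and ranks a certificate failure first because a failed chain check aborts the TLS session before any RMI connect can succeed. The sample lines are constructed to match the shape of the quoted ones; the field names, SIGNATURES and first_cause are my own.

```python
import re
from datetime import datetime

# Matches the log line shape seen in nac_manager.log / nac_server.log above;
# the "[thread]" field appears on the CAM but not on the CAS.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<tz>[+-]\d{4}) "
    r"(?:\[(?P<thread>[^\]]+)\] )?(?P<level>TRACE|DEBUG|INFO|WARN|ERROR|FATAL) "
    r"(?P<logger>\S+)\s+- (?P<msg>.*)$"
)

# Message fragments (assumed set) that explain a CAS stuck "out-of-sync" with the CAM.
SIGNATURES = {
    "cert_chain_failed": "certificate chain verification failed",
    "could_not_connect": "Could not connect",
}

def parse_line(line):
    """Parse one perfigo log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S.%f")
    return rec

def triage(lines):
    """Return [(kind, ts, logger, msg)] for lines that match a SIGNATURES entry."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for kind, needle in SIGNATURES.items():
            if needle in rec["msg"]:
                findings.append((kind, rec["ts"], rec["logger"], rec["msg"]))
                break
    return findings

def first_cause(findings):
    """Prefer a certificate failure: it aborts the TLS session before RMI can connect."""
    certs = [f for f in findings if f[0] == "cert_chain_failed"]
    return certs[0] if certs else (findings[0] if findings else None)

# Constructed sample lines modelled on the thread (not copied from a real log).
SAMPLE_LOG = [
    "2010-12-30 17:09:13.560 +0700 ERROR com.perfigo.wlan.ssl.SSLLog - SSLManager: server's certificate chain verification failed CN=192.168.50.34, O=EXAMPLE, C=ID:Certificate signature validation failed",
    "2011-01-04 14:36:47.377 +0700 [TP-Processor24] DEBUG com.perfigo.wlan.web.admin.ConnectorClient - connect : Connect to <192.168.50.34:1099>",
    "2011-01-04 14:36:47.706 +0700 [TP-Processor24] ERROR com.perfigo.wlan.web.admin.ConnectorClient - Communication Exception : Could not connect to the Clean Access Server localhost",
]
```

Run it over the real files with `triage(open(path).readlines())` on both the CAM and the CAS, then compare the timestamps of the findings from each side.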

Beginner

Re: Cannot Add CAS to CAM

Hi, Fede.

I haven't checked the HA configuration yet. Since I upgraded from 4.1.3 to 4.7.0 to 4.8.0, I have never touched the HA configuration in the CAM or in the CAS. But there is something that I want to ask. The first time I add the CAS after "service perfigo config", I have to ping that CAS server from the core until the event log shows "in-sync". If I don't ping from the core, the CAM event log will show "out-of-sync" and then "disconnected". Is that normal?

Thanks

Cisco Employee

Re: Cannot Add CAS to CAM

Hi Justinus,

What you are describing should not in fact be the expected behavior.
After a reboot, the CAS should be able to automatically reconnect with the CAM and re-sync, if at least one previous synchronization was successful.

We may be looking into issues with the HA pairs, in case the database replication from one CAS to the other does not fully succeed.
Could you please confirm the output of the following commands from both CASs in the HA pair?

1. For each one of the two servers, please SSH to it.

2. Please change directory to /etc/ha.d/ and then issue the command "more perfigo.conf".
This should display the network configuration of the CAS.

3. Now still from the same /etc/ha.d/ directory please issue the command "more ha.cf".
This should show us the HA configuration of each CAS.

4. As a last step please change directory to /perfigo/common/bin/ and then issue the command "./fostate.sh".

Regards,

Fede
