Cas High Availability Overview - Cisco NAC3350-PROF-K9 - NAC Profiler Server Installation Manual

Nac appliance hardware

Installing a Clean Access Server High Availability Pair
Note: You must use identical appliances (e.g. NAC-3350 and NAC-3350 or NAC-3315 and NAC-3315) in order to configure High Availability (HA) pairs of Clean Access Managers (CAMs) or Clean Access Servers (CASs).

CAS High Availability Overview

Caution: CAM-CAS communication and HA-CAM and/or HA-CAS peer communication can break down and adversely affect network functionality when SSL certificates expire. Refer to the caveat CSCtb43264 in Release Notes for Cisco NAC Appliance, Version 4.8(3). For more information, see the "HA Active-Active Situation Due to Expired SSL Certificates" section of the Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.8.

Note: Cisco NAC network modules installed in Cisco Integrated Services Routers (ISRs) do not support high availability.

The following key points provide a high-level overview of HA-CAS operation:

- The Clean Access Server high-availability mode is an Active/Passive two-server configuration in which a standby CAS machine acts as a backup to an active CAS machine.

- The active CAS performs all tasks for the system. Since most of the CAS configuration is stored on the CAM, when CAS failover occurs, the CAM pushes the configuration to the newly-active CAS.

  Note: If you use the Authorization feature in a CAS HA-pair, follow the guidelines in "Backing Up and Restoring CAM/CAS Authorization Settings" in the Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.8 to ensure you are able to exactly duplicate your Authorization settings from one CAS to its high availability counterpart.

- Clean Access Managers and Clean Access Servers use a local master secret password to encrypt and protect important data, like other system passwords. The master secret password needs to be the same for a CAM-HA pair. Cisco recommends keeping very accurate records of assigned master secret passwords to ensure that you are able to fail over to the HA peer CAM/CAS in HA deployments. (HA-Secondary CAMs/CASs are not able to assume the "active" role following a failover event when the master secret passwords are different.)

- The standby CAS does not forward any packets between its interfaces.

- The standby CAS monitors the health of the active CAS via heartbeat interface (serial and one or more UDP interfaces). Heartbeat packets can be sent on the dedicated eth2 interface, dedicated eth3 interface, or eth0/eth1 interface (if no eth2 or eth3 interface is available).

- The primary and secondary CAS machines exchange UDP heartbeat packets every 2 seconds. If the heartbeat timer expires, stateful failover occurs.

- In addition to heartbeat-based failover, the CAS also provides link-based failover based on eth0 or eth1 link failure. The CAS sends ICMP ping packets to an external IP address via the eth0 and/or eth1 interface. Failover will occur if only one CAS can ping the external addresses.

Cisco NAC Appliance Hardware Installation Guide, OL-20326-01, Chapter 4: Configuring High Availability (HA), page 4-18
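
The Caution above ties CAM-CAS and HA peer communication to certificate validity. The following added example, which is not part of the Cisco guide, uses `openssl x509 -checkend` to flag certificates of an HA pair that are expired or close to expiry; it assumes each appliance's certificate is available as a PEM file, and the function names, file names and 30-day warning window are illustrative.

```shell
#!/bin/sh
# Added example: flag HA-pair certificates that are expired or near expiry.
# Assumption: each appliance's certificate has been exported to a PEM file.

# ha_cert_status FILE WARN_DAYS -> prints OK, EXPIRING, EXPIRED or UNREADABLE
ha_cert_status() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || { echo UNREADABLE; return; }
    if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo EXPIRED
    elif ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1; then
        echo EXPIRING
    else
        echo OK
    fi
}

# check_ha_pair PRIMARY_PEM SECONDARY_PEM WARN_DAYS
# Prints one status line per peer; returns 0 only when both are OK.
check_ha_pair() {
    rc=0
    for f in "$1" "$2"; do
        s=$(ha_cert_status "$f" "$3")
        echo "$f: $s"
        [ "$s" = OK ] || rc=1
    done
    return "$rc"
}

# Constructed sample input: throwaway self-signed certificates standing in
# for the exported appliance certificates (hypothetical names).
make_sample_cert() {  # make_sample_cert OUT_PEM DAYS CN
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=$3" \
        -keyout /dev/null -out "$1" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir/cas-primary.pem" 10 cas-primary.example
make_sample_cert "$demo_dir/cas-secondary.pem" 400 cas-secondary.example
check_ha_pair "$demo_dir/cas-primary.pem" "$demo_dir/cas-secondary.pem" 30 ||
    echo "renew certificates before they expire on either HA peer"
rm -rf "$demo_dir"
```

Run on a schedule, a non-zero return from `check_ha_pair` gives advance warning for both peers before an expiry can disrupt the pair.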

This manual is also suitable for: Nac-3315, Nac-3355, Nac-3395, Nac-3310, Nac-3350, Nac-3390
