Cisco NAC Appliance Hardware Installation Guide, OL-20326-01, page 4-30
Chapter 4 Configuring High Availability (HA)
Installing a Clean Access Server High Availability Pair

Note
In addition to UDP Interface configuration, you can optionally configure the CAS to respond to link failures on the trusted and/or untrusted sides as failover events. The CAS attempts to ping the trusted and/or untrusted link-detect addresses specified, then counts the number of nodes it can reach:
    0 for no addresses
    1 for either trusted/untrusted
    2 for both trusted/untrusted
If the Standby CAS can reach more nodes than the Active CAS, the Standby CAS will take over and become the Active CAS. If both CASs can ping the same number of addresses (all addresses or only one address), no failover event occurs, since neither CAS has the advantage. To enable link-detect, enter at least one link-detect IP address on each CAS and a link-detect timeout. See also Choosing External IPs for Link-Based Failover, page 4-22 for more details.

The standby CAS may still receive heartbeat packets from the active CAS via other available heartbeat interfaces (serial or eth2, for example) even though its eth0 and/or eth1 interface goes down. If the standby CAS relies only on heartbeat timers for stateful failover, the standby CAS would never assume the active role even though the active CAS becomes unable to perform its primary function. With link-based failover configured, the active and standby CAS exchange eth0 and eth1 status via the heartbeat interface, so if one of those two interfaces goes down, the standby CAS can still assume the active role even if the heartbeat from the active CAS does not trigger a failover event.

Note
If your network topology restricts Link-detect functionality between your CAS HA pair appliances, you can also use the /etc/ha.d/linkdetect.conf file to enforce Link-detect behavior on your eth0 and/or eth1 interfaces. See Link-Detect Interfaces, page 4-45 for further details.

• Link-detect Timeout (seconds): This sets the length of time the CAS attempts to ping the Trusted-side and/or Untrusted-side Link-detect IP address(es). Cisco recommends entering a time of at least 26 seconds. If the CAS cannot ping the node for the period of time specified, the node is considered not pingable.

Note
The CAS performs Heartbeat connection and (optionally) Link-detect according to the same interval, approximately every 1-2 seconds.

• [Primary] Local Host Name: This is filled in by default for the HA-Primary CAS, as configured under Administration > Network Settings > DNS | Host Name ("rjcas_1" in Figure 4-12).
• [Primary] Local Serial No: Filled in by default for the HA-Primary CAS. The local serial number identifies this CAS to the Clean Access Manager (and is composed of eth0/eth1 MAC addresses). In an HA-CAS pair, the serial number of the Primary CAS is the key used to associate all the configuration information specific to this CAS in the CAM database.
• [Primary] Local MAC Address (trusted-side interface): Filled in by default; the MAC address of the eth0 interface for the HA-Primary CAS.
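
The link-detect failover rule and timeout described in the notes above can be modelled as follows. This is an added illustration, not Cisco's implementation: the class and function names, the 2-second polling step and the "trusted"/"untrusted" sample targets are assumptions, while the 26-second timeout and the reachable-node comparison come from the text.

```python
from dataclasses import dataclass, field

LINK_DETECT_TIMEOUT = 26.0  # seconds; the guide recommends at least 26


@dataclass
class CasNode:
    """Model of one CAS in the HA pair (hypothetical class, not Cisco code)."""
    name: str
    # link-detect address -> time of the last successful ping (seconds)
    last_ok: dict = field(default_factory=dict)

    def record_ping(self, address, now, success):
        self.last_ok.setdefault(address, float("-inf"))
        if success:
            self.last_ok[address] = now

    def reachable_count(self, now, timeout=LINK_DETECT_TIMEOUT):
        # An address is "not pingable" once no ping has succeeded for `timeout` s.
        return sum(1 for t in self.last_ok.values() if now - t < timeout)


def standby_takes_over(active, standby, now, heartbeat_alive, link_detect=True):
    """Return True when the standby should assume the active role."""
    if not heartbeat_alive:
        return True   # ordinary heartbeat-timer failover
    if not link_detect:
        return False  # heartbeat-only: a dead eth0/eth1 on the active goes unnoticed
    # Link-based failover: only a strictly higher count gives the standby the advantage.
    return standby.reachable_count(now) > active.reachable_count(now)


def simulate(active_trusted_fails_at, end, step=2.0):
    """Poll every `step` s; return the time the standby takes over, or None."""
    active, standby = CasNode("active"), CasNode("standby")
    now = 0.0
    while now <= end:
        for addr in ("trusted", "untrusted"):  # constructed link-detect targets
            standby.record_ping(addr, now, True)
            ok = not (addr == "trusted" and now >= active_trusted_fails_at)
            active.record_ping(addr, now, ok)
        # Heartbeat keeps arriving (e.g. over serial), so only link-detect can trigger.
        if standby_takes_over(active, standby, now, heartbeat_alive=True):
            return now
        now += step
    return None
```

With the active CAS losing its trusted-side target at t = 10 s, `simulate(10.0, 120.0)` returns 34.0: the last successful ping was at t = 8 s, and the standby gains the advantage once 26 seconds pass without another.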