Bingo. I just worked with TAC via a web meeting and this is exactly what
was wrong. My untrusted and trusted side service IPs were, in fact,
different.

On 5/13/08 8:48 AM, "David Pifer" <[log in to unmask]> wrote:
> I just had a TAC case on this same issue after upgrading the system from
> 4.1.1 to 4.1.3.1. Turns out that if you have the IP the same on both
> interfaces and you are running in HA Failover mode you have to go to the
> CAS config page and set the IP address of the Trusted and untrusted side
> to the same service IP address. It won't start the service ports and will
> behave exactly like you say. We set this and rebooted and suddenly life
> was happy.
>
>
> David L. Pifer - N9YNF - CCNA
> Network Engineering Services
> Indiana State University, Office of Information Technology
> 210 N. 7th St., Rankin Hall R044, Terre Haute, IN 47809
> 812.237.2923 office 812.237.4361 fax
>
>
>>>> "Stempien, Dave" <[log in to unmask]> 5/13/2008 07:57
>>>>
> The switch is configured as a managed device, and the CAM and CAS are on
> different subnets.
>
> I am able to authenticate via a web browser by opening up the IP address of
> the CAS manually, and everything else seems to work as expected (switch port
> VLAN reconfiguration/bounce/etc.). The web redirection isn't happening, nor
> is the client automatically popping up. Via tcpdump, I'm seeing the SWISS
> packets arriving on the untrusted interface of the CAS.
>
> Still stumped...
>
> On 5/13/08 7:37 AM, "Northcutt, Kevin A. (Information Services)"
> <[log in to unmask]> wrote:
>
>> Are they all on different subnets?
>>
>> -----Original Message-----
>> From: Cisco Clean Access Users and Administrators
>> [mailto:[log in to unmask]] On Behalf Of Osborne, Bruce W. (NS)
>> Sent: Thursday, May 08, 2008 4:25 PM
>> To: [log in to unmask]
>> Subject: Re: L2 OOB Virtual Gateway Configuration Problem
>>
>> Have you configured your switch as a managed device?
>>
>> -----Original Message-----
>> From: Cisco Clean Access Users and Administrators
>> [mailto:[log in to unmask]] On Behalf Of David Stempien
>> Sent: Thursday, May 08, 2008 4:14 PM
>> To: [log in to unmask]
>> Subject: [CLEANACCESS] L2 OOB Virtual Gateway Configuration Problem
>>
>> I have exhausted my troubleshooting options for what should be a
>> simple configuration. I am trying to add a new CAS as a L2 OOB
>> Virtual Gateway. I've configured L2 IB Virtual Gateways many times
>> with no problem. It appears the configuration in OOB mode is very
>> similar to the IB. Here's what I've done:
>>
>> - Added CAS to CAM as L2 OOB Virtual Gateway
>> - Under managed subnet, added IP for untrusted VLAN
>> - Configured VLAN Mapping for untrusted -> trusted VLANs
>>
>> DHCP passthrough works just fine. I can do everything on my test host
>> as permitted by my Unauthenticated Role. On my test host, I even have
>> ARP resolution for the managed subnet IP on the CAS.
>>
>> For the life of me, I can't figure out why the agent is not popping up
>> or why web page redirection isn't happening. It's almost as if the
>> CAS is not seeing my host traffic, or maybe it's just ignoring it. I
>> find that hard to accept given my observations in the previous
>> paragraph.
>>
>> Is there something special about the OOB configuration that I may have
>> overlooked?
>>
>> Thanks in advance for any advice!
>>
>> --
>> Dave Stempien, Network Security Engineer
>> University of Rochester Medical Center
>> Information Systems Division
>> (585) 784-2427
>