CLEANACCESS Archives

May 2008

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From: "Stempien, Dave" <[log in to unmask]>
Reply To: Cisco Clean Access Users and Administrators <[log in to unmask]>
Date: Tue, 13 May 2008 09:28:43 -0400

Bingo.  I just worked with TAC via a web meeting and this is exactly what
was wrong.  My untrusted and trusted side service IPs were, in fact,
different.

On 5/13/08 8:48 AM, "David Pifer" <[log in to unmask]> wrote:

> I just had a TAC case on this same issue after upgrading the system from
> 4.1.1 to 4.1.3.1. Turns out that if you have the IP the same on both
> interfaces and you are running in HA Failover mode you have to go to the
> CAS config page and set the IP address of the Trusted and untrusted side
> to the same service IP address. It won't start the service ports and will
> behave exactly like you say. We set this and rebooted and suddenly life
> was happy.
>
> David L. Pifer - N9YNF - CCNA
> Network Engineering Services
> Indiana State University, Office of Information Technology
> 210 N. 7th St., Rankin Hall R044, Terre Haute, IN 47809
> 812.237.2923 office  812.237.4361 fax
>

>>>> "Stempien, Dave" <[log in to unmask]> 5/13/2008 07:57
>>>>
> The switch is configured as a managed device, and the CAM and CAS are on
> different subnets.
>
> I am able to authenticate via a web browser by opening up the IP address of
> the CAS manually, and everything else seems to work as expected (switch port
> VLAN reconfiguration/bounce/etc.)  The web redirection isn't happening, nor
> is the client automatically popping up.  Via tcpdump, I'm seeing the SWISS
> packets arriving on the untrusted interface of the CAS.
>
> Still stumped...
>

> On 5/13/08 7:37 AM, "Northcutt, Kevin A. (Information Services)"
> <[log in to unmask]> wrote:
>
>> Are they all on different subnets?
>>
>> -----Original Message-----
>> From: Cisco Clean Access Users and Administrators
>> [mailto:[log in to unmask]] On Behalf Of Osborne, Bruce W. (NS)
>> Sent: Thursday, May 08, 2008 4:25 PM
>> To: [log in to unmask]
>> Subject: Re: L2 OOB Virtual Gateway Configuration Problem
>>
>> Have you configured your switch as a managed device?
>>
>> -----Original Message-----
>> From: Cisco Clean Access Users and Administrators
>> [mailto:[log in to unmask]] On Behalf Of David Stempien
>> Sent: Thursday, May 08, 2008 4:14 PM
>> To: [log in to unmask]
>> Subject: [CLEANACCESS] L2 OOB Virtual Gateway Configuration Problem
>>

>> I have exhausted my troubleshooting options for what should be a
>> simple configuration.  I am trying to add a new CAS as a L2 OOB
>> Virtual Gateway.  I've configured L2 IB Virtual Gateways many times
>> with no problem.  It appears the configuration in OOB mode is very
>> similar to the IB.  Here's what I've done:
>>
>> - Added CAS to CAM as L2 OOB Virtual Gateway
>> - Under managed subnet, added IP for untrusted VLAN
>> - Configured VLAN Mapping for untrusted -> trusted VLANs
>>
>> DHCP passthrough works just fine.  I can do everything on my test host
>> as permitted by my Unauthenticated Role.  On my test host, I even have
>> ARP resolution for the managed subnet IP on the CAS.
>>
>> For the life of me, I can't figure out why the agent is not popping up
>> or why web page redirection isn't happening.  It's almost as if the
>> CAS is not seeing my host traffic, or maybe it's just ignoring it.  I
>> find that hard to accept given my observations in the previous
>> paragraph.
>>
>> Is there something special about the OOB configuration that I may have
>> overlooked?
>>
>> Thanks in advance for any advice!
>>
>> --
>> Dave Stempien, Network Security Engineer
>> University of Rochester Medical Center
>> Information Systems Division
>> (585) 784-2427


