Cisco NAC server hang issue

Hi all Cisco NAC experts, I am currently experiencing a Cisco NAC NAC3315-SVR hang issue.
The issue has already happened a few times on the same server. The symptoms when the NAC server hung include: no response to ICMP ping, no response to SSH requests, no response to access requests for the CAS management page via HTTPS, and the HA pair was detected as down by its HA neighbor, which triggered failover to the secondary CAS.
The CAS server was recovered after manually power cycling the hardware.
After going through the attached CAS logs, I found that all the services and the logging service were stopped when the issue was happening, but unfortunately no suspicious activity was logged before or during the issue.
I have also tried searching the Cisco Bug Toolkit, but no similar case was found. I believe it was not caused by a software bug, since software version 4.8.1 has been running in my company for years and only one CAS server is having the issue.
It would be great if anyone could help me out with this.
Thanks,
Eric

Hi Bro
This could be a problem with the certificate in the Cisco NAC appliance itself. My suggestion is to redo the certificate generation between the CAS, CAM and CA server. If this still doesn't work, it could also be due to overload or a broadcast storm on the LAN portion. This can be verified with Wireshark.
If all else fails, then a hardware swap would seem like the next best thing.

Similar Messages

  • Cisco NAC Server

    Hello! Help me please!
    I'm performing an installation of Cisco NAC Server 3315 ver. 4.8(2), but after that I can't connect to the server by HTTPS (HTTP 403 Forbidden). I can connect to the NAC Server by SSH.
    What could be the reason?

    While rebooting, I am getting this:
    Starting nc_drivers:  /dev/nfastpci0
    [  OK  ]
    Starting nc_hardserver:  waiting for nCipher server to become operational ...
    waiting for nCipher server to become operational ...
    waiting for nCipher server to become operational ...
    waiting for nCipher server to become operational ...
    waiting for nCipher server to become operational ...
    nCipher server did not start; see /opt/nfast/log/hardserver.log
    [FAILED]
    Starting sshd:WARNING: initlog is deprecated and will be removed in a future release
    key_load_private_pem: RSA_blinding_on failed
    Could not load host key: /root/.perfigo/sec/tomcat.key
    Disabling protocol version 2. Could not load host key
    sshd: no hostkeys available -- exiting.
    [FAILED]
    Starting xinetd: [  OK  ]
    Starting console mouse services: [  OK  ]
    Starting nessusd: Loading the Nessus plugins...
    All plugins loaded                                  
    [  OK  ]
    Starting crond: [  OK  ]
    Starting anacron: [  OK  ]
    Starting atd: [  OK  ]
    Starting jexec:  Starting jexec services[  OK  ]
    Starting Ncipher services
    -- Running startup script 45drivers
    -- Running startup script 46exard
    -- Running startup script 50hardserver
    waiting for nCipher server to become operational ...
    waiting for nCipher server to become operational ...
    waiting for nCipher server to become operational ...
    waiting for nCipher server to become operational ...
    waiting for nCipher server to become operational ...
    nCipher server did not start; see /opt/nfast/log/hardserver.log
    Starting perfigo:  click: starting router thread pid 2092 (f7b7d340)
    Failed execute command : CONNECTFORCE, Error : Connection refused
    BaseAgent process reconnecting...
    Failed execute command : ACTIVE, Error : Connection refused
    BaseAgent executes [ACTIVE] ...
    Link Detect Manager only operates when HA is enabled.
    NFastApp_Connect failed: ServerNotRunning
    And then in the hardserver log I am getting "nCipher card not in operational mode. Please change the settings on the card."
    How do I resolve the issue?
    Thanks
    Shalvi Yadav

  • Cisco NAC Server eth0 fails communication when connected to trunking switchport

    NAC deployment is L2 OOB Virtual-Gateway-Mode
    When our CAS eth0 is connected to a trunk port, the port changes to a connected state, but we are unable to ping the CAS from the CAM or from the switch connected to the CAS. Our CAM is on VLAN 32 and the CAS is on VLAN 60. Below is the config for the port connecting the CAS. The CAS management IP is assigned to VLAN 60. The switch is a 6509. Blade 2 only supports dot1q, so we do not need to set the encapsulation type for this switchport.
    interface GigabitEthernet2/39
    description Trust eth0
    no ip address
    switchport
    switchport trunk native vlan 998
    switchport trunk allowed vlan 33,34,40,60
    switchport mode trunk
    end
    If we disable trunking and switch the port to access VLAN 60, we are able to communicate with the CAS. Has anyone run into this when deploying NAC?
    If so, how was the issue resolved?

    I have the same issue. But it gets even stranger: I had the CAM/CAS working in a test LAN environment and got AD SSO to work by applying VLANs based on the AD group membership of the user logging on. The client was pleased.
    I moved the two NAC devices to their location and reloaded both CAM and CAS clean from CD, did the same configuration, and now eth0 (trusted) can't see the AD domain controller but can see the CAM. I ran nslookup on the CAS to test the network settings and the result is "no server found"; the DNS server is the AD domain controller.
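The following is an added illustration, not code from either poster or from Cisco: a small model of how the GigabitEthernet2/39 configuration quoted above classifies frames that arrive from the CAS eth0 port. It applies two Catalyst trunking rules: an untagged frame on a trunk is placed in the native VLAN, and a frame whose VLAN (native or tagged) is not in the allowed list is dropped. On the posted port the native VLAN is 998, which is absent from the allowed list 33,34,40,60, so the model drops every untagged frame and admits only frames tagged with one of the allowed VLANs. Whether the CAS tags its management traffic depends on the VLAN ID configured on its eth0 interface, which the post does not show; the parser, the `POSTED_CONFIG` copy and the IOS defaults assumed for missing lines are this example's own.

```python
"""Model of how a Catalyst switchport treats frames from the CAS eth0 port.

Added example, not from the thread. The parser understands only the
switchport lines shown in the posted interface block and assumes the IOS
defaults (access mode, VLAN 1, all VLANs allowed) for anything not stated.
"""

import re

# The interface block exactly as posted in the thread.
POSTED_CONFIG = """\
interface GigabitEthernet2/39
 description Trust eth0
 no ip address
 switchport
 switchport trunk native vlan 998
 switchport trunk allowed vlan 33,34,40,60
 switchport mode trunk
end
"""


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '33,34,40,60' or '10-12,60' into a set."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_switchport(config):
    """Return the port's Layer 2 settings, with IOS defaults for missing lines."""
    port = {
        "mode": "access",                # default when 'switchport mode' is absent
        "access_vlan": 1,
        "native": 1,
        "allowed": set(range(1, 4095)),  # 'switchport trunk allowed vlan all'
    }
    rules = [
        (r"switchport mode (access|trunk)",
         lambda m: port.update(mode=m.group(1))),
        (r"switchport access vlan (\d+)",
         lambda m: port.update(access_vlan=int(m.group(1)))),
        (r"switchport trunk native vlan (\d+)",
         lambda m: port.update(native=int(m.group(1)))),
        (r"switchport trunk allowed vlan ([\d,\-]+)",
         lambda m: port.update(allowed=expand_vlan_list(m.group(1)))),
    ]
    for line in config.splitlines():
        line = line.strip()
        for pattern, apply in rules:
            m = re.fullmatch(pattern, line)
            if m:
                apply(m)
                break
    return port


def classify_ingress(port, tag=None):
    """VLAN a frame from the host lands in, or None if the switch drops it.

    tag=None is an untagged frame, which is what a host sends when no 802.1Q
    (management) VLAN ID is configured on its interface.
    """
    if port["mode"] == "access":
        # An access port forwards untagged frames and frames tagged with its own VLAN.
        return port["access_vlan"] if tag in (None, port["access_vlan"]) else None
    vlan = port["native"] if tag is None else tag
    return vlan if vlan in port["allowed"] else None


def explain(config, tag=None):
    """One-line verdict for a frame with the given tag on the given port."""
    port = parse_switchport(config)
    vlan = classify_ingress(port, tag)
    frame = "untagged frame" if tag is None else f"frame tagged VLAN {tag}"
    if vlan is not None:
        return f"{frame}: forwarded in VLAN {vlan}"
    if port["mode"] == "access":
        return f"{frame}: dropped (access port in VLAN {port['access_vlan']})"
    if tag is None:
        return f"{frame}: dropped (native VLAN {port['native']} is not in the allowed list)"
    return f"{frame}: dropped (VLAN {tag} is not in the allowed list)"


if __name__ == "__main__":
    for t in (None, 60, 998, 32):
        print(explain(POSTED_CONFIG, t))
```

Running the module prints the verdict for an untagged frame and for frames tagged 60, 998 and 32 against the posted trunk; the first of these is the case that matters if the CAS sends its VLAN 60 management traffic untagged.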

  • Question about cisco nac agent

    When I deploy Cisco NAC Appliance, what is the main difference between using Cisco NAC Appliance with or without the agent? I see the Cisco NAC Agent has two functions: scan and remediation. If Cisco NAC Appliance is used without the agent, does the Cisco NAC Server scan the device and remediate? Is that right?
    Please answer me soon. Thank you for your answer.

    Sorry, I believe daldden is correct: without the agent you can still scan using the built-in Nessus scanner.
    We don't use the Nessus scanner, but these are some things to consider if you use the scanner. These are from memory, though, so anyone who actively uses the scanner may be able to give more up-to-date or complete info:
    1) You have to decide which vulnerabilities you want to scan for.
    2) The more plug-ins you enable, the longer (obviously) the scan takes.
    3) There are configuration steps for many of the plug-ins.
    4) Your users will still need to go to a login page in order to be scanned.
    5) You have to configure the remediation information (URL, steps, etc) for each plug-in you enable.
    From our viewpoint, the only reason we would enable the scanner is if we were looking for a specific vulnerability, perhaps a new threat that didn't yet have a patch. If it had a patch, we would watch for the patch using the agent (installed or web based).
    It was much easier for us to use the agent to scan their system and make sure that the MS critical hotfixes were installed and/or an AV system was installed and up to date. As mentioned, if there is a patch for a vulnerability, you can use the agent to make sure that specific hotfix is installed.
    Remember that there is also a web agent. The web agent is an ActiveX or Java (you pick which one you want to use) applet that is loaded onto the person's machine; the system is scanned, then the applet is unloaded.
    Of course, the agent is only for Microsoft (with some Mac options), so if you have Linux systems, the Nessus scanner would be your only option.

  • Enterprise Suite / WebSphere / Server Hang

    Hello everyone,
    We are running the entire Enterprise Suite v5.02 (portal, content, collab., studio, etc.) on a single machine.
    This is a development environment with very low concurrency (1 to 3 developers max). The server has 2.5 GB of RAM and 2 PIII 1.266 GHz processors. I have been told that this should be sufficient to support our small dev. team.
    We have had problems with the server occasionally (a couple of times per week) entering a "hung" state. It hangs to the point that we actually need to power off the machine. This is very troubling. This began happening with v5.01 and continues after the upgrade to v5.02.
    We are running all of the Plumtree EARs on WebSphere 4.07. Each EAR is hosted on its own application server.
    Our W2K admins have noted that there are quite a few java processes (java.exe) running. This is true since each application server runs in its own java process.
    Is it necessary to run each EAR on its own application server on this single WebSphere node? I would like to consolidate the EARs onto fewer application servers if possible but have been told that not all of the Enterprise Suite applications play nicely together. Does anyone have any experience in this area?
    Any advice is much appreciated. We don't really know what is causing the "hung" state and we cannot recreate it but it only happens when someone is actively using the portal.
    Thanks, Justin Robbins

    Gerald,
    Thanks much for the information.
    Based on your comments, is it fair to say that yes we can consolidate onto fewer application servers but it doesn't sound like this is the root of our server "hang" issue?
    Unfortunately, we are hitting a dead end here. We have pursued this with both Plumtree and WebSphere support and neither has found any glaring problems that may account for the issue. Granted, the fact that the box completely freezes and needs to be powered off makes it difficult to troubleshoot.
    Is it hardware, OS, WebSphere, or Plumtree software? The only thing we can say for sure is that the box is only being used for portal and the box only hangs when someone is actually hitting the portal through the browser. Too bad we can't easily recreate it.
    Any ideas are appreciated.
    Thanks, Justin

  • Cisco NAC Guest Server and shellshock

    Hello,
    We are running NAC server v2.0.2 and would like to know if it's vulnerable to Shellshock, as the bug report CSCur05629 isn't clear on this.

    Well, you will need to use a 3rd-party certificate. Here is a link to generate and install a 3rd-party certificate on the WLC for use with Web-Auth:
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml
    Here is a link for the NGS:
    http://tools.cisco.com/search/display?url=http%3A%2F%2Fwww.cisco.com%2Fen%2FUS%2Fdocs%2Fsecurity%2Fnac%2Fappliance%2Fconfiguration_guide%2F410%2Fcas%2Fcas41ug.pdf&pos=1&strqueryid=2&websessionid=RK88fQNWy8TCDUakpNGLOqZ
    The appliances are using a self-generated Cisco certificate, which of course is not in the trusted certificate store of most operating systems. So using a 3rd-party certificate from RapidSSL, Verisign, etc. will eliminate the certificate issue.

  • NAC guest server hangs and guest portal is not working

    Hi all,
    Our guest NAC server, a NAC3315, is often getting into a hung state, and our guest wireless network is not working. We are able to ping the NAC server, but the web page does not open for clients when they connect to the guest network.
    Any clue on this?
    Thanks!,
    Regards,
    Vijay.

    All actions within the Cisco NAC Guest Server are logged in the database. This enables you to see any action that occurred as part of the normal operating process of the application.
    To access the system log from the administration interface, select Server > System Log from the left-hand menu.
    Please check the error logs when troubleshooting NGS.

  • Cisco NAC 4.8 and Windows Server 2008 Enterprise 64bit SSO

    Hi,
    I am trying to set up SSO on Cisco NAC 4.8 and Windows Server 2008 Enterprise 64-bit, but I can't start the Active Directory SSO Service; it shows the error below. I see this error: "KDC has no support for encryption type (14)". Could anyone help me troubleshoot this problem?
    FQDN: active.test.com
    Domain Name : test.com
    User : ccasso
    2011-02-05 12:00:30.225 +0700 WARN  com.perfigo.wlan.jmx.adsso.GSSServer - Server was not running ...
    2011-02-05 12:00:30.225 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - Server starting server ...
    2011-02-05 12:00:30.225 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - Server is now running ...
    2011-02-05 12:00:30.225 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - GSSServer - SPN : [ccasso/[email protected]]
    2011-02-05 12:00:30.225 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - GSSServer - building kdc list for domain active.test.com
    2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - GSSServer - done building kdc list for domain active.test.com
    2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - GSSServer - KDC(s) :[10.0.240.100]
    2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - GSSServer - writeKrbFile: writing to file ../conf/krb.txt
    2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - GSSServer - writeKrbFile: wrote to file ../conf/krb.txt
    2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - GSSServer - creating login context ...
    2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - GSSServer - created login context ...javax.security.auth.login.LoginContext@5ad7b2
    2011-02-05 12:00:40.239 +0700 ERROR com.perfigo.wlan.jmx.adsso.GSSServer - Unable to start server ... KDC has no support for encryption type (14)
    2011-02-05 12:00:50.244 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - Notifying GSSServer status Stopped
    2011-02-05 12:00:50.244 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - server is exiting .

    Hi,
    This error means that your DC does not support the encryption method the ACS wants to use.
    Usually this happens when you run Server 2008 with 2003 functionality...
    You will need to run ktpass.exe according to the DC you are running:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cas/s_adsso.html#wp1277452.
    For Windows 2008 Server at 2003 Server functional level:
    ktpass -princ newadsso/[adserver.][email protected] -mapuser newadsso -pass PasswordText -out c:\newadsso.keytab -ptype KRB5_NT_PRINCIPAL
    HTH,
    Tiago
    If this helps you and/or answers your question, please mark the question as "answered" and/or rate it, so other users can easily find it.
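An added worked model of the negotiation behind this error, not code from Cisco NAC or from either poster. In RFC 4120 the number 14 in the message is the KRB-ERROR code KDC_ERR_ETYPE_NOSUPP: the KDC found no encryption type that both the requester offered and the account's keys support. The script below decodes the msDS-SupportedEncryptionTypes bit mask that ktpass -crypto and the account's Kerberos check boxes set, masks it with what the domain functional level can do (AES only exists from the 2008 level on), and picks a session etype the way a KDC would, returning 14 when there is no overlap. The assumption that the KDC takes the first etype in the client's list for which a key exists, the treatment of an unset attribute as RC4-only, and the scenario inputs are this example's own.

```python
"""Kerberos etype negotiation model for "KDC has no support for encryption type (14)".

Added example, not part of the thread. Assumption: the KDC answers with the
first etype in the client's preference list for which the account has a key
usable at the domain's functional level.
"""

# Bit flags of the AD attribute msDS-SupportedEncryptionTypes on the SSO
# service account (set by ktpass -crypto and the account's Kerberos AES/DES
# check boxes).
DES_CBC_CRC = 0x01
DES_CBC_MD5 = 0x02
RC4_HMAC = 0x04
AES128_CTS_HMAC_SHA1_96 = 0x08
AES256_CTS_HMAC_SHA1_96 = 0x10

# RFC 4120 KRB-ERROR code returned when no etype matches.
KDC_ERR_ETYPE_NOSUPP = 14

# Etype name -> attribute bit. The comment gives the IANA etype number used in
# krb5.conf-style files such as the CAS's ../conf/krb.txt.
FLAG_FOR_ETYPE = {
    "des-cbc-crc": DES_CBC_CRC,                          # etype 1
    "des-cbc-md5": DES_CBC_MD5,                          # etype 3
    "rc4-hmac": RC4_HMAC,                                # etype 23
    "aes128-cts-hmac-sha1-96": AES128_CTS_HMAC_SHA1_96,  # etype 17
    "aes256-cts-hmac-sha1-96": AES256_CTS_HMAC_SHA1_96,  # etype 18
}

# What each ktpass -crypto value leaves the account able to use.
KTPASS_CRYPTO = {
    "DES-CBC-CRC": DES_CBC_CRC,
    "DES-CBC-MD5": DES_CBC_MD5,
    "RC4-HMAC-NT": RC4_HMAC,
    "AES128-SHA1": AES128_CTS_HMAC_SHA1_96,
    "AES256-SHA1": AES256_CTS_HMAC_SHA1_96,
    "All": DES_CBC_CRC | DES_CBC_MD5 | RC4_HMAC
           | AES128_CTS_HMAC_SHA1_96 | AES256_CTS_HMAC_SHA1_96,
}

# A domain at the Windows Server 2003 functional level has no AES etypes.
LEGACY_2003_LEVEL_MASK = DES_CBC_CRC | DES_CBC_MD5 | RC4_HMAC
SERVER_2008_LEVEL_MASK = KTPASS_CRYPTO["All"]


def decode_mask(mask):
    """Set of etype names enabled by an msDS-SupportedEncryptionTypes value."""
    if mask == 0:
        # Assumption: an unset attribute is treated as RC4 only, the
        # pre-2008 default for ordinary accounts.
        mask = RC4_HMAC
    return {name for name, bit in FLAG_FOR_ETYPE.items() if mask & bit}


def negotiate(client_etypes, account_mask, domain_mask=SERVER_2008_LEVEL_MASK):
    """Pick the etype a KDC would use, or report the KRB-ERROR code.

    client_etypes: etype names in the requester's preference order (what the
                   CAS's Java GSS stack puts in its AS-REQ for the ccasso account).
    account_mask:  msDS-SupportedEncryptionTypes of that account.
    domain_mask:   etypes the domain functional level implements.
    Returns (etype, None) on success or (None, KDC_ERR_ETYPE_NOSUPP).
    """
    usable = decode_mask(account_mask & domain_mask)
    for etype in client_etypes:
        if etype in usable:
            return etype, None
    return None, KDC_ERR_ETYPE_NOSUPP


if __name__ == "__main__":
    aes_first = ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"]
    with_fallback = aes_first + ["rc4-hmac", "des-cbc-md5"]
    # Scenario inputs are constructed for illustration.
    print("AES-only client, 2003-level domain:",
          negotiate(aes_first, KTPASS_CRYPTO["All"], LEGACY_2003_LEVEL_MASK))
    print("client with RC4 fallback, 2003-level domain:",
          negotiate(with_fallback, KTPASS_CRYPTO["RC4-HMAC-NT"], LEGACY_2003_LEVEL_MASK))
    print("AES-only client, 2008-level domain, AES keytab:",
          negotiate(aes_first, KTPASS_CRYPTO["AES256-SHA1"]))
```

The first printed scenario is the shape of the failure in the log above: the requester offers only AES while the domain (or the account's keytab) cannot provide an AES key, so the KDC answers with error 14. Either adding an etype the domain supports to the requester's list or creating the keytab with a -crypto value the domain can honour restores the overlap.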

  • NCipher server not in operational mode : Cisco NAC

    One of the NAC servers got rebooted, and on restart I am getting the error "nCipher server not in operational mode. Please change the settings on the back of the card." Also the error "sshd server not running".
    Please let me know how to put the nCipher into operational mode and change the mode of the NAC to FIPS mode.
    It is very urgent. Please let me know the solution.
    Regards,
    Tarunava

    The Cisco NAC is a 3315 and the software version is 4.1.2.
    Below are the error logs.
    [root@PLHO_CAS_01 ~]# cd /perfigo/common/bin/
    [root@PLHO_CAS_01 bin]# ./test_fips.sh info
    Installed FIPS card is nCipher
    Info-FIPS file exists
    NFastApp_Connect failed: ServerNotRunning
    Error-card is not in operational mode
    Error-httpd worker is in Non FIPS  mode
    Error-sshd  not up
    System not in FIPS mode
    [root@PLHO_CAS_01 bin]#
    [root@PLHO_CAS_01 ~]# /etc/init.d/sshd start
    Starting sshd:WARNING: initlog is deprecated and will be removed in a future release
    key_load_private_pem: RSA_blinding_on failed
    Could not load host key: /root/.perfigo/sec/tomcat.key
    Disabling protocol version 2. Could not load host key
    sshd: no hostkeys available -- exiting.
    [FAILED]
    [root@PLHO_CAS_01 ~]# /etc/init.d/httpd start
    Starting httpd: Syntax error on line 167 of /etc/httpd/conf/httpd.conf:
    DocumentRoot must be a directory
    [FAILED]
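An added triage script, written for this page rather than taken from either post or from Cisco, that runs over the service start-up lines quoted in this post and in the "Cisco NAC Server" post above and separates the root failure from its consequences. It parses each "Starting <service>:" block with its [ OK ]/[FAILED] marker and then attributes a later failure to the nCipher hardserver when the hardserver itself failed and the later block mentions a key that could not be loaded or an NFastApp_Connect error. The dependency rule (that on this FIPS build the SSH host key and Tomcat key are loaded through the hardserver, so sshd cannot start without it) is an assumption labelled in the code; the httpd failure in the post is reported as independent because its only evidence is an httpd.conf syntax error. `SAMPLE_LOG` is an abbreviated copy of the posted output, constructed here for the example.

```python
"""Triage of CAS service start-up output: which failures follow from the
nCipher hardserver not running.

Added example, not from the posts. Assumption: on this FIPS build sshd's host
key (/root/.perfigo/sec/tomcat.key) and Tomcat's key are HSM-backed, so a
key-load failure while the hardserver is down is a consequence, not a cause.
"""

import re

# Abbreviated copy of the start-up lines quoted in the thread (constructed sample).
SAMPLE_LOG = """\
Starting nc_drivers:  /dev/nfastpci0
[  OK  ]
Starting nc_hardserver:  waiting for nCipher server to become operational ...
waiting for nCipher server to become operational ...
nCipher server did not start; see /opt/nfast/log/hardserver.log
[FAILED]
Starting sshd:WARNING: initlog is deprecated and will be removed in a future release
key_load_private_pem: RSA_blinding_on failed
Could not load host key: /root/.perfigo/sec/tomcat.key
sshd: no hostkeys available -- exiting.
[FAILED]
Starting xinetd: [  OK  ]
Starting httpd: Syntax error on line 167 of /etc/httpd/conf/httpd.conf:
DocumentRoot must be a directory
[FAILED]
Starting perfigo:  click: starting router thread pid 2092 (f7b7d340)
NFastApp_Connect failed: ServerNotRunning
"""

START_RE = re.compile(r"^Starting (\S+?):\s*(.*)$")
STATUS_RE = re.compile(r"\[\s*(OK|FAILED)\s*\]")

# Evidence that ties a later failure to the hardserver (assumption, see module docstring).
HSM_DEPENDENCY_HINTS = (
    "Could not load host key",
    "RSA_blinding_on failed",
    "NFastApp_Connect failed",
    "ServerNotRunning",
)


def parse_boot_log(text):
    """Return [{'service', 'status', 'details'}] in boot order.

    status is 'OK', 'FAILED', or 'UNKNOWN' when the block ended without a
    status marker (as the perfigo block does in the posted output).
    """
    services, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = START_RE.match(line)
        if m:
            current = {"service": m.group(1), "status": "UNKNOWN", "details": []}
            services.append(current)
            line = m.group(2)  # text after 'Starting x:' may carry the status itself
        if current is None or not line:
            continue
        s = STATUS_RE.search(line)
        if s:
            current["status"] = s.group(1)
        else:
            current["details"].append(line)
    return services


def attribute_failures(services):
    """Map each failed or degraded service to a root-cause verdict."""
    hsm_down = any(s["service"] == "nc_hardserver" and s["status"] == "FAILED"
                   for s in services)
    report = {}
    for s in services:
        text = " ".join(s["details"])
        hsm_hint = any(h in text for h in HSM_DEPENDENCY_HINTS)
        if s["service"] == "nc_hardserver" and s["status"] == "FAILED":
            report[s["service"]] = "root cause: nCipher hardserver not operational"
        elif s["status"] == "FAILED" and hsm_down and hsm_hint:
            report[s["service"]] = "consequence of nc_hardserver: HSM-backed key could not be loaded"
        elif s["status"] == "FAILED":
            first = s["details"][0] if s["details"] else "no detail logged"
            report[s["service"]] = "independent failure: " + first
        elif s["status"] == "UNKNOWN" and hsm_hint:
            report[s["service"]] = "degraded: reports hardserver not running"
    return report


if __name__ == "__main__":
    for name, verdict in attribute_failures(parse_boot_log(SAMPLE_LOG)).items():
        print(f"{name:14s} {verdict}")
```

On the sample the report names nc_hardserver as the root cause, sshd as a consequence of it, httpd as an independent configuration failure and perfigo as degraded, which is the order in which a practitioner would want to work the posted box: card and hardserver first, then sshd, then the httpd.conf DocumentRoot separately.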

  • NAC server is not available on the network

    I am doing a rollout of ISE 1.1.1. I am using NAC Agent 4.9.0.47 for posture checking Win7 x86 machines. Occasionally users are getting 'NAC server is not available.... try disconnecting and connecting to the network to start a new connection'. When I try to reproduce the issue it does not happen; it happens randomly here and there. What are the possible reasons for this issue? Since ISE is not getting the posture result, the machine remains in the posture check 'unknown' stage. I am halfway through the rollout and it is stopping me from rolling out further. If anybody knows, please advise.

    Hi,
    I had the same issue, and upgrading to 1.1.2 made the issue quiet down a bit. I have a few reported issues but haven't seen any in the past 2 weeks. Also, which supplicant is the client running, and do they see these on laptops or machines that have both wired and wireless connections?
    The reason I ask is that the native Windows supplicant tends to connect to both networks (wired and wireless); this can cause some problems with the NAC agent if the link for the wired or "the lower metric route" flaps.
    The bug Cisco provided me is related to CSCuc70607.
    Hope this helps,
    Tarik Admani
    *Please rate helpful posts*

  • Cisco NAC technical information

    Hello everyone,
    So I've been looking through the Cisco website trying to get information about Cisco NAC (at the request of my boss, the IT team leader). Unfortunately, all the information about NAC on this website is geared towards supervisors and purchasing authorities; I haven't been able to find any sort of real technical data, just a bunch of sales mumbo-jumbo. I know a lot about what it can do, but nothing about how it does it.
    I would like to know how this system would interact with my network. I'm newly in charge of an almost pure Cisco network consisting of a couple dozen Catalyst 2950 switches and 3 Catalyst 3750 stacks in various positions throughout the network.
    Our network uses a star topology, meaning all the switches tend to radiate from the central Layer 3 switches (the 3750s), so we don't, at the moment, have any sort of redundancy like in the Cisco-recommended core-distribution-access topology. We want to get to that point sometime in the future.
    Anyway, I'd like to know how I can integrate Cisco NAC into my existing network. How would it connect and where? How does it regulate access? Do all computers require some kind of client to be installed? How does it regulate VLANs (of which we have about 50)?
    Like I said, we want to basically overhaul our network sometime in the future, but I'm not really counting on it happening soon, so I'd like to know how NAC would be implemented in our current network so that we may be able to enjoy some of those benefits right away.

    My explanations / answers are not authoritative but should provide some general idea about things you could accomplish with this product.
    1.) Since you are basically all Cisco you will probably use an out-of-band solution. This allows the NAC to "manage" your switch ports. As the sales literature suggests it's about mapping users/ips/macs to roles and allowing access based on the role. Example would be new device plugs in to a perm switch. You require that all machines have AV, New Defs, and Latest Updates. The client would use the agent to validate it has met these requirements. If not the agent may recommend (at your pref) how to meet the given requirement - I personally like the idea of providing links to pages where they can find information on fixing the issue. Once the 3 requirements are met you allow the system access to your network on a given vlan in a specific role.
    2.) Again, because your switches are all Cisco you have many options. Primarily in-band vs out-of-band. I have very little doubt you would choose out-of-band with the description of your topology given above.
    3.) Connection would be 2 ports on your 3750 stack.
    4.) It regulates traffic by performing requirements checks and by mapping machines to a given role. That role is allowed to do certain activities on your network. I kind of think of role management like a firewall of sorts. Once you are authenticated to a given role you are allowed to do things like surf the internet or FTP to an internal server. Each role could be given different access ability.
    5.) Technically no machines "require" a client to be installed. You can use a combination of web login with scanning and/or Cisco agent installations. For Linux machines no agent is currently available to my knowledge. For Macs and PCs the agent (once installed) seems to make access simpler.
    6.) Vlan regulation depends on the type of install you choose. For example you may map vlans.
    Hope that helps.
    Greg W.

  • Cisco NAC and Microsoft NAP

    Dear all,
    I need to know what the differences are between Cisco NAC and Microsoft NAP.
    Can NAP be used instead of NAC or not? Why or why not?

    I really do not know if you will find the answer that you are looking for. From what I remember, NAP was an option that was available with ACS via a special patch. This is only supported for Vista clients, if memory serves me correctly.
    Here is the link that will help you with the basics.
    http://www.cisco.com/en/US/netsol/ns466/index.html
    We do not get much case volume or exposure to the NAP solution, and with ACS 5.2 and ISE around the corner it might be too late to go through this setup and then run into issues with ACS 4.2 possibly hitting EoL/EoS.
    Thanks,
    Tarik

  • Cisco nac access control

    Dear All,
    I have deployed a Cisco NAC solution in in-band virtual gateway mode. Everything is working fine. The issue is that I want to restrict intranet server access. Usually there is a web server configured on it and users can access it by typing http://intranet. There are also shared resources on it.
    I want certain users to be able to access the shared resources but not access the intranet by typing http://intranet. I created access rules in traffic control to deny the TCP protocol from the specified source to the destination IP address of the server on port 80 and permit everything else. Users continue to access both resources.
    Since it was not working, I created an access list on the L3 3560 switch to deny connections to 172.31.0.3:80 and permit everything else, and applied it to the users' VLAN SVI. Still it does not work.
    How can I make it happen? Please help.
    Thanks

    Yes sir. Check this link for supported devices with Cisco ISE:
    http://www.cisco.com/en/US/docs/security/ise/1.0.4/compatibility/ise104_sdt.html
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    ‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

  • How Cisco NAC and Cisco NAC Agent works

    HI,
    Can anyone help by explaining in detail how Cisco NAC works in L2 OOB mode?
    Also, what is the path from the time the end user connects to the network until he gets access to the network?
    Please reply soon. It's urgent.

  • How to find out the info regarding Solaris, server hang or shutdown.

    Hi
    I am handling a Solaris 9 server remotely.
    Last week the server suddenly stopped responding; we tried ping and ssh, which were not working. Ultimately we asked the Data Centre team to hard reboot it, which resolved the issue.
    In the same regard, I would like to know how we can find out the reason, i.e. what caused it, from any log file, etc.
    I have checked /var/adm/messages but did not find any details.
    Thanks
    Rajan

    No core files?
    No hope for an answer.
    As you learned in the other Internet forum.
    http://www.linuxquestions.org/questions/solaris-opensolaris-20/how-to-find-out-the-info-regarding-solaris-server-hang-or-shutdown.-621500/
    To get such core files analyzed, you would need to use your service contract and log a support case with Sun.
    They have the special software tools to do that.
