Cisco NAC3350-PROF-K9 Hardware Installation Guide - Page 129

Serial Connection, Configure the HA-Primary CAM


Cisco NAC Appliance Hardware Installation Guide, OL-20326-01, page 4-9

Chapter 4: Configuring High Availability (HA)
Installing a Clean Access Manager High Availability Pair

Serial Connection

By default, the first serial port detected on the CAM server is configured for console input/output (to facilitate installation and other types of administrative access).

If the machine has only one serial port (COM1 or ttyS0), you can reconfigure the port to serve as the high-availability heartbeat connection. This is because, after the CAM software is installed, SSH or KVM console can always be used to access the command line interface of the CAM.

Note: When the primary eth1 link has been disconnected and only the serial link remains, the CAM returns a database error indicating that it cannot sync with its HA counterpart, and the administrator sees the following error in the CAM web console: "WARNING! Closed connections to peer [standby IP] database! Please restart peer node to bring databases in sync!!"

Caution: To help prevent a potential network security threat, Cisco strongly recommends physically disconnecting from the Cisco NAC console management port when you are not using it. For more details, see http://seclists.org/fulldisclosure/2011/Apr/55, which applies to the Cisco ISE, Cisco NAC Appliance, and Cisco Secure ACS hardware platforms.

Warning: When connecting high availability (failover) pairs via serial cable, BIOS redirection to the serial port must be disabled for Cisco NAC Appliance CAMs/CASs and any other server hardware platform that supports the BIOS redirection to serial port functionality. See Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access) for more information.

Configure the HA-Primary CAM

Once you have verified the prerequisites, perform the following steps to configure the Clean Access Manager as the HA-Primary for the high availability pair. See Figure 4-4 for an example high-availability configuration.

Step 1. Open the web admin console for the Clean Access Manager to be designated as the HA-Primary, and go to Administration > CCA Manager > SSL > X509 Certificate to configure the SSL certificate for the primary CAM.

Note: The HA configuration steps in this chapter assume that a temporary certificate will be exported from the HA-Primary CAM to the HA-Secondary CAM.

If using a temporary certificate for the HA pair:

a. Click Generate Temporary Certificate, enter information for all of the fields in the form, and click Generate. The certificate must be associated with the Service IP addresses of the HA pair.
b. When finished generating the temporary certificate, click the checkboxes for the certificate and Private Key to highlight them in the table.
c. Click Export to save the certificate and Private Key to your local machine. You must import the certificate and Private Key later when configuring the HA-Secondary CAM.
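A pre-import check for the pair exported in steps a to c, as an added example that is not part of the Cisco guide: it confirms that the private key belongs to the certificate, that the certificate names the Service IP, and that the exported key file is not readable by other local users. It assumes PEM-encoded files and that the Service IP appears as the subject CN or an IP subjectAltName; the function names, file names and the 192.0.2.10 address are hypothetical.

```sh
#!/bin/sh
# Added example: checks to run on an exported certificate / private key pair
# before importing it on the HA-Secondary CAM.
# Assumptions (not from the guide): both files are PEM, and the Service IP
# appears as the certificate subject CN or as an IP subjectAltName.

# Usage: check_ha_pair CERT_FILE KEY_FILE SERVICE_IP ; returns 0 if all pass.
check_ha_pair() {
    cert=$1; key=$2; ip=$3; rc=0

    # 1. The key must belong to the certificate: compare the public keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: private key does not match certificate"; rc=1
    fi

    # 2. The certificate must name the Service IP (subject CN or IP SAN).
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 2>/dev/null |
         sed -n 's/.*CN=\([^,]*\).*/\1/p')
    san=$(openssl x509 -in "$cert" -noout -checkip "$ip" 2>/dev/null)
    case "$san" in *"does match"*) san_ok=1 ;; *) san_ok=0 ;; esac
    if [ "$cn" != "$ip" ] && [ "$san_ok" -eq 0 ]; then
        echo "FAIL: certificate is not issued for Service IP $ip (CN=$cn)"; rc=1
    fi

    # 3. The exported key sits on a workstation: no group/other access bits.
    perms=$(ls -ld "$key" 2>/dev/null | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FAIL: $key is accessible to group/other ($perms)"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: pair is consistent for $ip"
    return "$rc"
}

# Constructed sample input: a throwaway self-signed pair (192.0.2.0/24 is a
# documentation range), standing in for the files exported from the CAM.
make_sample_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/ha.key" -out "$1/ha.crt" 2>/dev/null && chmod 600 "$1/ha.key"
}

# Run as: sh check_ha_pair.sh ha.crt ha.key 192.0.2.10
if [ "$#" -eq 3 ]; then check_ha_pair "$@"; fi
```

Run it against both the exported copy and the copy staged for the HA-Secondary CAM; a mismatch in check 1 usually means the certificate and key were exported from different generations of the temporary certificate.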

