Cisco NAC3350-PROF-K9 Hardware Installation Guide - Page 132


Chapter 4: Configuring High Availability (HA)
Installing a Clean Access Manager High Availability Pair

Step 9   (Optional) If you want to enable the CAM's Heartbeat UDP Interface 3 function, select eth2 or eth3 from the dropdown menu and specify an associated peer IP address in the [Secondary] Heartbeat IP Address on interface 3 field. Otherwise, leave this N/A if not using the additional UDP heartbeat interface.

Note: Cisco strongly recommends you do not use the serial interface on the NAC-3315/3355/3395 for the HA heartbeat function. Although this element still appears in the CAM web console, the Heartbeat Serial Interface feature is being deprecated in a future Cisco NAC Appliance release. (The associated Heartbeat Timeout value remains a valid configuration point, however, for deployments using optional Heartbeat UDP interfaces 2 and 3.)

Step 10  Specify the Heartbeat Timeout value for the HA primary CAM to set the duration the CAM should wait before declaring that it has lost communication with its HA peer, thus assuming the role of the active CAM in the HA pair. The default Heartbeat Timeout value is 30 seconds.

Note: Starting from Cisco NAC Appliance Release 4.6(1), the Heartbeat Timeout default value has been increased to 30 seconds to help accommodate CAM HA peers located in relatively distant locations on the network, where latency issues might cause a standby HA CAM to assume the active role when it has not received heartbeat packets from its HA peer within the specified Heartbeat Timeout period. In the resulting network scenario, you could potentially end up with two "active" CAMs performing Cisco NAC Appliance functions, requiring you to reboot both CAMs to re-establish the correct primary/secondary HA peer relationship.

Step 11  Click Update and then Reboot to restart the Clean Access Manager.

After the Clean Access Manager restarts, make sure that the CAM machine is working properly. Check to see if the Clean Access Servers are connected and new users are being authenticated.

Configure the HA-Secondary CAM

Step 1   Open the web admin console for the Clean Access Manager to be designated as the HA-Secondary, and go to Administration > CCA Manager > SSL > X509 Certificate.

Step 2   Before starting:
  • Back up the secondary CAM's private key.
  • Make sure the private key and SSL certificate files associated with the Service IP/HA-Primary CAM are available (previously exported as described in Configure the HA-Primary CAM, page 4-9).

Step 3   Import the HA-Primary CAM's private key file and certificate as described below:

If using a temporary certificate for the HA pair:
  a. Click Browse and navigate to the location on your local machine where you have saved the temporary certificate and Private Key you previously exported from the HA-Primary CAS.
  b. Select the certificate file and click Import.
  c. Repeat the process to import the Private Key.

4-12 Cisco NAC Appliance Hardware Installation Guide OL-20326-01
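
The reasoning in the Step 10 note, as an added example (a simplified model, not Cisco code and not part of the original guide): a standby that promotes itself when no heartbeat arrives within the timeout cannot tell a disrupted link from a failed peer. The heartbeat interval, network delay, both scenarios and the 15-second comparison value are constructed assumptions; only the 30-second default comes from the guide.

```python
"""Simplified model of a standby HA peer's heartbeat-timeout decision.
Added illustration only: not Cisco NAC Appliance code; all timings are constructed."""
from typing import Optional, Sequence

INTERVAL = 5.0   # assumed seconds between heartbeats (hypothetical value)
DELAY = 0.5      # assumed one-way network delay in seconds (hypothetical value)

def arrival_times(delays: Sequence[Optional[float]], interval: float = INTERVAL) -> list:
    """Heartbeat i is sent at i*interval and arrives delays[i] later; None = lost."""
    return sorted(i * interval + d for i, d in enumerate(delays) if d is not None)

def takeover_time(arrivals: Sequence[float], timeout: float, horizon: float) -> Optional[float]:
    """Time at which the standby declares its peer lost, or None if it never does."""
    last_seen = 0.0
    # The horizon is appended as a sentinel so trailing silence is also checked.
    for t in list(arrivals) + [horizon]:
        if t - last_seen > timeout:
            return last_seen + timeout
        last_seen = t
    return None

def outcome(delays, timeout: float, peer_alive: bool, horizon: float = 60.0) -> str:
    """Classify what the HA pair ends up doing for one scenario."""
    t = takeover_time(arrival_times(delays), timeout, horizon)
    if t is None:
        return "standby stays standby"
    if peer_alive:
        # The peer never stopped serving, so both CAMs now consider themselves active.
        return f"split-brain at t={t}s: two active CAMs"
    return f"failover at t={t}s"

# Constructed scenario A: peer stays healthy, but heartbeats 4-7 are lost in transit.
LINK_BLIP = [DELAY] * 4 + [None] * 4 + [DELAY] * 4
# Constructed scenario B: peer really fails after sending its fourth heartbeat.
PEER_DOWN = [DELAY] * 4 + [None] * 8

if __name__ == "__main__":
    # 15.0 is a constructed shorter value for comparison; 30.0 is the guide's default.
    for timeout in (15.0, 30.0):
        print(timeout, "| link blip:", outcome(LINK_BLIP, timeout, peer_alive=True))
        print(timeout, "| peer down:", outcome(PEER_DOWN, timeout, peer_alive=False))
```

The longer timeout rides out the 25-second heartbeat gap without a second active CAM, at the cost of a later takeover when the peer has genuinely failed.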

