Cisco NAC3350-PROF-K9 Hardware Installation Guide - Page 138



4-18
Cisco NAC Appliance Hardware Installation Guide
OL-20326-01

Chapter 4 Configuring High Availability (HA)
Installing a Clean Access Server High Availability Pair

Note You must use identical appliances (e.g., NAC-3350 and NAC-3350 or NAC-3315 and NAC-3315) in order to configure High Availability (HA) pairs of Clean Access Managers (CAMs) or Clean Access Servers (CASs).

CAS High Availability Overview

Caution CAM-CAS communication and HA-CAM and/or HA-CAS peer communication can break down and adversely affect network functionality when SSL certificates expire. Refer to the caveat CSCtb43264 in Release Notes for Cisco NAC Appliance, Version 4.8. For more information, see the “HA Active-Active Situation Due to Expired SSL Certificates” section of the Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.8(3).

Note Cisco NAC network modules installed in Cisco Integrated Services Routers (ISRs) do not support high availability.

The following key points provide a high-level overview of HA-CAS operation:

• The Clean Access Server high-availability mode is an Active/Passive two-server configuration in which a standby CAS machine acts as a backup to an active CAS machine.

• The active CAS performs all tasks for the system. Since most of the CAS configuration is stored on the CAM, when CAS failover occurs, the CAM pushes the configuration to the newly-active CAS.

  Note If you use the Authorization feature in a CAS HA-pair, follow the guidelines in “Backing Up and Restoring CAM/CAS Authorization Settings” in the Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.8 to ensure you are able to exactly duplicate your Authorization settings from one CAS to its high availability counterpart.

• Clean Access Managers and Clean Access Servers use a local master secret password to encrypt and protect important data, like other system passwords. The master secret password needs to be the same for a CAM-HA pair. Cisco recommends keeping very accurate records of assigned master secret passwords to ensure that you are able to fail over to the HA peer CAM/CAS in HA deployments. (HA-Secondary CAMs/CASs are not able to assume the “active” role following a failover event when the master secret passwords are different.)

• The standby CAS does not forward any packets between its interfaces.

• The standby CAS monitors the health of the active CAS via a heartbeat interface (serial and one or more UDP interfaces). Heartbeat packets can be sent on the dedicated eth2 interface, the dedicated eth3 interface, or the eth0/eth1 interface (if no eth2 or eth3 interface is available).

• The primary and secondary CAS machines exchange UDP heartbeat packets every 2 seconds. If the heartbeat timer expires, stateful failover occurs.

• In addition to heartbeat-based failover, the CAS also provides link-based failover based on eth0 or eth1 link failure. The CAS sends ICMP ping packets to an external IP address via the eth0 and/or eth1 interface. Failover will occur if only one CAS can ping the external addresses.
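The failover rules listed above, worked through as an added Python model that is not part of Cisco's documentation or NAC Appliance software. It encodes what the page states: heartbeats every 2 seconds, stateful failover when the heartbeat timer expires, link-based failover only when exactly one CAS (the standby) can reach the external address, and a standby that cannot assume the active role when the master secrets differ. The 6-second timeout, the representation of the ICMP probe as a boolean, and the scenario data are assumptions constructed for the example.

```python
"""Decision model for CAS Active/Passive failover (constructed example, not Cisco code)."""
from dataclasses import dataclass
from typing import Dict
import hashlib
import hmac

HEARTBEAT_INTERVAL_S = 2.0  # stated on the page: UDP heartbeat exchanged every 2 seconds
HEARTBEAT_TIMEOUT_S = 6.0   # ASSUMPTION: three consecutive missed heartbeats expire the timer


@dataclass
class CasPeer:
    name: str
    master_secret: str        # local master secret configured on this appliance
    last_heartbeat_at: float  # observer-clock seconds when its last heartbeat arrived
    external_ping_ok: bool    # latest result of the ICMP probe to the external address


@dataclass
class Decision:
    failover: bool
    reason: str


def secrets_match(a: CasPeer, b: CasPeer) -> bool:
    """Constant-time comparison of the two master secrets via their SHA-256 digests."""
    da = hashlib.sha256(a.master_secret.encode()).digest()
    db = hashlib.sha256(b.master_secret.encode()).digest()
    return hmac.compare_digest(da, db)


def heartbeat_expired(active: CasPeer, now: float, timeout: float = HEARTBEAT_TIMEOUT_S) -> bool:
    """True when the standby has not heard from the active CAS within the timeout."""
    return (now - active.last_heartbeat_at) > timeout


def link_failover_needed(active: CasPeer, standby: CasPeer) -> bool:
    """Link-based rule from the page: fail over only when exactly one CAS can ping the
    external address and that CAS is the standby. If both fail, the fault is upstream
    of both appliances and swapping roles would not help; if only the active succeeds,
    it is the healthy one and keeps its role."""
    return standby.external_ping_ok and not active.external_ping_ok


def decide_failover(active: CasPeer, standby: CasPeer, now: float) -> Decision:
    """Apply heartbeat-based, then link-based failover, then the master-secret precondition."""
    if heartbeat_expired(active, now):
        needed, why = True, "heartbeat timer expired on the active CAS"
    elif link_failover_needed(active, standby):
        needed, why = True, "link-based failover: only the standby can ping the external address"
    elif not active.external_ping_ok and not standby.external_ping_ok:
        needed, why = False, "both peers lost external reachability; treated as an upstream fault"
    else:
        needed, why = False, "active CAS is healthy"
    if needed and not secrets_match(active, standby):
        # The page states an HA-Secondary cannot assume the active role when the
        # master secret passwords differ, so a required failover is blocked here.
        return Decision(False, f"{why}, but failover is blocked: master secret mismatch")
    return Decision(needed, why)


def run_scenarios() -> Dict[str, Decision]:
    """Constructed scenarios; 'now' is an arbitrary observer timestamp in seconds."""
    now = 100.0
    fresh = now - HEARTBEAT_INTERVAL_S      # heartbeat seen one interval ago
    stale = now - 4 * HEARTBEAT_TIMEOUT_S   # well past the heartbeat timer
    return {
        "healthy": decide_failover(
            CasPeer("cas-a", "s3cret", fresh, True), CasPeer("cas-b", "s3cret", fresh, True), now),
        "heartbeat_loss": decide_failover(
            CasPeer("cas-a", "s3cret", stale, True), CasPeer("cas-b", "s3cret", fresh, True), now),
        "active_link_down": decide_failover(
            CasPeer("cas-a", "s3cret", fresh, False), CasPeer("cas-b", "s3cret", fresh, True), now),
        "standby_link_down": decide_failover(
            CasPeer("cas-a", "s3cret", fresh, True), CasPeer("cas-b", "s3cret", fresh, False), now),
        "upstream_outage": decide_failover(
            CasPeer("cas-a", "s3cret", fresh, False), CasPeer("cas-b", "s3cret", fresh, False), now),
        "secret_mismatch": decide_failover(
            CasPeer("cas-a", "s3cret", stale, True), CasPeer("cas-b", "other", fresh, True), now),
    }


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name:18s} failover={decision.failover!s:5s} {decision.reason}")
```

The ordering matters for operations: a lost heartbeat is always decisive, the link check only fires when the standby alone has external reachability (so an upstream outage that blinds both appliances does not cause a pointless role swap), and the master-secret check is evaluated last so that a blocked failover is reported with the condition that triggered it, which is the record you want when reconciling recorded master secrets after an incident.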