rickardsv
Participant

Problem with traffic from standby member to RADIUS

Hi,

We are having some issues with RADIUS authentication from the standby member in a cluster that consists of two Open Server nodes (VMware virtual machines) running R80.40.

Both nodes have RADIUS server authentication configured, but it is only possible to log in to the active node.
If we switch roles from active to standby, the other node that becomes active works.

We have traced the traffic, and it goes from the standby node via the active node to the RADIUS server.
The RADIUS server is responding back to the cluster IP and this is visible on the active node, but then no return traffic is visible on the standby.

The following steps have been made in attempts to correct the issue:

In VMware, disable Forged MAC Address on the Sync portgroup.

We have tried to toggle these kernel parameters:

fwha_cluster_hide_active_only
fwha_silent_standby_mode
fwha_forw_packet_to_not_active

But no difference at all; no reboot was made, we just toggled the flags on the fly.

Any suggestions on how to further check this issue are welcome 🙂

Thanks

//Rickard

5 Replies
Sorin_Gogean
Advisor

Hey,

We're also using RADIUS (Cisco ISE) to authenticate/authorize access on the appliance.
As far as I know we don't have any issue, as we have the appliances registered in ISE by LAN IP and Management IP address.

Also, I see you have them as virtual machines; our virtual ones are single appliances, so no HA there and no RADIUS problem either.

When you try to perform a RADIUS authentication on the secondary box, can you also have an SSH session open (in expert mode maybe) and run a tcpdump on LAN/Management towards the RADIUS IP and see what you get there?

I would say it's normal to see traffic in the ACTIVE box, as you would route through that one towards the RADIUS server; not sure on your set-up.

ty,

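As an added example (not code from any poster in this thread), a small Python script that correlates RADIUS Access-Request and Accept/Reject lines from two tcpdump captures, one taken on the active member and one on the standby, and lists the request ids that the server answered (reply visible on the active member) but whose reply never showed up on the standby. The capture lines, addresses, ports and ids are constructed sample values in tcpdump's default summary format.

```python
import re

# tcpdump default summary line for RADIUS on UDP/1812, as printed by
# "tcpdump -nni <iface> udp port 1812" in expert mode. Sample lines below are constructed.
RADIUS_LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"RADIUS, (?P<code>Access-Request|Access-Accept|Access-Reject|Access-Challenge) \(\d+\), "
    r"id: (?P<id>0x[0-9a-f]+)"
)

# Constructed capture from the active member: its own login (id 0x3d) and the
# standby member's request (id 0x3e) leaving with the cluster VIP 192.0.2.10 as source.
ACTIVE_CAPTURE = [
    "10:00:01.000100 IP 192.0.2.10.49152 > 198.51.100.5.1812: RADIUS, Access-Request (1), id: 0x3d, length: 120",
    "10:00:01.002300 IP 198.51.100.5.1812 > 192.0.2.10.49152: RADIUS, Access-Accept (2), id: 0x3d, length: 40",
    "10:00:05.000100 IP 192.0.2.10.49153 > 198.51.100.5.1812: RADIUS, Access-Request (1), id: 0x3e, length: 120",
    "10:00:05.002300 IP 198.51.100.5.1812 > 192.0.2.10.49153: RADIUS, Access-Accept (2), id: 0x3e, length: 40",
]
# Constructed capture from the standby member: the request leaves, no reply ever comes back.
STANDBY_CAPTURE = [
    "10:00:05.000000 IP 192.0.2.12.49153 > 198.51.100.5.1812: RADIUS, Access-Request (1), id: 0x3e, length: 120",
]


def parse_radius(lines):
    """Keep only RADIUS summary lines and return their parsed fields."""
    return [m.groupdict() for m in map(RADIUS_LINE.match, lines) if m]


def unanswered(lines):
    """Ids seen as Access-Request with no Accept/Reject/Challenge for that id afterwards."""
    pending = {}
    for pkt in parse_radius(lines):
        if pkt["code"] == "Access-Request":
            pending[pkt["id"]] = pkt
        else:
            pending.pop(pkt["id"], None)
    return sorted(pending)


def lost_on_standby(active_lines, standby_lines):
    """Requests the server answered (reply visible on the active member) whose reply
    never reached the standby: the symptom in this thread. Requests unanswered on
    both members are excluded, since then the server itself never replied."""
    return sorted(set(unanswered(standby_lines)) - set(unanswered(active_lines)))


if __name__ == "__main__":
    for rid in lost_on_standby(ACTIVE_CAPTURE, STANDBY_CAPTURE):
        print(f"RADIUS id {rid}: reply seen on active member, missing on standby")
```

With real captures, read each member's tcpdump output into a list of lines and pass them to lost_on_standby in place of the constructed samples.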
rickardsv
Participant

Hi,

Yes, as far as I understand the traffic flow is as expected.

But the problem is that return traffic does not seem to reach the standby.

If we listen for traffic at the RADIUS server, we see traffic from the active node with the cluster IP as source, and the return.

Sorin_Gogean
Advisor

"If we listen for traffic at Radius we see traffic from Active node with cluster IP as source and return." - sorry, but you have something WRONG there.
If I ask for RADIUS auth from the standby, then the RADIUS server should see the packet coming from the standby appliance (IP address).

Several details are missing, as you should not route standby traffic over the ACTIVE GW, unless you have some weird routing/set-up and some NAT in place; that would explain you seeing the active node IP on a secondary node return.

So can you sketch something in Paint: how are things connected and what communicates with what?

ty,


What network/interface is the Radius server located on/via relative to the firewall?

When configuring the above kernel parameters did you also adjust your NAT policy to compensate?

For the Radius configuration what "NAS IP Address" value is set and what is ISE configured to allow? 

PhoneBoy
Admin

What JHF are you on?
I'd ensure you're on at least the latest GA JHF.
See: https://sc1.checkpoint.com/documents/Jumbo_HFA/R80.40/R80.40/R80.40_Downloads.htm?tocpath=_____3 
