Bingo. I just worked with TAC via a web meeting and this is exactly what was wrong. My untrusted and trusted side service IPs were, in fact, different.
On 5/13/08 8:48 AM, "David Pifer" <[EMAIL PROTECTED]> wrote:

> I just had a TAC case on this same issue after upgrading the system from
> 4.1.1 to 4.1.3.1. Turns out that if you have the IP the same on both
> interfaces and you are running in HA Failover mode you have to go to the
> CAS config page and set the ip address of the Trusted and untrusted side
> to the same service ip address. It won't start the service ports and will
> behave exactly like you say. We set this and rebooted and suddenly life
> was happy.
>
>
> David L. Pifer - N9YNF - CCNA
> Network Engineering Services
> Indiana State University, Office of Information Technology
> 210 N. 7th St., Rankin Hall R044, Terre Haute, IN 47809
> 812.237.2923 office 812.237.4361 fax
>
>
>>>> "Stempien, Dave" <[EMAIL PROTECTED]> 5/13/2008 07:57 >>>>
> The switch is configured as a managed device, and the CAM and CAS are on
> different subnets.
>
> I am able to authenticate via a web browser by opening up the IP address of
> the CAS manually, and everything else seems to work as expected (switch port
> VLAN reconfiguration/bounce/etc.) The web redirection isn't happening, nor
> is the client automatically popping up. Via tcpdump, I'm seeing the SWISS
> packets arriving on the untrusted interface of the CAS.
>
> Still stumped...
>
> On 5/13/08 7:37 AM, "Northcutt, Kevin A. (Information Services)"
> <[EMAIL PROTECTED]> wrote:
>
>> Are they all on different subnets?
>>
>> -----Original Message-----
>> From: Cisco Clean Access Users and Administrators
>> [mailto:[EMAIL PROTECTED] On Behalf Of Osborne, Bruce W. (NS)
>> Sent: Thursday, May 08, 2008 4:25 PM
>> To: [email protected]
>> Subject: Re: L2 OOB Virtual Gateway Configuration Problem
>>
>> Have you configured your switch as a managed device?
>>
>> -----Original Message-----
>> From: Cisco Clean Access Users and Administrators
>> [mailto:[EMAIL PROTECTED] On Behalf Of David Stempien
>> Sent: Thursday, May 08, 2008 4:14 PM
>> To: [email protected]
>> Subject: [CLEANACCESS] L2 OOB Virtual Gateway Configuration Problem
>>
>> I have exhausted my troubleshooting options for what should be a
>> simple configuration. I am trying to add a new CAS as a L2 OOB
>> Virtual Gateway. I've configured L2 IB Virtual Gateways many times
>> with no problem. It appears the configuration in OOB mode is very
>> similar to the IB. Here's what I've done:
>>
>> - Added CAS to CAM as L2 OOB Virtual Gateway
>> - Under managed subnet, added IP for untrusted VLAN
>> - Configured VLAN Mapping for untrusted -> trusted VLANs
>>
>> DHCP passthrough works just fine. I can do everything on my test host
>> as permitted by my Unauthenticated Role. On my test host, I even have
>> ARP resolution for the managed subnet IP on the CAS.
>>
>> For the life of me, I can't figure out why the agent is not popping up
>> or why web page redirection isn't happening. It's almost as if the
>> CAS is not seeing my host traffic, or maybe it's just ignoring it. I
>> find that hard to accept given my observations in the previous
>> paragraph.
>>
>> Is there something special about the OOB configuration that I may have
>> overlooked?
>>
>> Thanks in advance for any advice!
>>
>> --
>> Dave Stempien, Network Security Engineer
>> University of Rochester Medical Center
>> Information Systems Division
>> (585) 784-2427
>
