Specifications

14-21
Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 14 Administering the CAM
Manage CAM SSL Certificates
Troubleshooting Certificate Issues
Issues can arise during Cisco NAC Appliance certificate management, particularly if there are
mismatched SSL certificates somewhere along the certificate chain. Common problems on SSL
certificates can be time-oriented (if the clocks are not synchronized on the CAM and CAS,
authentication fails), IP-oriented (certificates are created for the wrong interface) or
information-oriented (wrong or mistyped certificate information is imported). This section describes the
following:
HA Active-Active Situation Due to Expired SSL Certificates
No Web Login Redirect/CAS Cannot Establish Secure Connection to CAM
Private Key in Clean Access Server Does Not Match the CA-Signed Certificate
Regenerating Certificates for DNS Name Instead of IP
Disabling Administrator Prompt for Certificate on IE 8 and 9
Certificate-Related Files
Warning
If your previous deployment uses a chain of SSL certificates that is incomplete, incorrect, or out of
order, CAM/CAS communication may fail after upgrade to release 4.5 and later. You must correct your
certificate chain to successfully upgrade to release 4.5 and later. For details on how to fix certificate
errors on the CAM/CAS after upgrade to release 4.5 and later, refer to the How to Fix Certificate Errors
on the CAM/CAS After Upgrade Troubleshooting Tech Note.
HA Active-Active Situation Due to Expired SSL Certificates
HA communication for both HA-CAMs and HA-CASs is handled over IPSec tunnels to secure all
communications between the two HA pair appliances. This IPSec tunnel is negotiated based on the SSL
certificates uploaded to the HA pairs for both CAM and CAS. In case the SSL certificates are not trusted
by the two HA peers, have expired, or are no longer valid, the HA heartbeat communication between the
two HA pairs breaks down, leading both HA pair appliances to assume the Active (HA-Primary) role.
For CASs deployed in VGW mode, this can potentially create a Layer 2 loop that could bring down the
network. HA-CAMs with expired or invalid SSL certificates could lead to an Active-Active situation
where the database is not synced between the two HA-CAM appliances. Eventually, this situation leads
to the CAMs losing all recent configuration changes and/or all recent user login information following
an HA-CAM failover event.
As HA communication over IPSec tunnels requires valid SSL certificates on both the CAM and CAS,
the CAM-CAS communication also breaks down if the SSL certificate expires on either the CAM or
CAS. This situation leads to end user authentication failures and the CAS reverting to fallback mode
per CAS configuration.
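The expiry, wrong-interface and key-mismatch problems described above can be caught before a certificate is uploaded to a CAM or CAS. The following checks are an added example for this guide, not Cisco tooling; they assume the openssl command line is installed and that the certificate file, its private key file and the address the appliance interface uses (192.0.2.10 and cam.example.net below are constructed values) are at hand.

```shell
#!/bin/sh
# Added example (not part of the Cisco guide): pre-upload checks for a
# CAM/CAS SSL certificate. Assumes the openssl CLI is available.
#   1. time-oriented  : certificate must not expire within a safety window
#   2. IP-oriented    : subject CN or a SAN entry must equal the interface
#                       address (IP or DNS name) the appliance answers on
#   3. key mismatch   : the private key must belong to the certificate
#                       ("Private Key ... Does Not Match the CA-Signed Certificate")

# Returns 0 if the certificate is still valid $2 seconds from now (default 0).
cert_not_expiring() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# Returns 0 if the subject CN (RFC 2253 form, CN first) or a SAN IP/DNS
# entry equals $2 exactly; substring hits such as 192.0.2.1 vs 192.0.2.10
# are rejected.
cert_matches_name() {
    subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null)
    case "$subj" in *"CN=$2"|*"CN=$2,"*) return 0 ;; esac
    # Flatten the -text dump so every SAN entry is surrounded by spaces.
    san=$(openssl x509 -in "$1" -noout -text 2>/dev/null | tr ',\n' '  ')
    case " $san " in *" IP Address:$2 "*|*" DNS:$2 "*) return 0 ;; esac
    return 1
}

# Returns 0 if the public half of private key $2 equals the public key
# embedded in certificate $1 (compared via SHA-256 of the PEM public key).
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl dgst -sha256)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl dgst -sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# check_cert CERT KEY EXPECTED_NAME [MIN_SECONDS]
# Runs all three checks, prints one line per finding, returns the number
# of failed checks (0 means safe to upload). Default window is 30 days.
check_cert() {
    win=${4:-2592000}; fails=0
    cert_not_expiring "$1" "$win" || { echo "EXPIRY: $1 expires within ${win}s or is already expired"; fails=$((fails+1)); }
    cert_matches_name "$1" "$3" || { echo "NAME: $1 is not issued for $3"; fails=$((fails+1)); }
    key_matches_cert "$1" "$2"  || { echo "KEY: $2 does not match $1"; fails=$((fails+1)); }
    return $fails
}
# Usage: check_cert cam.crt cam.key 192.0.2.10
```

Run the same checks on the CAS side with its own certificate and interface address, since HA and CAM-CAS communication fail when either peer's certificate is bad.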
Administrators can minimize HA appliance Active-Active situations due to expired SSL certificates by
using SSL certificates with longer validity periods and/or using serial port connection (if available and
not used to control another CAM or CAS) for HA heartbeat. However, when you configure HA-CAMs
to perform heartbeat functions over the serial link and the primary eth1 interface fails because of SSL
certificate expiration, the CAM returns a database error indicating that it cannot sync with its HA peer
and the administrator receives a “WARNING! Closed connections to peer [standby IP] database! Please
restart peer node to bring databases in sync!!” error message in the CAM web console: