  • 1.  Hypothetical global ClearPass cluster

    Posted Oct 30, 2025 11:28 AM

    Hi

    A current ClearPass customer with servers in Azure, Europe, has asked for advice regarding the introduction of ClearPass nodes in North America as well.

    From my experience with on-prem ClearPass servers in the same cluster stretching between Europe and the US, it's a bit on the edge with regard to latency. It can work well, but you may also run into replication errors. I know of one cluster with nodes in AWS in the US, Europe and Singapore, and this cluster works fine.

    I think I have seen something, either in Airheads or in release notes, saying that the normal max 100 ms (200 ms RTT) that is advised between cluster nodes does not fully apply if you have the ClearPass servers in Azure or AWS. But I can't find the information now to confirm or deny it.

    So, my questions are:

    • Do the general recommendations related to latency between nodes still apply when the ClearPass servers are placed in different Azure or AWS regions?
    • Are there any differences if the cluster is a hybrid cluster with some node(s) running on-prem?
    • Links to official documentation would be appreciated, as I haven't found it myself.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------


  • 2.  RE: Hypothetical global ClearPass cluster

    Posted Oct 30, 2025 03:13 PM

    Hi Jonas,

    Are you referring to the Tech Note: ClearPass Clustering Design Guidelines?

    https://www.scribd.com/document/461019824/CPPM-TechNote-Clustering-Design-Guidelines-v1-2

    Or maybe this article (I saw you posted on there as well):
    https://airheads.hpe.com/discussion/clearpass-publisher-subscriber-ha-best-practice

    Or maybe this document:

    https://community.arubanetworks.com/HigherLogic/System/DownloadDocumentFile.ashx?DocumentFileKey=6a274f52-3b57-435f-8a81-0004f8f91c53&utm_source=chatgpt.com




    ------------------------------
    Shpat | ACEP | ACMP | ACCP | ACDP
    Just an Aruba enthusiast and contributor by cases
    If you find my comment helpful, KUDOS are appreciated.
    ------------------------------



  • 3.  RE: Hypothetical global ClearPass cluster

    Posted Oct 31, 2025 03:47 AM

    Yes, in these documents I can read the general recommendation of max 200 ms RTT between Publisher and Subscriber.

    But I think I have heard that in cloud-deployed clusters this should not be an issue, but I can't find any references to this.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 4.  RE: Hypothetical global ClearPass cluster

    Posted Oct 31, 2025 05:20 AM

    Yes, generally RTT should be around 200 ms.



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 5.  RE: Hypothetical global ClearPass cluster

    Posted Oct 31, 2025 05:24 AM

    It makes sense that it should be the same also in cloud deployed environments. 



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 6.  RE: Hypothetical global ClearPass cluster

    Posted Oct 31, 2025 12:32 PM

    Hi Jonas,
    Here is an extension that can be used to synchronize and replicate different clusters: HPE Aruba Networking ClearPass Synchronization service.

    This approach might help you move forward.



    ------------------------------
    Regards,

    Waldemar
    ACCX # 1377, ACEP, ACX - Network Security
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 7.  RE: Hypothetical global ClearPass cluster

    Posted Nov 05, 2025 05:48 PM

    Most cloud providers provide 'express routes' between regions to keep the latency as low as possible, which makes it easier/more predictable to stay within the 200 ms RTT.

    Further, ClearPass is not really different running in the cloud, in a VM or on-premises, so the requirements for clustering are similar as well.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------