About Secure ACS Database Replication configure

Hi,
I have installed the ACS and the ACS database has replicated completely. But when I made some changes, the primary ACS generated a *.csv file. This file can be replicated to the secondary ACS.
Thanks

Can you please clarify your issue? The post is not clear.
Regards

Similar Messages

  • ACS Database Replication

    I have 2 ACS servers:
    - ACS Appliance (v4.0)
    - ACS Server for Windows (v3.0)
    I want to design Primary ACS Appliance and Secondary ACS for Windows.
    I know the method for ACS Database replication.
    Thanks
    cheolhyeon

    Hello Hanwu
    Please send a screenshot of the replication page from the primary server.
    thanks
    Devashree

  • ACS Database Replication over VPN with overlapping Network Addresses

    We currently have two co-locations, each situated in a different province. We have two ACS servers which we want to deploy, one at each co-location. All our network equipment is behind PIX/ASA devices. Getting them to replicate over the VPN should be easy, but in our case we have overlapping network addresses at both ends of the tunnels.
    As per Cisco, data does not transit a NAT device when the two Cisco Secure ACS servers communicate, and a successful database replication can occur only if the secondary ACS server perceives no change in the IP header or content of the data it receives. So that means we will not be able to implement NAT to achieve this.
    Has anyone faced this problem of replicating the ACS database over a VPN with overlapping network addresses, and was anyone able to solve this issue using a workaround?
    All provided info and comments are greatly appreciated.

    I can help with the 3005 setup if you decide to go that route.
    You will need to add 2 network list entries under Configuration>Policy Management>Traffic Management>Network Lists.
    You will need to configure a local and a remote address. The local will be one of the public IPs for the site (provided by your ISP). The remote will be the device you are connecting to on the other end.
    You will also need to add a NAT LAN-to-LAN rule under Configuration>Policy Management>Traffic Management>Nat>Lan to Lan.
    Use a static NAT type. The rest will look similar to my example:
    Source (local address), Translated (public IP address used in the local network list), Remote (IP address of the device on the other end)
    Now just create an IPsec LAN-to-LAN tunnel. You will need to agree with the ISP on DES type and auth type. Use the local and remote networks you created earlier.

  • ACS Database Replication between SE and Windows

    I currently have 2 Windows ACS servers (4.0.1.27) in production and replicating databases. I also have a solution engine (appliance) running 4.1.4.13.7. I plan to upgrade the Windows ACS servers to 4.1.4.13.7 (same as the SE). I know that the software versions have to match for replication to work. Recently, I received conflicting information about database replication. I was told that an ACS SE (solution engine 1113) cannot replicate to a Windows ACS server, even if the software versions match. Before I change my production environment, I thought I would seek out additional input.

    Yes, you can replicate ACS for Windows with the ACS appliance. It works fine.
    Regards,
    ~JG

  • ACS 4.2 Database replication issue

    Hello Experts,
    Hope you are all doing well. I need your help with ACS database replication; I want to do replication between ACS servers. The issue I am facing is that there is no error in the ACS replication log. It just says outbound replication started and sits there; no other error message is shown. I can successfully telnet to the secondary server's destination port 2000. But when I hit the replication button on the primary server, I do not observe any hit count on my ASA ACL, on which I allowed TCP 2000 for the destination secondary server. I also checked my syslog server to see if there is any traffic denied between these 2 ACS servers but found nothing. I also did Wireshark captures on the interfaces, but no traffic is initiated when I press the Replicate Now button. Initially I thought it was a machine issue, but the same behavior is shown when I swapped primary to secondary. There are other applications running on both servers which require Java, like Cisco IME etc. Can it be a Java issue? Please help me out. I am using Release 4.2(0) Build 124 on both servers. Attached below is the replication log snapshot.
    Regards,
    Rizwan.

    https://supportforums.cisco.com/discussion/11382366/problems-witch-acs-42-replication
    https://supportforums.cisco.com/discussion/11363046/replication-problem-acs-ver-42

  • ACS server replication Query

    Hi All,
    I have two ACS servers, a primary and a secondary. A new secondary server is to be deployed into the network. My primary ACS server has 1000 AAA clients configured, with 15000 user IDs configured in multiple group profiles. My question is: when I do database replication between primary and secondary, will the entire database be replicated from my primary server to the secondary server (all AAA clients and end users, group profiles, interface configuration etc.), or does replication have restrictions for the database?
    In total: will AAA clients and user IDs be in one database backup, or will they reside in different locations?
    Kindly clarify this for me. Thank you.

    Hi,
    The entire database will get overwritten in case of database restore.
    You use ACS Database Replication to copy various components of the ACS internal database to other ACSs. This method can help you plan a failover AAA architecture, and reduce the complexity of your configuration and maintenance tasks.
    The components that can be replicated are:
    - User and group database
    - Group database only
    - Network Configuration Device tables
    - Distribution table
    - Interface configuration
    - Interface security settings
    - Password validation settings
    - EAP-FAST master keys and policies
    - Network Access Profiles
    - Logging Configuration (Enable/Disable Settings)
    The following link will give you details of the database replication.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/SCAdv.html#wp756304
    Hope this helps.
    Regards,
    Anisha
    P.S.: Please mark this thread as resolved if you feel your query is resolved. Do rate helpful posts.

  • CiscoSecure ACS 4.1(1) Build 23 Patch 5 :database replication fails; possibly short timeout or dead

    Hi,
    For some time we have been struggling to get database replication working.
    On the primary server it is reporting the following in "Database Replication active.csv":
    07/21/2010,14:22:58,SZ0910,WARNING,ACS 'SZ0920' not replied to replication request - possibly short timeout or dead
    07/21/2010,14:12:08,SZ0910,INFO,Outbound replication cycle starting...
    In CSMon.log the following is logged:
    CSMon 07/21/2010 14:12:11 A 1544 13760 Pausing the monitoring of CSAuth for duration 600
    CSMon 07/21/2010 14:12:11 A 1544 11640 Pausing the monitoring of CSLog for duration -1
    CSMon 07/21/2010 14:12:14 A 1544 13788 Pausing the monitoring of CSRadius for duration -1
    CSMon 07/21/2010 14:12:18 A 0641 3248 CSAuth: Paused State 0 6 Event Detected Level:2 Message:Service CSAuth has been suspended for a configured function to proceed. Monitoring will suspend until the service is restarted
    CSMon 07/21/2010 14:12:18 A 0641 3248 CSLog: Stopped State 0 6 Event Detected Level:2 Message:Service CSLog has been stopped or paused by the system. Monitoring will suspend until the service is restarted
    CSMon 07/21/2010 14:12:18 A 0641 3248 CSRadius: Stopped State 0 3 Event Detected Level:2 Message:Service CSRadius has been stopped or paused by the system. Monitoring will suspend until the service is restarted
    CSMon 07/21/2010 14:12:18 A 1544 7716 Pausing the monitoring of CSTacacs for duration -1
    CSMon 07/21/2010 14:12:28 A 0904 3248 Analysis: Level 2 'Service CSAuth has been suspended for a configured function to proceed. Monitoring will suspend until the service is restarted. Service CSLog has been stopped or paused by the system. Monitoring will suspend until the service is restarted. Service CSRadius has been stopped or paused by the system. Monitoring will suspend until the service is restarted. '
    CSMon 07/21/2010 14:12:33 E 0351 3248 Failed to log accounting packet to logger localCSLog
    CSMon 07/21/2010 14:12:33 A 0641 3248 CSTacacs: Stopped State 0 2 Event Detected Level:2 Message:Service CSTacacs has been stopped or paused by the system. Monitoring will suspend until the service is restarted
    CSMon 07/21/2010 14:12:43 A 0904 3248 Analysis: Level 2 'Service CSTacacs has been stopped or paused by the system. Monitoring will suspend until the service is restarted. '
    CSMon 07/21/2010 14:12:48 E 0351 3248 Failed to log accounting packet to logger localCSLog
    CSMon 07/21/2010 14:22:18 A 0641 3248 CSAuth: State 0 6 Event Detected Level:4 Message:Service pause timed out. Please check the timeout settings for Replication and Backup
    I have followed this checklist: https://supportforums.cisco.com/docs/DOC-8795 to make sure configs are ok.
    But still replication fails.
    There is no firewall in between.
    Both ACS servers are running on MS Windows Server 2003, SP2.
    Can anybody point me in the right direction as to what could be the possible cause of this, or where else I can look for logging for further troubleshooting?
    Thanks in advance for your help.

    Hi,
    Also check port TCP 2000; this is the replication port, which needs to be opened between the primary and secondary ACS.
    Hope to help!!
    Ganesh.H
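
Added example (not part of the thread and not Cisco tooling): a small Python parser run over lines copied from the CSMon.log excerpt above. It pairs each "Pausing the monitoring" entry with a later "Service pause timed out" event and lists which AAA services were reported paused or stopped meanwhile. The field layout in the regular expressions, and reading the `E` flag as an error marker, are assumptions inferred from those lines only.

```python
import re
from datetime import datetime

# Lines copied from the CSMon.log excerpt in the post (the two long
# "Analysis:" lines are left out; they repeat the per-service messages).
SAMPLE = """\
CSMon 07/21/2010 14:12:11 A 1544 13760 Pausing the monitoring of CSAuth for duration 600
CSMon 07/21/2010 14:12:11 A 1544 11640 Pausing the monitoring of CSLog for duration -1
CSMon 07/21/2010 14:12:14 A 1544 13788 Pausing the monitoring of CSRadius for duration -1
CSMon 07/21/2010 14:12:18 A 0641 3248 CSAuth: Paused State 0 6 Event Detected Level:2 Message:Service CSAuth has been suspended for a configured function to proceed. Monitoring will suspend until the service is restarted
CSMon 07/21/2010 14:12:18 A 0641 3248 CSLog: Stopped State 0 6 Event Detected Level:2 Message:Service CSLog has been stopped or paused by the system. Monitoring will suspend until the service is restarted
CSMon 07/21/2010 14:12:18 A 0641 3248 CSRadius: Stopped State 0 3 Event Detected Level:2 Message:Service CSRadius has been stopped or paused by the system. Monitoring will suspend until the service is restarted
CSMon 07/21/2010 14:12:18 A 1544 7716 Pausing the monitoring of CSTacacs for duration -1
CSMon 07/21/2010 14:12:33 E 0351 3248 Failed to log accounting packet to logger localCSLog
CSMon 07/21/2010 14:12:33 A 0641 3248 CSTacacs: Stopped State 0 2 Event Detected Level:2 Message:Service CSTacacs has been stopped or paused by the system. Monitoring will suspend until the service is restarted
CSMon 07/21/2010 14:12:48 E 0351 3248 Failed to log accounting packet to logger localCSLog
CSMon 07/21/2010 14:22:18 A 0641 3248 CSAuth: State 0 6 Event Detected Level:4 Message:Service pause timed out. Please check the timeout settings for Replication and Backup
"""

# Assumed layout: "CSMon <date> <time> <flag> <number> <number> <message>".
LINE_RE = re.compile(
    r"^CSMon (\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) ([A-Z]) \d+ \d+ (.*)$")
PAUSE_RE = re.compile(r"Pausing the monitoring of (\w+) for duration (-?\d+)")
STATE_RE = re.compile(r"^(\w+): (?:Paused|Stopped) State")
TIMEOUT_RE = re.compile(r"^(\w+): State .*Service pause timed out")


def parse(text):
    """Yield (timestamp, flag, message) for every line matching the layout."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m is None:
            continue  # wrapped or unrelated line: skip rather than guess
        ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
        yield ts, m.group(2), m.group(3)


def analyze(text):
    """Correlate monitoring pauses with pause timeouts and service stops."""
    pauses = {}    # service -> (time monitoring was paused, duration as logged)
    down = {}      # service -> first time it was reported Paused/Stopped
    timeouts = []  # (service, seconds since its pause, logged duration)
    errors = 0     # lines carrying the "E" flag
    for ts, flag, msg in parse(text):
        if flag == "E":
            errors += 1
        if (m := PAUSE_RE.search(msg)):
            pauses[m.group(1)] = (ts, int(m.group(2)))
        elif (m := STATE_RE.match(msg)):
            down.setdefault(m.group(1), ts)
        elif (m := TIMEOUT_RE.match(msg)):
            start, duration = pauses.get(m.group(1), (None, None))
            elapsed = int((ts - start).total_seconds()) if start else None
            timeouts.append((m.group(1), elapsed, duration))
    return {
        "durations": {svc: d for svc, (_, d) in pauses.items()},
        "down": sorted(down),
        "timeouts": timeouts,
        "errors": errors,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE)
    for svc, elapsed, duration in result["timeouts"]:
        print(f"{svc}: pause timed out after {elapsed}s (logged duration {duration})")
    print("services reported paused/stopped:", ", ".join(result["down"]))
    print("E-flagged lines during the window:", result["errors"])
```

On the sample, the CSAuth timeout lands just past the logged 600-second pause, and all four AAA services were reported paused or stopped during that window.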

  • Problem with ACS 4.2 Database replication

    Greetings,
    I am not able to replicate Database between two ACS SE 4.2. I am getting the following error:
    Inbound database replication from ACS 'ACS_BEX_001' denied - shared secret mismatch.
    The configuration apparently is ok. I am attaching the configuration from both ACS.

    The solution posted by Nevin is correct, but I must add some explanations. I had the problem yesterday and I proceeded as Nevin said:
    - I connected to the console and did a "show".
    - The IP was the correct one, but as indicated I did a "set ip".
    - The system asked for the new IP, showing the old one between brackets, i.e. "New IP [10.10.10.1]:"
    - I pressed Enter, because the IP is correct.
    - After confirming the IP, mask, gateway and DNS, the system asked me to verify connectivity. I did it and it was correct.
    - The second time it asked to check connectivity I answered No, and nothing happened.
    - We checked through the web but the "Self" IP was still 127.0.0.1.
    - So I went through the process again BUT this time I changed the IP to another one. After finishing (when I answered No to check connectivity), I saw that the system was stopping all ACS processes and starting them again.
    - In the web page the "Self" IP was the new one.
    - I went through the process again, changing the IP to the original one. This time also the system stopped and started all processes.
    - In the web page the "Self" IP was correct.
    - Now the replication worked correctly.
    So the problem was that the system is "intelligent" and if it discovers that you don't change the IP (even if you change the DNS), it doesn't reconfigure it. So you must change to another IP (even a dummy one) and then change again to the correct one.
    I hope this can help other people.

  • ACS internal database replication

    I have set up ACS internal database replication and it works once, then the secondary config is overwritten and doesn't contain the AAA server of the primary.
    primary - 10.100.253.25
    ACS 1113 running 4.2
    secondary - 10.100.253.26
    ACS 1113 running 4.2
    Example of before and after
    Before replication
    The primary has these AAA servers listed under network components.
    self - 127.0.0.1
    acs2 - 10.100.253.26
    The secondary has these AAA servers listed under network components.
    self - 127.0.0.1
    acs1 - 10.100.253.25
    After replication
    The primary has these AAA servers listed under network components.
    self - 127.0.0.1
    acs2 - 10.100.253.26
    The secondary has these AAA servers listed under network components.
    self - 127.0.0.1
    acs2 - 10.100.253.26
    Therefore, after the first replication, subsequent attempts will fail because the secondary won't accept attempts from unknown AAA servers. Is this to be expected or can I mitigate it in some way?

    Please try setting the original IP address by using the "set ip" command from the console connection of the ACS Solution Engine. Once you have successfully changed the IP address, you can apply patch 11 or above (latest is patch 16) on the ACS SE (this will fix the problem).
    In the majority of cases the set ip command fails, but sometimes it works too.
    In case it doesn't help, then we have 2 options:
    1.] Open a TAC case, send the database file to delete the entry.
    2.] If you are not interested in sending your database, then try the steps listed below:
    In order to remove the loopback entry from the database, we need to follow these steps:
    Please download the ACS 4.2 trial from the following link, if you do not have the ACS full version for Windows purchased.
    http://www.cisco.com/cgi-bin/tablebuild.pl/acs-win-eval- eval-ACS-4.2.0.124-SW.zip
    [1] Install the eval version on a Windows 2000/2003 server. Please also ensure that Java is installed on that server.
    [2] Take a backup from ACS SE from, System Configuration > ACS Backup >Backup Now.
    [3] Restore the database backup on ACS eval.
    [4] On eval ACS, go to Network Configuration > find the AAA Server entry with 127.0.0.1 entry. Edit it and give it some other IP, for example, 1.1.1.1. Submit + Apply.
    [5] On eval, Restart CSAdmin service.
    [6] On eval, go back to Network Configuration and search for the changed IP address and delete that entry, Delete + Apply.
    [7] Take a backup from eval ACS, System Configuration > ACS Backup > Backup Now.
    [8] Restore the database backup from eval ACS into ACS SE from option, System Configuration > ACS Restore, choose the database backup. Check the options "User and Group Database" and "CiscoSecure ACS System Configuration", then press Restore Now.
    [9] On ACS SE, go to Network Configuration, make sure that 127.0.0.1 entry is not there and for ACS SE's hostname we have the correct IP address. Go to Proxy Distribution Table > (Default). Move the server’s hostname entry that has correct IP for this ACS SE into "Forward To" column, if not already. Then press "Submit + Restart".
    Reference defect, CSCso36620 - Toggle nic command changes AAA server ip address to "127.0.0.1" in GUI.
    Regards,
    Jatin
    Do rate helpful posts-

  • ACS 4.2 to ACS 5.4 database replication

    Hello All,
    I would like to know if it's possible to set up database replication from a Cisco ACS 4.2 server to an ACS 5.4 server?
    Thanks in advance
    Mohsin Saleem

    Unfortunately, database replication (trigger update) cannot be performed as it requires both the ACS boxes to run the same code.
    If you meant migration, then yes, that can be done.
    Migrating from ACS 4.x to ACS 5.4
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/user/guide/migrate.html
    Jatin Katyal
    - Do rate helpful posts -

  • Cisco Secure ACS 4.1 with Windows Database

    I have ACS 4.1 integrated with Windows Database (check mark in allow Remote Dial-In).
    When we terminate an employee, do I also have to delete their ACS User Profile?
    If I delete the user in AD, will that automatically delete the user in ACS?
    Where can I read more about this?

    Hi,
    If you delete the user in AD, then it would not authenticate the user even if the dynamically mapped user exists in the ACS database, as the password would not be verified from the AD for the user.
    The dynamically mapped user entry would still exist in ACS and would not get deleted if the user is deleted from AD.
    tnx
    somishra

  • How to configure Cisco Airespace in Cisco Secure ACS v5.3

    Need some help regarding Cisco Airespace configuration in Cisco Secure ACS v5.3. We're migrating to ACS v5.3 but we're encountering an issue with Cisco Airespace. It is only working on ACS 4.1, but when we tried to move it to Cisco Secure ACS v5.3, it is not working.

    OK, we have a legacy Cisco wireless device called Cisco Airespace, and this device is the result of Cisco's acquisition of Airespace Wireless Network in 2005. Cisco improved this technology and made it a perfect device for WLAN. Going back to my issue, as I mentioned we have this device and it is working in our older version of ACS (4.x). Since we now have the latest version of ACS, which is 5.3, we wanted to migrate all the devices into our latest version of ACS, including the older version (Airespace). Since this is an older device, I'm thinking that the VSA attributes need to be manually added, and a Policy and Access Service created specific to Cisco Airespace. I've attached the dictionary attributes that I've added and need some advice on whether I got the correct values for the items below:
    Airespace-WLAN-Id
    Airespace-QoS-Level
    Airespace-DSCP
    Airespace-802.1p-Tag
    Airespace-Interface-Name
    Airespace-ACL-Name
    Below link is the configuration guide for Cisco Airespace under ACS 4.x
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080891919.shtml

  • ACS SE Database replication fails

    Hello, I recently upgraded our ACS SEs from 4.0 to 4.1. All appeared to go OK but I checked the logs recently and saw that the database replication is failing with the message:
    ACS '[hostname]'is running a different version of ACS - aborting.
    All ACS SE were upgraded at the same time and display the same versions when examining the Appliance Upgrade page. Does anyone have any ideas what the problem is?
    Thanks in advance.

    Hi, I am having a related problem but in my case I am using ACS for Windows ver. 4.0. I am replicating from one primary ACS to three other ACS using scheduled nightly replication.
    The problem is that the data is being updated on all three ACS servers, but in the database replication logs on the primary I get messages stating that "ACS-server-name replication failed possibly due to short time-out or dead". Moreover, not all three servers time out. Sometimes one server times out, and other times two servers time out, etc.
    On the replicated servers' logs, the only log entry, in case the server times out, shows "replication cycle starting....", while when replication is successful, it also shows Replication cycle completed successfully.
    I have played around with the timeouts but the result is random. I have also checked if there are any bandwidth issues, but replication is scheduled at night with minimal network traffic and the servers are also not being used for authentications.
    I don't understand why I don't see successful messages all the time, especially when the data does get updated on the replica ACS.
    Thanks.
    MAG

  • About Cisco secure ACS v3.0

    Hi,
    I have rebuilt the TACACS server for Cisco Secure ACS v3.0 and then restored all the data via the "data restore" under the system configuration.
    After the rebuild, it was only working for one day... and then it fails to authenticate users. I checked the event viewer; the error message is:
    ODBC authentication dll failed to initalise, code -1110
    and
    CSMon message: Problem Logging on to CSTacacs. Got as far as Starting Processing in Auth module
    Any idea?
    Thanks

    Hi
    When I tried to view it, it says:
    This bug is no longer available in Bug Toolkit. Click bug ID for details.
    Would you be able to provide more information for this bug please?
    Thanks
    Kind regards
    Rachel

  • With Cisco Secure ACS 4.2 User accounts gets locked at first instance of wrong credentials even if configured for 3 attempts

    Hello Everybody,
    I am working with Cisco Secure ACS 4.2 and it is integrated with Active Directory at a Windows 2008 R2 functional level. User accounts that are set with lockout parameters (3 incorrect attempts) are locked out prematurely after the user enters the wrong credentials just once. The integration is done via LDAP.
    I wonder if anybody has any idea why this is happening, because when I connect to a Cisco device or VPN, and type my password wrongly, on the Active Directory I get extra bad password counts.
    Thanks in advance and regards....

    Hello Scott,
    Thanks for your answer. However we checked the ACS logs and it shows that we entered bad credentials just once, but in the Active Directory our account sometimes is blocked because we get at least 2 and sometimes 3 failures. This problem is only presented when we authenticate Cisco devices or through VPN, in normal circumstances, when users enter bad credentials on their computers, it works fine.
    Thanks and regards...
