ACS 4.1 Upgrade

Similar Messages

• [ACS 5.2] Upgrade to ACS 5.4

  Hi,
  We got 2 Cisco ACS 5.2.0.26.10.
  Primary server as authentication server and log collector
  Secondary server as authentication server. Replication is configured.
  I read the following guide: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/installation/guide/csacs_upg.html#wp1194934
  "There are some exceptions to this usual setup, which you can handle as described below:
  If the ACS 5.3 primary server also functions as a log collector in your 5.3 deployment, you should promote any one of the secondary servers as primary server in the deployment. See Promoting a Secondary Server to Primary "
  This exception matches with my case. I have to promote my secondary server as primary.
  I would have :
  Secondary server as authentication server and log collector
  Primary server as authentication server
  Now, I think I have to deregister secondary from primary server....
  According to the guide, I have to upgrade the log collector server.
  "Step 1: Choose any secondary server to become a log collector:"
  I dont have another secondary server...
  What should I do now? (upgrade secondary/log server? upgrade primary server? ... )
  This guide supposed that I have 2 secondary and 1 primary ...
  I dont know which steps to follow....
  Thanks for your help,
  Patrick

  You have a requets open to TAC and so you will get their guidance
  Wil still share some general clarifiactions that I am aware of when going from ACS 5.2 to ACS 5.4
  For the first step in the upgrade process, you want to upgrade the log collector since will have both configuration and M&T data.
  1) if ACS 5.2 log collector is a seconday should just deregister from the deployment to make standalone and then upgrade the server to be ACS 5.4. It will initially be the new ACS 5.4 primary server (this is temporary and gets rectified at end of overall process)
  2) if log collector is the primary on the ACS 5.2 then promote a difference server so that log collector is now secondary and can follow step 1)
  At this point have one server on ASC 5.4 and rest on ACS 5.2. Can now begin to move the rest of the servers from ACS 5.2 to ACS 5.4 (as guide says: "Register the secondary server to the ACS 5.4 primary server" - this is temporary primary server as described in step 1)
  Once all the servers are migrated then can select the "long term primary" ; as opposed to temporary one
  writing this I can see it is hard to explain. Am sure TAC will do better

• ACS 5.1 upgrade to 5.5 question

  Hello Experts,
  I am looking for some kind of process documentation for upgrading ACS 5.1 to 5.5, from Cisco's documention I found that first I have to upgrade 5.3 and then 5.5. I have two production ACS servers with Primary and Secondary. When upgrading to newer version, first I have to start with the secondary server and  de-register and upgrade to 5.3 and 5.5. When the secondary server is upgraded to version 5.5, then upgrade the Primary server and re-register the secondary server on the Primary server. My question is while I am upgrading the secondary and primary servers what will be the impact on the production like downtime and the risk factor, if anybody was on that situation and how did you plan for the upgrade process.
  Thanks!

  Is this a system where a lot of M&T data has accumulated? How long has the system been installed? If so have you ever configured the M&T data to be purged?

• ACS 4.x upgrades

  Looking to see where I would enter my contract info to order the upgrade Cd for our maintenance on ACS 4.x

  Here is the link,
  http://tools.cisco.com/gct/Upgrade/jsp/index.jsp
  Also if you have a contract open a Case with TAC to get acs software.
  Regards,
  ~JG
  Do rate helpful posts

• ACS SE 1113 Upgrade from 4.0.1 to current version

  Hello,
  does anyone has experience in upgrading the 1113 SE from 4.0.1 to the current version (4.2)? Our customer does not have a recovery CD. I did not found such an image on CCO. In case of any problems how can the system be recovered? Exact version of current version is 4.0.1(42). I suppose the following product will be the correct one for the upgrade: CSACSE4.2-SW-MR-K9.
  Any hints are apprecdated, thanks.
  Regards, Markus

  The first step in migrate the ACS software running on a previous SE appliance platform (the Cisco 1111, the Cisco 1112 or the Cisco 1113) to run on the ACS 4.2 Cisco 1113 platform is to Upgrade the software on a previous SE hardware platform (the Cisco 1111 or the Cisco 1112) to ACSversion 4.1 by using the full upgrade method.
  The further steps is described in the below URL:
  http://www.ciscosystems.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2/installation/guide/solution_engine/upgap.pdf

• Stop ACS 5.0 upgrade in progress

  How do I stop an FTP upgrade if it is pointed to an incorrect FTP location.

  Was this operation done from the GUI? If so I think can go to:
  System Administration > Operations > Distributed System Management > Edit: "hostname"
  If a software update is in progress for this server should see a "cancel software update" button

• ACS loses connection with AD occasionally after upgrade from 5.2 to 5.3.0.40

  ACS had been integrated with Active Directory before ACS upgrade to 5.3. After the ACS 5.3 upgrade users aren’t able to login to AAA devices occasionally. Error message is:
  {AuthenticationResult=Error; Type=Authentication; Authen-Reply-Status=Error; }
  24429 Could not establish connection with Active Directory
  At the same time, when this issue occurs, ACS connection to AD works fine (checked with Users and Identity Stores> External Identity Stores > Active Directory “Test Connection”)

  I had the same problem, I opened a Cisco TAC case and my issue was resolved.
  Sent: Tuesday, 14 August 2012 9:58 AM
  Subject: RE: 622739355 HelpDesk#SVR328332-2 : Troubleshoot Cisco ACS 1121 v5.3 With Windows Active Directory
  Hi Ramraj,
  Thanks for the link to the article, but from what I’ve seen in the logs I’m not sure that we’ve got the same root cause to the issue.
  From the ACSADAgent.log files I can see log messages like:
  Aug 11 11:10:56 CSSC-TPM-DC-ACS-1 adclient[5524]: DEBUG network.state NST: SniffList: postfailsort=mykulad11p.cssc.dksh.net
  Aug 11 11:10:56 CSSC-TPM-DC-ACS-1 adclient[5524]: DEBUG base.kerberos.adhelpers Encryption (id 1) is not supported by KDC. Try next in the list
  Aug 11 11:10:56 CSSC-TPM-DC-ACS-1 adclient[5524]: DEBUG base.osutil Module=Kerberos : KDC refused skey: KDC has no support for encryption type (reference base/adhelpers.cpp:216 rc: -1765328370)
  Aug 11 11:10:56 CSSC-TPM-DC-ACS-1 adclient[5524]: DEBUG base.adagent Unable to refresh computer credentials: KDC refused skey: KDC has no support for encryption type
  This lines up with the error message that we see in the TACACS+ Authentication logs:
  24493 ACS has problems communicating with Active Directory using its machine credentials.
  I have come across a NETBIOS limitation (it’s not an ACS bug, but a bug has been filed for tracking and documentation purposes) that prevents two ACSs from being connected to Active Directory at the same time if the first 15 characters of their hostnames are the same. The bug ID is CSCtj62342 and its externally visible details are available here: http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtj62342
  The hostname of the primary ACS is : MYMY-TPM-DC-ACS-1
  The hostname of the secondary ACS is: MYMY-TPM-DC-ACS-2
  From the hostnames, we can see that the first 16 characters of the hostnames are the same. What this means is that once the primary is connected to AD, after some time passes (this will depend on when the secondary goes an talks to AD) the secondary will lose its connection to AD and any authentications hitting the secondary will fail with the same error: 24493 ACS has problems communicating with Active Directory using its machine credentials.
  To resolve this issue, the hostnames of the ACSs will need to be changed so that the first 15 characters of their respective hostnames are not the same. Please keep in mind that this is a NETBIOS limitation and not a software bug.

• ACS 4.2 to 4.2.1 Upgrade Questions

  I have been tasked to upgrade our four ACS servers from
  4.2.1.15 to the latest version.  The ACS servers are
  applianced based.  I have browsed the download software page
  of cisco.com and have found this file:
  app/Acs_4.2.1.15.11.zip (ACS SE 4.2.1.15.11 cumulative
  patch).
  Can someone confirm if this is the latest/best file to download
  the latest 4.2 release of hardware based Cisco Secure ACS?
  For those who have upgraded to this latest release, can you
  comment on your experience regarding the upgrade process or
  ACS performance post-upgrade?  Any issues/caveats about the
  process or performance post-upgrade?
  Thanks in advance for any helpful information you can
  provide for this?
  Adil

  Hi Adil
  ACS  provides a migration utility to transfer data from migration-supported  versions of ACS 4.x to any ACS 4.x machine. The ACS migration process  requires, in some cases, administrative intervention to manually resolve  data before you import it to ACS.
  The Migration utility completes the data migration process in two phases:
  •Analysis and Export
  •Import
  In  the Analysis and Export phase, you identify the objects that you want  to export into 4.x. The Migration utility analyses the objects,  consolidates the data, and exports it.
  After  the Analysis and Export phase is complete, the Migration utility  generates a report that lists any data compatibility errors, which you  can manually resolve to successfully import these objects into new ACS.
  The  Analysis and Export phase is an iterative process that you can rerun  many times to ensure that there are no errors in the data to be  imported. After you complete the Analysis and Export phase, you can run  the import phase to import data into ACS.
  For complete step by step configuration, please go through this link:
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/common_scenarios.html

• Upgrade of ACS 5.4 to 5.5

  Need a sanity check on our proposed upgrade of our ACS. There is a preupgrade entitled  "Pointed-PreUpgrade-CSCum04132-5-4-0-46-0a.tar.gpg "
  which I'm not sure I need if I am running version 5.4.0.46.2.
  Here is the output from our CLI. Do I need the patch or can I install 5.5?
  Thanks,
  Paul
  Current:
  Version information of installed applications
  Cisco ACS VERSION INFORMATION
  Version : 5.4.0.46.2
  Internal Build ID : B.221
  Patches :
  5-4-0-46-2
  acs1/engine# show application version acs
  Cisco ACS VERSION INFORMATION
  Version : 5.4.0.46.2
  Internal Build ID : B.221
  Patches :
  5-4-0-46-2

  1. You must install the latest patch of ACS 5.4 that is patch 6.
  2. Since there is a known issue with ACS 5.5 upgrade so you need to apply the pointed patch. Please download the below listed patch from here - http://tools.cisco.com/squish/66c52
   -Pre-Upgarde ACS5.4 patch to address upgrade issue for defect "CSCum04132" 
    -Pointed-PreUpgrade-CSCum04132-5-4-0-46-0a.tar.gpg
     -Here is command to apply pointed patch - http://tools.cisco.com/squish/85363
  3. Run database compress - http://tools.cisco.com/squish/A93F0
  4. Perform application backup to be on the safer side - http://tools.cisco.com/squish/d9b2b
  5. Once you are done with the above process, please apply the
  ‘ACS 5.5 Application Upgrade Package’ – ‘ACS_5.5.0.46.tar.gz’
  download it from here - http://tools.cisco.com/squish/66c52
  6. Doc. on  Upgrading an ACS server from 5.4 to 5.5 -  http://tools.cisco.com/squish/f6415
  7. Apply ACS 5.5 patch 2
  NOTE:
  1. Please ensure that opt disk space should be below 30 percent (show tech | in opt)
  2. TFTP is not supported. It’s recommeded to use FTP.
  Hope this helps.
  Regards,
  Jatin Katyal
  *Do rate helpful posts*

• ACS Appliance Upgrade

  I obtained the 3.3 release from Cisco. I'm currently running v3.2. When I go to System Configuration -> Appliance Upgrade Status -> Download -> Connect -> Download Now, it returns "No Distribution in Appliance". I can see the 3.3.3.11 in the software install table. but it returns the error above when trying to transfer the file. I'm running Apache / Windows XP SP2. Anyone seen this before?

  Hi,
  Without Distribution server, normally you need to load the new image into the current ACS appliance itself before execute the upgrade process. The new image can be transferred via serial or ACS web-based 'system upgrade' option.
  If I am not mistaken, the error you're getting was due to unavailability of distribution server.
  If you stuck with the image transfer, try to use CLI/console mode.
  Typicall upgrade method has 3 steps:
  1. Load new image (download from Cisco or using CD) onto a distribution server.
  2. Load the upgrade image onto the Cisco Secure ACS Appliance from the distribution server. Do it either from within the HTML interface, or from the serial console. The Cisco Secure ACS Appliance will verify the transferred files to ensure that they have not been corrupted.
  3. Apply the Cisco Secure ACS Appliance system upgrade. You can do this either from within the HTML interface, or from the serial console.
  Refer to the following url for complete upgrade processes & options:
  http://www.cisco.com/en/US/partner/products/sw/secursw/ps5338/products_installation_guide_chapter09186a0080203004.html#wp1044616
  Rgds,
  AK

• ACS SE Database replication fails

  Hello, I recently upgraded our ACS SEs from 4.0 to 4.1. All appeared to go OK but I checked the logs recently and saw the the database replication is failing with the message:
  ACS '[hostname]'is running a different version of ACS - aborting.
  All ACS SE were upgraded at the same time and display the same versions when examining the Appliance Upgrade page. Does anyone have any ideas what the problem is?
  Thanks in advance.

  Hi, I am having a related problem but in my case I am using ACS for Windows ver.4.0. I am replicating from one primary ACS to three other ACS using scheduled nightly replication.
  The problem is that the data is being updated on all three ACS servers, but in the database replication logs on the primary I get messages stating that "ACS-server-name replication failed possibly due to short time-out or dead". Moreover, not all three servers timeout. Sometimes one server timeout, and other times two servers timeout, etc.
  On the replicated servers logs, the only log, in case server times out, shows that "replication cycle starting....". while when replication is successfull, it also shows Replication cycle completed successfully.
  I have played around with the timeouts but the result is random. I have also checked if there are any bandwidth issues, but replication is scheduled at night with minimal network traffic and the servers are also not being used for authentications.
  Don't understand why I don't see successful messages all the time, specially when the data does get updated on the replica ACS.
  Thanks.
  MAG

• If i cant upgrade to Lion how can i effectively use i cloud?

  If i cant upgrade to Lion how can i effectively use i cloud?

  OK paper weight is harsh, but i made the upfront investment to have longevity ....
  Reality:
  - We can't predict what Apple will do, we can only go on past behavior.
  - For the past decade Apple has stopped pretty much all support for anything except the current and previous operating system (OS) version.  Apple has brought out a new OS version roughly every 2 years.  This translates to roughly 4 years of update support.  In some cases Apple may stretch it a bit such as iTunes also still working under OS 10.5 (we're now on 10.7), but iTunes isn't an OS.   I do know with the recent malware incident Apple did not bring out a fix for any OS earlier than 10.6.  Now there's an interesting change ahead. Apple brought out Lion last year and is likely to bring out Mountain lion this year. We're now on a 1 year upgrade cycle. If Apple continues past pattern on only supporting the last two OS versions it means your OS basically only has an effective lifespan of 2 years instead of 4. Longevity?
  - Hardware.  We bought an iphone last December. I asked the person in the store about battery life. He said, "Oh, at least two years but you'll be thinking about getting rid of this one by then and getting a newer one."  Two years.
  I don't remember the exact criteria, but Lion won't run on the earliest Intel Macs (2006) and Mountain Lion likely won't run on some of the middle aged ones.  Snow Leopard (ca. 2009) won't run on any Mac made prior to 2006. Reviewing OS releases for the past 6 years or so it seems to me you get roughly 5 years before new OS releases won't run on your hardware any more.
  So, we have software support dropping out after 4 years or so (maybe now down to 2 years???) and hardware becoming obsolete after 5 years.  Is that longevity?
  Here are some other interesting articles:
  Vintage and obsolete products - http://support.apple.com/kb/HT1752  - Apple's official perspective.
  http://blog.macsales.com/10146-apple-further-restricts-upgrade-options-on-new-im acs - hard drive upgrade issues.

• ACS Cert Error

  Hi All
  I have a ACS SE, recently upgraded to 4.2. What I am seeing is a Cert error when trying to login to the admin interface using FireFox. I am can get throught after accepting a few waringins using IE but Firefox stops dead at the error <Error code: sec_error_reused_issuer_and_serial>
  Now I do have two ACS server, a primary and a secondary. If I delete the Cert from Firefox for the secondary ACS I can get into the primary until I loging to secondary then after importing the secondary cert the primary stops working again.
  I have already regenerated a Cert on the primary but it still seems to have the issue.
  It seems to be pointing to a duplicate serial number but both servers are SE's so it isn't like I imaged both servers and they are exact copies.
  Any help would be apreciated.

  Hi There,
  No I am not sharing the Cert and the Cert is self Signed. I am however replicating information between the two servers. Specifically the primary is sending "User and Group DB", "Distribution Table", "Interface Config", "Interface Security Setting", "Password Validation Settings" and "Network Access Profiles" to the Secondary.
  I am using Firefox 3.0.5.
  Thanks

• Problem with Downloadable ACLs on ACS 4.1(1) for Windows

  I'm currently able to logon to my internal network 192.168.4.0/24 but not able to get my incoming ACS downloadable ACL working. Combination:
  PIX605E 6.3(5) - ACS 4.1(1) Build 23 Patch 5.
  This is my list:
  permit ip host 192.168.4.200 any (where any can be 192.168.5.1 - 10)
  deny ip any any
  I'm still able to ping other machines in subnet 4 from source address 192.168.5.1
  I've already checked this link:
  http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&type=Subscriptions&loc=.2cd2949c/4&forum=Security&topic=Firewalling
  but in my config there is no statement:
  sysopt ipsec pl-compatible
  The only system option that I use is:
  sysopt connection permit-ipsec
  Does anyone have an idea?
  Regards, Peter

  The Downloadable IP Access Control List (ACL) feature found in Cisco Secure Access Control Server (CS ACS) for Windows versions 3.0 through 3.3.3 may allow an unauthorized user to gain network access through a Remote Access Server or Network Access Server (RAS/NAS).
  This issue has been resolved in CS ACS Version 4.0.1 as well as PIX version 6.3(5), PIX/ASA 7.0(2), Cisco IOS® Software Version 12.3(8)T4 and VPN 3000 versions 4.0.5.B and 4.1.5.B If the ACS server is upgraded to software version 4.0.1 or later before the RAS/NAS devices are upgraded, all Downloadable IP ACL requests will be declined. However, no harm will result to Downloadable IP ACL functionality if the RAS/NAS devices are upgraded to the new software before the ACS server software is upgraded. In either case, normal RADIUS user authentication will not be affected.

• Cisco acs "manifest file not found" help

  srvacs01/admin# application upgrade ACS_5.5.0.46.tar.gz WCS
  Do you want to save the current configuration ? (yes/no) [yes] ? no
  6 [27522]: transfer: cars_xfer.c[54] [admin]: ftp copy in of ACS_5.5.0.46.tar.gz requested
  7 [27522]: transfer: cars_xfer_util.c[89] [admin]: ftp get source - ACS_5.5.0.46.tar.gz
  7 [27522]: transfer: cars_xfer_util.c[90] [admin]: ftp get destination - /storeddata/Installing/.1413207431/ACS_5.5.0.46.tar.gz
  7 [27522]: transfer: cars_xfer_util.c[109] [admin]: initializing curl
  7 [27522]: transfer: cars_xfer_util.c[122] [admin]: full url is ftp://10.222.15.196/acs5/ACS_5.5.0.46.tar.gz
  % Manifest file not found in the bundle
  srvacs01/admin#
  Cisco Application Deployment Engine OS Release: 1.2
  ADE-OS Build Version: 1.2.0.228
  ADE-OS System Architecture: i386
  Copyright (c) 2005-2009 by Cisco Systems, Inc.
  All rights reserved.
  Hostname: srvacs01
  Version information of installed applications
  Cisco ACS VERSION INFORMATION
  Version : 5.3.0.40.40
  Internal Build ID : B.839
  Patches :
  5-3-0-40-7
  5-3-0-40-9
  Pointed-PreUpgrade-CSCum04132-5-3-0-40

  Problem: "Error: Saved the running configuration to startup successfully % Manifest file not found in the bundle" on ACS appliance during appliance upgrade
  The Error: Saved the running configuration to startup successfully % Manifest file not found in the bundle error appears when an attempt is made to upgrade ACS Express
  Solution
  Complete these steps in order to upgrade the ACS appliance without any issue:
  Download patch 9 (5-0-0-21-9.tar.gpg) and ADE-OS (ACS_5.0.0.21_ADE_OS_1.2_upgrade.tar.gpg ) from: Cisco.com > support > download software > Security > Cisco Secure Access Control System 5.0 > Secure Access Control System Software > 5.0.0.21
  After you install the two files, install the ACS 5.1 upgrade ACS_5.1.0.44.tar.gz. This is available from the same path from previous step.
  Use this command in order to install the upgrade:
  application upgrade <application-bundle> remote-repository-name
  This completes the upgrade procedure.
  Refer to Upgrading an ACS Server from 5.0 to 5.1 for more information on how to upgrade the ACS appliance.
  please refer the upgrading acs server 5.4 to 5.5, for complete process.