ACS 4.2 Replication

Hi Guys,
Is anyone having a problem with DB replication on 4.2?
I have both my ACS servers added in the network devices with correct keys set.
I have set one to send and the other to receive in the DB replication settings. I have also set the partner on the sending device and set the accept from on the receiving end correctly.
I can ping between the two boxes, however I get a no response error on the sending ACS.
I get nothing in the logs of the receiver?
Any Ideas??
Cheers
Scott

Scott,
Please make sure that replication is set up correctly.
1) Make sure that you are not replicating over NAT. Replication over NAT does not work because the IP is used as part of the server authentication.
2) Next, check to make sure that you are not sending or receiving the distribution table. On the primary server, the distribution table should not be checked in the send list, and on the secondary, the distribution table should not be checked for receive.
3) Then I would like you to check in the secondary server's partner list, to make sure that the primary is not listed. You should not enter the primary server into the partner list on the secondary server. However, the primary server should have all secondary servers listed in its partner list.
4) Ensure that the secondary server has its replication scheduling set to "manual".
5) Please verify that your servers are all running exactly the same ACS version and build.
6) Also let me know if we have any firewall in between the two ACS servers.
Regards,
~JG

Similar Messages

  • ACS 4.2 replication issue

    We recently upgraded to ACS 4.2. All works perfectly except for replication. I now receive an error
    ACS Internal Database Replication Errors
    1.To disable receiving of EAP-FAST replication component, "EAP-FAST master server" must be enabled on "Global Authentication Setup" page
    We are not using EAP-FAST and it doesn't appear to be enabled. EAP-FAST is not checked to replicate.

    I looked at that when I first got the issue. It says that the server is Master. If I tick the box nothing changes and when I go back to that "Global Authentication" page the box is no longer ticked. The issue is the same on both the Primary Server and the Backup Server.

  • ACS SE Database replication fails

    Hello, I recently upgraded our ACS SEs from 4.0 to 4.1. All appeared to go OK but I checked the logs recently and saw that the database replication is failing with the message:
    ACS '[hostname]'is running a different version of ACS - aborting.
    All ACS SE were upgraded at the same time and display the same versions when examining the Appliance Upgrade page. Does anyone have any ideas what the problem is?
    Thanks in advance.

    Hi, I am having a related problem but in my case I am using ACS for Windows ver.4.0. I am replicating from one primary ACS to three other ACS using scheduled nightly replication.
    The problem is that the data is being updated on all three ACS servers, but in the database replication logs on the primary I get messages stating that "ACS-server-name replication failed possibly due to short time-out or dead". Moreover, not all three servers time out. Sometimes one server times out, and other times two servers time out, etc.
    On the replicated servers' logs, the only log entry, in case the server times out, shows "replication cycle starting....", while when replication is successful, it also shows Replication cycle completed successfully.
    I have played around with the timeouts but the result is random. I have also checked if there are any bandwidth issues, but replication is scheduled at night with minimal network traffic and the servers are also not being used for authentications.
    I don't understand why I don't see successful messages all the time, especially when the data does get updated on the replica ACS.
    Thanks.
    MAG

  • ACS internal database replication

    I have setup ACS internal database replication and it works once then the secondary config is overwritten and doesn't contain the AAA server of the primary.
    primary               - 10.100.253.25
    ACS 1113 running 4.2
    secondary          - 10.100.253.26
    ACS 1113 running 4.2
    Example of before and after
    Before replication
    The primary has these AAA servers listed under network components.
    self - 127.0.0.1
    acs2 - 10.100.253.26
    The secondary has these AAA servers listed under network components.
    self - 127.0.0.1
    acs1 - 10.100.253.25
    After replication
    The primary has these AAA servers listed under network components.
    self - 127.0.0.1
    acs2 - 10.100.253.26
    The secondary has these AAA servers listed under network components.
    self - 127.0.0.1
    acs2 - 10.100.253.26
    Therefore, after the first replication, subsequent attempts will fail because the secondary won't accept attempts from unknown AAA servers. Is this to be expected or can I mitigate it in some way?

    Please try setting the original ip address by using "Set ip" Command from the console connection of the ACS Solution engine. Once you successfully changed the ip address, you can apply the patch 11 or above (latest is patch 16) on the ACS SE (This will fix the problem).
    In the majority of cases the set ip command fails, but sometimes it works too.
    In case it doesn't help then we have 2 options:
    1.] Open a TAC case, send the database file to delete the entry.
    2.] If you are not interested in sending your database then try the below listed steps:
    In order to remove the loopback entry from the database, we need to follow the following steps.
    Please download ACS 4.2 trial from following link, if you do not have ACS Full version for Windows purchased.
    http://www.cisco.com/cgi-bin/tablebuild.pl/acs-win-eval- eval-ACS-4.2.0.124-SW.zip
    [1] Install eval version on Windows 2000/2003 server. Please also ensure that JAVA is installed on that server.
    [2] Take a backup from ACS SE from, System Configuration > ACS Backup >Backup Now.
    [3] Restore the database backup on ACS eval.
    [4] On eval ACS, go to Network Configuration > find the AAA Server entry with 127.0.0.1 entry. Edit it and give it some other IP, for example, 1.1.1.1. Submit + Apply.
    [5] On eval, Restart CSAdmin service.
    [6] On eval, go back to Network Configuration and search for the changed IP address and delete that entry, Delete + Apply.
    [7] Take a backup from eval ACS, System Configuration > ACS Backup > Backup Now.
    [8] Restore the database backup from eval ACS into ACS SE from option, System Configuration > ACS Restore, choose the database backup. Check option "User and Group Database" and "CiscoSecure ACS System Configuration", then press Restore Now.
    [9] On ACS SE, go to Network Configuration, make sure that 127.0.0.1 entry is not there and for ACS SE's hostname we have the correct IP address. Go to Proxy Distribution Table > (Default). Move the server’s hostname entry that has correct IP for this ACS SE into "Forward To" column, if not already. Then press "Submit + Restart".
    Reference defect, CSCso36620 - Toggle nic command changes AAA server ip address to "127.0.0.1" in GUI.
    Regards,
    Jatin
    Do rate helpful posts-

  • ACS 4.1 replication error

    Hi netPro,
    When I start the replication there's an error:
    ACS Internal Database Replication Errors
    Number Error
    1 'User and Group Database' and 'Group Database' cannot be replicated together
    What does it mean?
    Thanks.
    regards,
    Jack

    Hi Jack,
    Under database replication components, select either "user and group database" or "group database only". You can't have both selected, as the first option includes the other.
    regards
    Hamid

  • Problems with ACS 4.2 replication

    I installed the primary and secondary server.
    I see only one problem in the logs.
    When I try to replicate
    I get this:
    cisco acs
    01/04/2012 23:50:58 NTVMEM73 INFO Outbound replication cycle starting...
    01/04/2012 23:40:25 NTVMEM73 INFO Outbound replication cycle starting...
    01/04/2012 23:29:51 NTVMEM73 INFO Outbound replication cycle starting...
    01/04/2012 23:19:16 NTVMEM73 INFO
    Further, no issue.
    Can someone help me?

    Hello,
    There are still important files missing. Are both ACS servers configured for Full Detail of logging?
    Also, are you selecting the following when collecting the package?
    There are still missing files on the package.cab file that I need. Please try again with the above settings.
    Regards

  • Cisco ACS 4.2 Replication No Synchronization Partner

    I have two ACS 4.2 configured as expected for replication but Primary ACS does not show any synchronization partner either on the left or right. The Secondary ACS does have synchronization partner listed. What could be the reason for this?

    This has been resolved

  • ACS Engine Hanging / Replication Problems

    I have two ACS 1112 Appliances running the latest software (Release 4.0(1) Build 42). Each appliance seems to run fine on its own. However, after setting up and successfully performing replication, the second ACS will not fully reboot. It says CSAuth did not start. 'show' usually shows the CPU at 100% with the services in various states of stopped, stopping, or starting. The web interface is unavailable. Another thing I have noticed that I think may have something to do with it is the status of the remote agents in the network device table. After replication (and before rebooting), I can click on one successfully on the original machine, but when I attempt to click on one on the second appliance, I get a 404 browser error, and my ACS session is closed. I have to log back in to do anything else. Right now, I am rebuilding the second appliance from the CD (for the 15th time) to attempt replication with no remote agents defined to narrow down the problem. Also note that if I manually add a remote agent on the second appliance, I am able to get to its properties with no problems. I am only not able to get to replicated entries' properties. Thanks in advance for any help.

    Well, forget about the remote agents. The primary appliance has a very basic config. The only things in the network device table are itself and the other ACS. They each have the correct settings and the same key. The backup ACS has no configuration settings, except the ACS settings in the network device table and the appropriate replication settings. After a successful replication from primary to backup, and a reboot of the backup--it will not start back up. The CPU is at 100% and the services look like this:
    CSAdmin stopped
    CSAuth starting
    CSDbSync starting
    CSLog stopping
    CSMon starting
    CSRadius starting
    CSTacacs starting
    CSAgent running
    thanks.

  • Replication overwrites the AAA servers table in the secondary server

    Hi,
    I've configured two ACS servers with replication but I noticed that when the replication takes place it overwrites the AAA servers table configured in the network configuration of the secondary server, and that makes the next replication fail because the two servers have the same configuration of AAA servers. If I uncheck the "Network Configuration Device tables" and the "Network Access Profiles" from the "Database Replication Setup", which includes the AAA servers table, I also miss the replication of the new network devices that are added in the master server.
    Do you know how I can exclude only the AAA servers table from the replication?
    The other thing is that I configured the Outbound replication as "Automatically triggered cascade". I'm not sure if this means that at the exact moment that there is a change on the primary server it will replicate it to the secondary, because if that is the case it is not doing it.
    Thanks in advance for your help

    Hi,
    I understand, thanks a lot for making that clear!
    I now have another situation and I was wondering if you can help me. I made some changes in the AAA servers trying to solve this situation but I wasn't able to, so I left the servers again in the same way that they were configured at the time the replication was working, but now it is not. In the master server I get this message:
    ERROR ACS 'LACSLVBCDVAS007' has denied replication request
    and in the second server I get this:
    ERROR Inbound database replication from ACS 'lacslvbcpvas011' denied - shared secret mismatch
    I've checked the key configured for both and they are the same. I've deleted the AAA servers and then configured them again, restarted the services, but the problem remains. Do you have any idea what this could be?
    Thanks in advance for your help.
    Best Regards,

  • Best practises for replication

    Hi,
    I want to know what is best practice for duration of replication of database between two Cisco ACS.
    Regards,
    Atif.

    Hi Atif,
    The replication time interval should always be higher.
    Reason: Every time you replicate the data it requires ACS services to restart, so doing this frequently may affect your production environment.
    However, if you want to replicate internal users' passwords then there is an option to replicate password changes right away without a full replication. You can enable this option under System Configuration -> Local Password Management. With this enabled you could potentially set the replications to a larger interval.
    It also depends on how often you make changes in your ACS. If it's normal then I would say set it to every Sunday 12:00 PM.
    This is how replication happens:
    The primary ACS stops its authentication and creates a copy of the ACS internal database components that it is configured to replicate. During this step, if AAA clients are configured properly, those that usually use the primary ACS fail over to another ACS. The primary ACS resumes its authentication service.
    After the preceding events on the primary ACS, the database replication process continues on the secondary ACS. The secondary ACS stops its authentication service and replaces its database components with the database components that it received from the primary ACS. During this step, if AAA clients are configured properly, those that usually use the secondary ACS fail over to another ACS. The secondary ACS resumes its authentication service.
    HTH
    Regards,
    JK
    Plz rate helpful posts-

  • ACS Database Replica

    Dear All,
    I could not find the second ACS in my Replication Partners, while I'm trying to add from
    Database-Replication

    Did you manually add the primary ACS server on the secondary ACS in network configuration?
    On Primary you need to add secondary and vice versa.
    Regards,
    ~JG
    Do rate helpful posts

  • Configuring ACS (windows) primary on new server

    We have primary and secondary ACS servers. Suddenly replication between primary and secondary is not happening. I am unable to troubleshoot this, so we have decided to install and configure ACS freshly. But almost 350 devices are configured in network device groups. Reconfiguring the entire network database is difficult and time consuming.
    Is there any method to copy the NDGs to the new server?
    Help will be greatly appreciated.

    Can be done via RDBMS,
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/SCAdv.html#wp756877
    Let me know if you have any question.
    Regards,
    ~JG
    Do rate helpful posts

  • ACS load balancing

    If I have CSS and I want to load balance between 2 ACS, do I have to make one of them active and the second backup, or can I load balance between both servers?
    If yes, will this not affect the authentication and database?
    If there is any article it will be even better.

    Hi,
    Cisco ACS has a replication feature that allows you to have more than one (1) ACS servers/appliances to provide high-availability/ redundancy. In this case, you will have one primary and more than one secondary (backup) servers.
    The database replication creates mirror systems of ACSs by duplicating parts of the primary ACS setup to one or more secondary ACSs. Without load-balancer, you need to add both primary and secondary ACSs in all AAA clients as backup if the primary ACS fails or is unreachable. With a secondary ACS whose ACS internal database is a replica of the ACS internal database on the primary ACS, if the primary ACS goes out of service, incoming requests are authenticated without network downtime, provided that your AAA clients are configured to fail over to the secondary ACS.
    The following url provides you with details on how the ACS replication is performed:
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs40/user/sad.htm#wp756102
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs40/user/index.htm
    I am not sure about load-balancing two ACSs, but you probably can try this. Behind a load-balancer, maintain the primary/secondary server setup to enable replication (selected items only) from primary to secondary ACS. But pls bear in mind, in replication, only the Primary ACS can send update to backup server, not bidirectional. Backup/secondary ACS can only receive updates. Use the replication features as an update tool between the servers. All changes/updates must be made in your primary ACS only.
    In normal ACS replication, all AAA clients need to specify primary and secondary ACS server as backup. With load-balancer, only one (1) IP is required, which is the virtual IP assigned by load-balancer to represent the two ACSs.
    Rgds,
    AK

  • Two ACS4.0 box using win- can connect with cross over cable

    Hi
    We have 2 ACS4.0 boxes. Internal replication is happening from ACS1 (prim) to ACS2 (sec) but not from ACS2 to ACS1. Why?
    Also I need 1 suggestion: whether we can connect 2 ACS boxes through a cross cable for sync.
    At present it is connected with 2 diff cores(ACS1 to core 1 & ACS2 to core2) and cores are interconnected.
    What is the normal practice.
    Regards
    Naga

    Hi Naga,
    The purpose of Replication in ACS is for the Primary Server to overwrite the secondary server's settings that you have chosen.
    This is by design: replication is meant to be one way and not bi-directional.
    "The Cisco Secure ACS Solution Engine supports the operation of only one Ethernet connector at a time. Concurrent operation of both Ethernet connectors is not supported."
    To get redundancy with any ACS, you need replication set up with TWO ACS; it is not possible to set up a NIC failover in the same chassis.
    Regards,
    Jagdeep

  • RDBMS Synchronization

    The user guide for ACS for Windows ver4.0 states that Cisco ACS can use RDBMS to synchronize its database with a third party RDBMS system and only one primary ACS server needs to interact with the third party system and the other ACSs in the network can be updated by this primary ACS using RDBMS synchronization.
    However, like many other features that are supposed to work (e.g. domain stripping for MS AD) this too does not seem to work and there is no detailed documentation on how it actually does it.
    The procedure stated in user guide fails and there are gaps in the documentation.
    Can someone refer to any documentation other than the User Guide for instructions/details of this functionality?
    Thanks in advance.

    I think the easiest solution is to have a single ACS that is populated via RDBMS Sync. This ACS becomes the replication "master" that then pushes its config down to a set of "slaves".
    That is the easiest method but replication is a destructive write onto the slave - so you may choose not to do this.
    An alternative is to use the Sync Partners config (part of RDBMS Sync) which attempts to process actions in the sync table on multiple ACSs. For this to work you need the "other" ACSs to have the RDBMS Sync'ing ACS server in their network config db.
    You need to make sure that ACS can write to the transaction table too (note CSV datasources no good) in case one of the other ACSs is down.
    If you're having problems check the rdbms sync CSV & service log on the "master" ACS and the csauth service log on the "slave" for errors.
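
The replication log messages quoted in the threads above can be triaged mechanically. The following is an added example, not code from any poster or from Cisco: it assumes the `date time host LEVEL message` layout seen in the quoted log excerpt, and the host names and sample lines are constructed.

```python
import re
from collections import defaultdict

# Layout assumed from the log excerpt quoted in the thread:
#   MM/DD/YYYY HH:MM:SS <host> <LEVEL> <message>
LINE_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (\S+) ([A-Z]+) (.*)$")

# Message fragments quoted in the threads (lower-cased), each paired with
# the check the thread points to for that symptom.
HINTS = [
    ("shared secret mismatch", "compare the key on both AAA server entries"),
    ("running a different version", "confirm identical ACS version and build"),
    ("has denied replication request", "read the receiver's log for the denial reason"),
    ("short time-out or dead", "review replication timeout and partner reachability"),
]

def triage(lines):
    """Return (findings, unfinished) for an iterable of replication log lines.

    findings   : list of (timestamp, host, hint) for every ERROR line
    unfinished : {host: cycles that logged a start but no completion}
    """
    findings = []
    starts, done = defaultdict(int), defaultdict(int)
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip blank or unparseable lines
        stamp, host, level, msg = m.groups()
        low = msg.lower()
        if "replication cycle starting" in low:
            starts[host] += 1
        elif "replication cycle completed" in low:
            done[host] += 1
        if level == "ERROR":
            hint = next((h for frag, h in HINTS if frag in low),
                        "unrecognised error, review manually")
            findings.append((stamp, host, hint))
    unfinished = {h: starts[h] - done[h] for h in starts if starts[h] > done[h]}
    return findings, unfinished

# Constructed sample; ACS-PRI and ACS-SEC are hypothetical host names.
SAMPLE = """\
01/04/2012 23:19:16 ACS-PRI INFO Outbound replication cycle starting...
01/04/2012 23:19:40 ACS-PRI ERROR ACS 'ACS-SEC' has denied replication request
01/04/2012 23:19:39 ACS-SEC ERROR Inbound database replication from ACS 'ACS-PRI' denied - shared secret mismatch
01/04/2012 23:29:51 ACS-PRI INFO Outbound replication cycle starting...
01/04/2012 23:30:30 ACS-PRI INFO Replication cycle completed successfully
01/04/2012 23:40:25 ACS-PRI INFO Outbound replication cycle starting...
""".splitlines()

if __name__ == "__main__":
    found, open_cycles = triage(SAMPLE)
    for stamp, host, hint in found:
        print(f"{stamp} {host}: {hint}")
    print("cycles without completion:", open_cycles)
```

A start with no matching completion is the pattern two of the posters report; pairing it with the receiver's ERROR lines shows whether the cycle was refused or simply never acknowledged.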
