ACS 4.2 sybase issue

Hi All
I am currently have issue's with the SQL on a Windows ACS server 4.2. the error message is:
AUTH 24/01/2012 11:13:03 E 0092 2732 0x0 ODBC Operation faild with the following information: Message=[Sybase][ODBC Driver][Adaptive Server Anywhere]Specified database file already in use, SqlState=08001, NativeError=-816
The server has been rebooted and tried to start the services manully all to no avail.
Any help much appreciated
Regards Craig

Hi All,
The error code was "Internal error"
Thanks

Similar Messages

  • ACS 5.0 having issues with different subnet AAA Clients

    Dear All,
    I am getting weird issue. My ACS 5.0 is in subnet 10.1.1.0/24. All the AAA clients which are in the same subnet can communicate with the ACS but different subnet cannot.
    I have checked the firewall between them, Its allow any any with all services.
    One more thing I have faced today is that now from only one switch (10.1.2.10) can access ACS but switches in the same subnet (10.1.2.0/24) cant access ACS as same previous issue.
    Following are the logs of one switch(10.1.2.10) in different subnet can access ACS :
    Working Switch with Same configuration:
    SW-A#test aaa group tacacs+ test cisco legacy
    Attempting authentication test to server-group tacacs+ using tacacs+
    User was successfully authenticated.
    SW-A#
    *Nov 17 00:05:52.041: AAA: parse name=<no string> idb type=-1 tty=-1
    *Nov 17 00:05:52.041: AAA/MEMORY: create_user (0x1B1FD04) user='test' ruser='NULL' ds0=0 port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
    *Nov 17 00:05:52.041: TAC+: send AUTHEN/START packet ver=192 id=3237327729
    *Nov 17 00:05:52.041: TAC+: Using default tacacs server-group "tacacs+" list.
    *Nov 17 00:05:52.041: TAC+: Opening TCP/IP to 10.1.1.2/49 timeout=5
    *Nov 17 00:05:52.041: TAC+: Opened TCP/IP handle 0x1B44D48 to 10.1.1.2/49
    *Nov 17 00:05:52.041: TAC+: 10.1.1.2 (3237327729) AUTHEN/START/LOGIN/ASCII queued
    SW-A#
    *Nov 17 00:05:52.243: TAC+: (3237327729) AUTHEN/START/LOGIN/ASCII processed
    *Nov 17 00:05:52.243: TAC+: ver=192 id=3237327729 received AUTHEN status = GETPASS
    *Nov 17 00:05:52.243: TAC+: send AUTHEN/CONT packet id=3237327729
    *Nov 17 00:05:52.243: TAC+: 10.1.1.2 (3237327729) AUTHEN/CONT queued
    *Nov 17 00:05:52.444: TAC+: (3237327729) AUTHEN/CONT processed
    *Nov 17 00:05:52.444: TAC+: ver=192 id=3237327729 received AUTHEN status = PASS
    *Nov 17 00:05:52.444: AAA/MEMORY: free_user (0x1B1FD04) user='test' ruser='NULL' port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 vrf= (id=0)
    Logs from the same subnet switch (10.1.2.20) which cannot access ACS:
    SW-B#test aaa group tacacs+ test cisco legacy
    Attempting authentication test to server-group tacacs+ using tacacs+
    No authoritative response from any server.
    SW-B#
    *Oct 20 00:54:12.834: AAA: parse name=<no string> idb type=-1 tty=-1
    *Oct 20 00:54:12.842: AAA/MEMORY: create_user (0x1A6F3F0) user='test' ruser='NULL' ds0=0 port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
    *Oct 20 00:54:12.842: TAC+: send AUTHEN/START packet ver=192 id=3281146755
    *Oct 20 00:54:12.842: TAC+: Using default tacacs server-group "tacacs+" list.
    *Oct 20 00:54:12.842: TAC+: Opening TCP/IP to 10.1.1.2/49 timeout=5
    *Oct 20 00:54:12.842: TAC+: Opened TCP/IP handle 0x1B1E888 to 10.1.1.2/49
    *Oct 20 00:54:12.842: TAC+: 10.1.1.2 (3281146755) AUTHEN/START/LOGIN/ASCII queued
    SW-B#
    *Oct 20 00:54:12.943: TAC+: (3281146755) AUTHEN/START/LOGIN/ASCII processed
    *Oct 20 00:54:12.943: TAC+: received bad AUTHEN packet: type = 0, expected 1
    *Oct 20 00:54:12.943: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys).
    *Oct 20 00:54:12.943: TAC+: Closing TCP/IP 0x1B1E888 connection to 10.1.1.2/49
    *Oct 20 00:54:12.943: TAC+: Using default tacacs server-group "tacacs+" list.
    *Oct 20 00:54:12.943: AAA/MEMORY: free_user (0x1A6F3F0) user='test' ruser='NULL' port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 vrf= (id=0)
    Waiting for your responses.
    Regards,
    Anser

    Ok, cool,
    So this usually means that the switch is sourcing the requests from a difernet interface that is configured on the ACS.
    I would guess that the ACS is reporting unknown NAS...
    Can you please use the "ip tacacs source-interface" command to make sure the switch will source the Tacacs+ packets from the interface with the IP address for which you have the ACS configured to?
    HTH,
    Tiago
    If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

  • ACS database reporting permissions issue

    Hi,
    I have an issue with my testing of the ACS reporting in two test environments (SCOM 2012 SP1). One has SQL installed on the same server as the MS and the other is a separate SQL install on its own server with multiple MS’s. On both SQL servers
    the ACS database is running on the same server as the other SCOM databases under an instance called SCOM. When we go live the intention is to run on a separate SQL server so not sure if this would still be relevant at that point.
    First off all my normal reports are running fine from the console and from SQL reporting services. My understanding is that the reports are running under different contexts at this point – the web reporting with the account I am logged in
    with and from within SCOM console trying to use the data reader account.
     When trying from the web reporting services or SCOM console I get -
    “An error has occurred during report processing. (rsProcessingAborted)
    Cannot create a connection to data source 'dataSource1'. (rsErrorOpeningConnection)
    A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote
    connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server)”
    With regard to the account I am using for the web reporting. It’s a domain admin account. However what I also did was create a global security group called “SCOMACS” and gave this group “db_datareader” permissions within SQL.
    I also gave the data reader service account permissions to see if this fixed the issue from the console.
    Wonder if anyone could help?

    Hi,
    This seems more like a SQL issue, please make sure your database engine is configured to accept remote connections
    • Start > All Programs > SQL Server 2005 > Configuration Tools > SQL Server Surface Area Configuration • Click on Surface Area Configuration for Services and Connections • Select the instance that is having a problem > Database Engine >
    Remote Connections • Enable local and remote connections • Restart instance 
    Please go through the below blog to troubleshoot this issue:
    Named Pipes Provider, error: 40 - Could not open a connection to SQL Server
    http://blogs.msdn.com/b/sql_protocols/archive/2007/03/31/named-pipes-provider-error-40-could-not-open-a-connection-to-sql-server.aspx
    SQL SERVER – FIX : ERROR : (provider: Named Pipes Provider, error: 40 – Could not open a connection to SQL Server) (Microsoft SQL Server, Error: )http://blog.sqlauthority.com/2009/05/21/sql-server-fix-error-provider-named-pipes-provider-error-40-could-not-open-a-connection-to-sql-server-microsoft-sql-server-error/
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    Hope this helps.
    Regards,
    Yan Li
    Regards, Yan Li

  • ACS 5.2 reporting issue

    Dear,
    Concerning the user field (and other too), is it possible to use some sort of wildcard ?
    I am having a hard time making reports for several users, for example :
    I want to make a "radius session history" report for all PC's starting with host/PO1212
    how do I do this ? I can't imagine this isn't possible in ACS.
    Lieven Stubbe
    Belgian railways

    Hi,
    We have been testing wireless telephony with Ascom i62 wireless handsets using EAP-TLS. Initial dot1x authentication is successful. Reauthentication sometimes fail on Cisco ACS Version 5.2.0.26.5
    The same error mesage was displayed.
    22047 Principal username attribute is missing in client certificate
    Only rebooting the phone fixes this issue.
    Are we hitting bug CSCtn26538 ?
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtn26538&from=summary
    Best regards,
    Peter

  • LMS 3.2 and ACS 5.1 authentication issues

    Hi all,
    Installed LMS 3.2 (running Common Services 3.3.0) and i'm having problems authenticating. I get the error :-
    -Tacacs+ Connectivity - Reachable
    -HTTP/HTTPS Connectivity - Not Reachable...Protocol mismatch detected.
    AAA client - Not Applicable
    Secret Key Verification - Not Applicable
    System Identity User - Not Applicable
    Note Verification failed for ACS server. Please check your settings.
    Ive tried both http and https with the same result. Now i understand that integration as we know it is no longer supported but still having issues with authentication which should work. See links to other threads below. Any suggestions welcome.
    Regards
    https://supportforums.cisco.com/message/675371#675371
    https://supportforums.cisco.com/message/3106459

    LMS cannot integrate with ACS 5.x.  You must set the AAA mode to local, then you can configure the TACACS+ login module to do authentication only with the ACS 5.x server.  This will not get you customer roles nor device level access, but you can at least centralize your user credentials on the ACS server.

  • ACS 5.2 Authentication Issue with Local & Global ADs

    Hi I am facing authentication issue with ACS 5.2. Below is AAA flow (EAP-TLS),
    - Wireless Users >> Cisco WLC >> ADs <-- everything OK
    - Wireless Users >> Cisco WLC >> ACS 5.2 >> ADs <-- problem
    Last time I tested with ACS, it worked but didn't do migration as there'll be changes from ADs.
    Now my customer wants ACS migration by creating new Group in AD, I also update ACS config.
    For the user from the old group, authentication is ok.
    For the user from the new group, authentication fails. With subject not found error, showing the user is from the old group.
    Seems like ACS is querying from old records (own cache or database). Already restared the ACS but still the same error.
    Can anyone advice to troubleshoot the issue?
    Note: My customer can only access their local ADs (trusted by Global ADs). Local ADs & ACS are in the same network, ACS should go to local AD first.
    How can we check or make sure it?
    Thanks ahead,
    Ye

    Hello,
    There is an enhacement request open already:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCte92062
    ACS should be able to query only desired DCs
    Symptom:
    Currently on 5.0 and 5.1, the ACS queries the  DNS with the domain, in order to get a list of all the DCs in the domain  and then tries to communicate with all of them.If the connection to even one DC fails, then the ACS connection to the domain is declared as failed.A lot of customers are asking for a change on this behavior.
    It  should be possible to define which DCs to contact and/or make ACS to  interpret  DNS Resource Records Registered by the Active Directory  Domain Controller to facilitate the location of domain controllers.  Active Directory uses service locator, or SRV, records. An SRV record is  a new type of DNS record described in RFC 2782, and is used to identify  services located on a Transmission Control Protocol/Internet Protocol  (TCP/IP) network.
    Conditions:
    Domain with multiple DCs were some are not accessible from the ACS due to security/geographic constraints.
    Workaround:
    Make sure ALL DCs are UP and reachable from the ACS.
    At the moment, we cannot determine which Domain Controller on the AD the ACS will contact. The enhacement request will include a feature on which we can specify the appropriate the Domain Controllers the ACS should contact on a AD Domain.
    Hope this clarifies it.
    Regards.

  • ACS 4.2 replication issue

    We recently upgraded to ACS 4.2. All works perfectly except for replication. I now receive an error
    ACS Internal Database Replication Errors
    1.To disable receiving of EAP-FAST replication component, "EAP-FAST master server" must be enabled on "Global Authentication Setup" page
    We are not using EAP-FAST and it doen't appear to be enabled. EAP-FAST is not checked to replicate.

    I looked at that when I first got the issue. It saya that the server is Master. If I tick the box nothing changes and when I go back to that "Global Authentication" page the box is no longer ticked. The issue is the same on both the Primary Server and the Backup Server.

  • ACS SAN EAP-TLS Issue

    Hi,
    we have an issue with eap-tls authentication with SAN (Subject Alternate Name). The authentication uses the CN instead of SAN.
    Our enviroment is so build:
    1 LWAPP Cisco AP
    1 WLC & 1 WCS
    1 ACS (4.2.(1) Build 15 Patch 3)
    1 CA (Certification Authority enTrust)
    1 Windows 8.1 Client
    The ACS global authentication configuration is attacched to the discussion.
    The ACS certification is loaded correctly and the CA is trusted.
    On the client the user certificate is correctly loaded.
    In the Failed Attempts I can found in the username field the CN of user's certificate but i cannot see the SAN.
    Thanks in advance

    It should not happen, Please check the error codes from here
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1.3/troubleshooting/guide/ecodes.html

  • ACE ACS TACACS+ Key Mismatch issue

    Goodday,
    I have an issue when trying to setup ACE Modules for TACACS+ and AAA autentication whereby the Failed Authentication reports, state the reason as "Key Mismath".
    We have confirmed that the key we are using is the same on the ACE and on the ACS.
    The question I have is as follows:
    Should the key we enter on the ACE remain as we have typed it, so if we enter mysharedkey as the key should this show as such in the running config or should it show as encrypted? Currently it shows in the running as we have entered it but just adds the 7 before the key and places the key in inverted commas.
    So config entered something like this:
    tacacs-server host 10.10.10.10 key mysharedkey
    aaa group server tacacs+ acs_pri
    server 10.10.10.10
    aaa authentication login default group acs_pri local none
    BTW, we are running version 2.1.4(a).
    Thanks for any assitance with this.
    Paul

    Hi Kevin,
    Thanks for the reply. I can confirm we have the "ssh key rsa 1024 force". I even tried removing and re-issueing the command.
    On the point of the show run revealing the something encrypted instead of the actual TACACS key, this is not what we see, we see the actual key we entred.
    This is my concern.
    We managed to get his working by checking on the production ACE modules and production ACS, using the "encryped" key we see in that "show run" and locating the key in the production ACS config (which was not under the ACE NDG, but under the ACS server itself's config, which also looks like something encrypted) and using this in the NDG config as the key for our ACE NDG on the test ACS.
    The problem arises that every six months or so, securiy requirement, the keys change, and how will we then know what to apply on the ACE if it does not apply the encyption of the key we enter itself.
    See my problem...
    Thanks again for the assistance and any further guidance would be appreciated.
    Paul.

  • ACS PROBLEM FOR CERTIFICATE ISSUE

    Hi all
    I have an ACS(Access controller server)installed for PEAP authentication.I have installed in 5 different location.But sometimes we need to install the certificate again.Then only it start
    working.Some ACS will work properly.What could be the reason.Did any one faced this problem.

    Did you happen to install patches on the server? I seen this issue when patches get installed...

  • ACS server migration AD issue.

    AD issues while migrating from cisco ACS 4.x to 5.x? AD base authentication failure

    Hello Pratik-
    A few questions:
    1. Did you disconnect the old server to make sure that there are no conflicts?
    2. Did you clear the arp-cache on your layer 3 device to ensure that the new IP-to-MAC entry is in the arp table
    3. Did you join the new ACS server to AD?
    4. What does the authentication logs show in ACS for the filed AD authentications
    5. Post the output of the "show authentication session interface interface_name_number" of the interface with the failing dot1x authentication
    Thank you for rating helpful posts!

  • Configuring ASA w/8.2(1) to work with ACS 3.3- enable issues.

    Hello all-
    Having an issue with the ASA devices. Here is the relevant part of the configuration:
    <aaa commands>
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ (outside) host <host ip>
    key <key>
    aaa-server TACACS+ (outside) host <host2 ip>
    key <key>
    aaa authentication ssh console TACACS+ LOCAL
    aaa authentication enable console LOCAL
    aaa authentication serial console LOCAL
    aaa authentication http console TACACS+ LOCAL
    aaa authorization command TACACS+
    The problem is that when we put the devices into the server database, we can use our TACACS+ accounts, but it only lets us into privilege level 1 and does not allow us to go to enable mode at all.
    When we remove the devices from the server (thus attempting to fall back to local authentication) we can get in and into enable using the local admin password, but we can't do anything from the enable mode with out getting the 'command authorization failed' message.
    We have tried to go into the user definition on the ACS (v3.3) server and set the max privilege to 15, but it doesn't seem to have any affect.
    Does anybody have any idea of what is happening?

    well well , i guess you are getting the lovely enable 15 user account on ACS failed attempts for failed authorization.
    so cool ha:)
    It is the ASA trying to force the authorization using that lovely account , what you need to overcome that is having the enable authentication done against the ACS itself.
    By adding the following command on the ASA:
    aaa authentication login console TACACS+ local
    on the ACS make sure that enable password authentication is enabled for the user.
    There you have three options: either you use the same PAP password or spearate one or if you are trying with user
    defined on external db with that user password on the external db.
    Please Don't Forget to rate correct answers

  • ACS to ISE config issues

    Hi,
    Im trying to migrate VPNS from ACS to ISE but i cannot quite get used to the ISE.
    Below is a picture of my Authentication rule id like replicating on ISE but so far i have had no joy. Any points would be greatly received.
    If the network source IP is trusted Rule 1 is hit and ISS is just use AD
    If the network source IP is untrusted Rule 2 is hit and ISS is just use OTP Then AD
    Im not 100% on the authorisation aspect either.
    I think im want something along the lines of Ad:Group/x/x/x/x and TunnelGroup xxx = Permit/Apply ACL else Deny
    I can pass authentiation from the ASA to ISE, one thing i have noticed in the aaa report, in the AV pairs the tunnel group name is not listed.
    Many thanks in advance
    S

    Hi
    FYI
    Cisco Secure ACS and Cisco ISE exist on different hardware platforms and have  different operating systems, databases, and information models. Therefore, you  cannot perform a standard upgrade from Cisco Secure ACS to Cisco ISE. Instead,  the Cisco Secure ACS to Cisco ISE Migration Tool reads data from Cisco Secure  ACS and creates corresponding data in Cisco ISE.
    For migrating the policies, and all other information, please visit the following link particularly the chapter 3,4,5:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/migration_guide/ise_migration_guide/ise_mig_preface.html

  • Cisco ACS Rouge IP Address issue

    we have had rogue IP 192.168.0.1 used for quite a while, I traced it through MAC tables to the ACS. Only one connection (cable) is used that is already using 192.168.0.35 like it should be but also using 19.168.0.1.
    Have confirmed by failing to ping 192.168.0.1 with ACS unplugged. Rogue IP address is not listed anywhere in the GUI, must be on CLI somewhere. I do not have access to CLI or what could be an issue

    Hi teymur,
    I am assuming that you are working with ACS 5.5 version. Please go through the following link that will cover all the information regarding step by step configuration of Backup deployment and licensing in ACS 5.5.
    http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-5/user/guide/acsuserguide/viewer_sys_ops.html#wp1052728

  • Issue with changing Access Service in ACS 5.2

    Hi,
    I am working on lab setup where I installed ACS 5.2 I created new access service and used it in existing service selection rule (Rule-2) earlier but it didn't work. Later I created new service selection rule and applied new service access rule. However even after this change it keeps applying predefined default access access service. Please refer attached picture for better understanding.
    As shown, I want Aks-Rule to work and apply service 'Lab-Policy' however it keeps referring Rule-2 and applies 'Default Device Admin' access service even after I disable it. 
    I have to restart ACS service from CLI console to make it work. Is this a bug or am I missing anything. Please advise guys.
    Regards,
    Akshay

    Since the policy AKS is top in sequence under service selection rule so it should hit for sure. As you wrote that even after disabling the default device admin, then also request is hitting the same and restarting the ACS services resolved the issue. The symptoms of your issue are exactly same as stated in this defect.
    CSCuo93378    Certain browsers cause ACS database corruption
    Due to this issue we have seen cases where request hits the disable and default policies without any reason. Actually accessing ACS via chrome mess around with all the operators in conditions.
    The only workaround is to access all the rules and conditions in supported browser. Ensure all the operators are correct, save the changes and restart the ACS services.
    The issue seems to be fixed in ACS 5.5 patch 5
    Regards,
    Jatin

Maybe you are looking for

  • Error in Boot strap

    Hi all, I am getting this error , I am clearing all my event viewer , but still am not able to get into database engine and ssas. Kindly help me . Overall summary:   Final result:                  Failed: see details below   Exit code (Decimal):     

  • Failing to create new SQL farm with FSconfig.exe for ADFS federation Services on an Azure SQL

    I'm building ADFS in Azure. My plan is to use the Azure SQL. The problem is that FSconfig seams not to work with Azure SQL. Here's what i did untill now: - I followed the documentation and created a new login and user (adfslogin, adfsuser) in a new "

  • Payload Factory for ADT

    oracle.jms.AQjmsException: JMS-137: Payload factory must be specified for destinations with ADT payloads I get this exception when i try to create the receiver with : session.createReceiver(inQueue) Where can i get the Payload Factory for ADT? thanks

  • I can't find my country in facetime or imessages?

    hello i have an ipod touch 4 i open facetime and imessages i sign in , then it tells me to choose a country or region but i can't find my country please help thank you

  • Read large binary file

    How would you read a large binary file into memory please? I had a thought about creating a Byte Array on the fly, however you cannot createa byte array with a long so what happens when you reach the maximum value an integer can store?