ACS 5.3 connected to AD

  So we have this problem that just started, I can replicate the issue as well, if a user makes a mistake on typing there password after 1 attempt ACS sends 3 to AD locking out the user.
  In a putty or secureCRT session after 1 password failed attempt, I am unable to retry with that same session. Any thought suggestions.
  The issue seems to be that after 1 bad password attempt, from the client side I am unable to get another try.
Jeff                  

HI Jeff,
We have a bug filed for this issue and it is fixed in 5.3.patch 3
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?caller=pluginredirector&method=fetchBugDetails&bugId=CSCtz03211
Regards,
~JG
Do rate helpful posts

Similar Messages

  • SCOM 2012 ACS agent Failed connecting to collector

    Hi,
    We are using SCOM 2012 on Windows 2012, when installing the SCOM agent with Audit Collection Services the ACS forwarder will report in as healthy until reboot, after reboot the forwarder state changes to failed to connect to collector. (XXX's are redacted
    system information).
    Forwarder unsuccessfully tried to connect to the following collector(s): XXXXXXXX:51909, status: 0x80090322 (TCP connect), source: registry addresses tried: XXX.XXX.XXX.XXX:51909 If the list of collectors is blank, then AdtAgent was unable to locate a collector.
    Common reasons for this message are: The machine(s) listed is not online AdtServer is not running on the machine(s) listed AdtServer on the machine(s) listed is not listening on the specified port TCP connectivity to the AdtServer machine is blocked by firewall,
    IPSec, or other filtering mechanism AdtServer on the machine(s) listed actively refused the connection (due to policy or current activity load) For detailed failure information, enable trace logging using the TraceFlags registry key and examine the AdtAgent.log
    in the \temp subdirectory of the Windows directory.
    Enabling trace logging repeats the same error, unable to connect to server. We have verified, the IP is correct, the FQDN is correct and has a forward and reverse lookup record. We have also verified via telnet that port 51909 is open in both directions.
    Any help would be appreciated.

    If you are 100% sure port 51909 is open at Collector's side (you don't need to open it on ACS forwarder) and there's no additional firewall somewhere at the middle use wireshark and capture what's going on. 
    --- Jeff (Netwrix)

  • Primary Cisco ACS - Invalid Administration Connection

    Is it possible to change Access Policy from command line?

    Access policy can't be modified from CLI. This could be computer specific issue. Have you tried accessing ACS GUI page from different machines?
    If its machine specific issue then you may check few things
    If we are using Proxy server then make sure that the proxy server's ip address is allowed, check the proxy server settings from:
    Pull up a web browser > Tools > Internet Option > Connections > LAN Settings
    Make sure that we have JAVA installed, and also go to Control Pannel > choose JAVA> Network Settings > And make sure its using browser settings.
    Also, if its working from other machines, I would suggest you to use the HTTP port allocation feature to configure the range of TCP ports
    that ACS uses for administrative HTTP sessions.
    HTTP Port Allocation for Administrative Sessions:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/Overvw.html#wp821288
    Regrads,
    JK
    Plz rate helpful posts-

  • ACS - Invalid Administration Connection

    I'm having a problem logging on to my ACS gui, I get the message above. No changes have been made to my system or the ACS since it was working last week. It's not that I am coming from an invalid IP address, as we have not set this to filter by IP. Nor is it that we use a proxy server.
    I have tried other browsers but that also doesn't work.
    Any ideas?

    For issue on 5.1,I suggest you try the following commands from the CLI to see if they can help:
    acs-config (then login with ACS administrator username and password)
    access-setting accept-all     /// opens up all IPs for web access
    If this still doesn't work can also try the following command:
    reset-management-interface-certificate
    BTW, before you saw this problem did you make any changes to access settings (
    System Administration > ... >
    Administrators >
    Settings >
    Access) or the server certificate assigned for management access

  • Linksys WAP54G connecting to CISCO ACS via LEAP

    I understand that Linksys WAP54G support WPA and 802.1x authentication. Will a cisco compatible client card get connected to the WAP54G via LEAP authentication to a Cisco ACS server ?
    Connection scenario:-
    Cisco compatible client card <-WPA/LEAP-> WAP54G <-WPA/LEAP-> Cisco ACS3.1
    Pls advise if such setting is feasible.
    Tks

    This is really a question for Linksys support. The Cisco wireless BU has no involvement with the Linksy's product line. They operate as a totally separate wholly own subsidiary of Cisco.
    As for LEAP, no, to my knowledge the Linksys AP does not support LEAP, which is not tested or part of the WPA certification program. To my knowledge the ONLY APs that support LEAP are Cisco Aironet APs.
    If the Linksys supports WPA-Enterprise, then any client that supports WPA-Enterprise should work using EAP-TLS. The Cisco ACS server supports EAP-TLS.
    One word of caution. Early CCX cards do not necessarily support WPA. The CCX specification and certification were out before WPA was released. You will need to check with the actual vendor of the card to verify WPA compatibility.;
    Also there are two types of WPA. WPA-Personal, which supports only the WPA encryption, and the keys are handles by a Pre-shared Key input system (no radius server) and WPA-Enterprise, which is certified using WPA encryption an 802.1x EAP-TLS radius server (in fact using Microsoft and Funk Software servers). make sure that the Linksys supports WPA-enterprise, or it may not support 802.1x.
    Bruce Alexander, Cisco

  • ACS database connectivity

    Dear Sir
    I have planned to connect my ACS server to external database (oracle 10g) in order to perform this case would you please let me know how I would be able to connect ACS to oracle. It is considerable to say that I have read some Cisco document about this case but still there is some problem. I would be happy if you let me know your comment.
    With best regards
    Hamed yazdi

    Dear Sir
    Billion thanks for your kind reply. Whatever you have mentioned I did, and at the moment my ACS server can connect to my Oracle server but there is another question which I want to create a table which conation username and password of those who want connect to the network via ACS but I do not know which name I should assign to the table and where I should defined to ACS which check the username and password. In other word how should I define to ASC that which table it should check in order to recognise the users has permission or no. I would be happy if you let me know your comment.
    With best regards
    Hamed yazdi

  • ASA 9.1 + ACS 5.4 SSL Web Portal Bookmarks according to AD Group.

    Hello.
    Have some issues, with ssl vpn on ASA 5515-X.
    I have ASA (9.1) connected to the  ACS (5.4) and configured anyconnect mobile client and clientless ssl web portal. ACS also have connection to Active Directory.
    So it's configured that AD users from group, for example, VPN_clients could connect via anyconnect client or without client via SSL web page. And it's working fine.
    My goal is that to make different SSL portal bookmarks (in terms of ASA different Group Polices) according to AD user group.
    For example: I have 3 groups in AD: VPN_admin, VPN_Finance, VPN_Logistic. I want that users from these group after authentication at SSL web portal would see only their own bookmarks available only for their group.
    As i inderstand after authentication process ACS must answer to ASA which AD groups the user consist of and ASA must choose the right group policy for the user, but i have no experience how to make this?

    Hello Ivan,
    You are right, ACS can let the ASA know which group-policy should assign based on the RADIUS attribute 25.
    Steps on ACS:
    1- Defined AD groups:
    2- Define the authorization profile under the Policy Elements tab:
    3- Create the Authorization policy and access criteria:
    Then, on the ASA:
    1- Create a group-policy and name it it.
    2- Through the ASDM, create and assign the bookmarks to this group-policy.
    3- Once a user authenticates, the ACS sends the attribute 25, which contains the string "ou=it".
    4- The ASA looks for the group-policy it and assigns it to the user's session.
    Let me know if you have any questions.
    HTH.
    Please rate any helpful posts.

  • ASA to ACS: how to distinguish different authentication methods?

    I have SSL VPN Clients connecting to an ASA 5520 using RADIUS to a backend Cisco ACS. I want to support two authentication options for the clients. The first is a certificate combined with an Active Directory username & password. The second is a token-name & one-time-password.
    Setting these two authentication methods up on the ASA is no problem ... I can configure user selectable connection profiles that have the wanted authentication settings. The ACS can handle both the AD and token credentials.
    Here's the problem. I need to be able to distinguish on the ACS if a connection request was certificate authenticated or not. I don't want users choosing to do a token/OTP connection and then entering in their AD credentials instead. the ACS won't know that this AD authentication request wasn't properly combined with a certificate.
    I've used NAR settings in the past to control what user databases an AAA client can authentication against, however, if the two authentication methods are coming from the same AAA client (the ASA), what can I do?

    I guess this should be possible with a feature called NAP,( network access profiles). Here you can define which database to use for any specific request. We can filter request on the basis of attributes sent in the authentication request.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/NAPs.html
    Regards,
    ~JG

  • ACS 4.1 cannot set IP

    i have reset the ACS Appliance, after that i cannot set the IP address. it return error when i try to set the IP address. any solution?

    Hi There,
    In order to resolve this issue, make sure that Cisco Secure ACS Solution Engine (ACS SE) is connected to a Ethernet connection that works before you set or change the IP address of your ACS SE.
    Complete these steps in order to reconfigure the IP:
    1. Log in to the ACS SE. Refer to the Logging In to the Solution Engine From a Serial Console section of Administering Cisco Secure ACS Solution Engine for more information.
    http://www.cisco.com/en/US/customer/products/sw/secursw/ps5338/products_installation_guide_chapter09186a008070c61b.html#wp1042941
    2. Type set ip, and then press Enter.
    3. At the Use Static IP Address [Y]: prompt, type Y for yes or N for No, and then press Enter.
    4. If you answered No to the use of a static IP address, the system displays a confirmation of DHCP and the message IP Address is reconfigured. Continue the procedure with step 5.
    If you responded Yes in the previous step to use a static IP address:
    1. In order to specify the ACS SE IP address, at the IP Address [xx.xx.xx.xx]: prompt, type the IP address, and then press Enter.
    2. At the Subnet Mask [xx.xx.xx.xx]: prompt, type the subnet mask, and then press Enter.
    3. At the Default Gateway [xx.xx.xx.xx]: prompt, type the default gateway, and then press Enter.
    4. At the DNS Servers [xx.xx.xx.xx]: prompt, type the address of any DNS servers you intend to use (separate each by a single space), and then press Enter.
    Result: The system displays the new configuration information and the message:
    IP Address is reconfigured.
    5. Review the information presented and, at the Confirm the changes? [Y]: prompt, press Enter.
    Result: The ACS SE restarts. The system displays the message:
    New ip address is set.
    Refer to the Reconfiguring the Solution Engine IP Address section of Administering Cisco Secure ACS Solution Engine for more information.
    http://www.cisco.com/en/US/customer/products/sw/secursw/ps5338/products_installation_guide_chapter09186a008070c61b.html#wp1109621
    Hope this helps!
    Srinivas.

  • Acs se aaa server problem

    HI
    I have installed acs se for peap authenetication in a wireless network .
    however when i install the acs se it shows me 2 profiles (self and deliverance) after initial config in the aaa server window of network configuration .
    The name of the default server is delivernace and its ip is 169.x.x.x which is the default nic ip as u can check it out during the initial startup configuration.
    Pls help me to get this fixed

    Hi.
    The name of the ACS SE listed in AAA Server section is "self".
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/NetCfg.html#wp341780
    "In ACS SE, the name of the machine is listed as self."
    "deliverance1" is the default ACS SE name(hostname).
    Sometimes what happens is, even if we have ACS SE connected to Netowork during initial configuration. And we change the name of the ACS SE from "deliverance1" to something that we want. After changes has been made, on ACS SE, it comes back, and shows the ip 169.x.x.x associated with the new hostname.
    NOTE: I am considering that during initial configuration ACS SE was connected to network. If not, then this is supposed to happen.
    In order to correct this issue, follow following steps:
    [1] On ACS hardware/appliance go to,
    Reports and Activity > Appliance Status Page >
    From "NIC Configuration", copy the IP address of the ACS SE.
    Interface Configuration > Advanced Options > check "Distributed System Settings" > Submit.
    Network Configuration > under "AAA Servers" > Search > type the IP address of the ACS hardware/appliance > Search.
    Note down the "Name" against the Ip address of the ACS SE.
    Now go to, Network Configuration > under "Proxy Distribution Table" > (Default) > make sure that the name that appeared against the Ip address of the ACS Hardware/appliance is in "Forward To" Column, If it is not, move it , and move all other entries under "AAA Servers" column and press "Submit + Restart"
    And delete the entry from the AAA Server section, that is associated with IP address 169.x.x.x
    [2] Now, if you do not want the name that is shown in the Proxy Distribution Table, and want the one that is there in the section,
    System configuration > Appliance Configuration... Hostname section, associated with the correct IP address. Then do this,
    Establish Serial Console connection to ACS SE,
    Issue the command "set hostname " and then reboot the ACS SE by command, "reboot".
    [3] Once ACS SE is backup, go to, Network Configuration > under "Proxy Distribution Table" > (Default) > And make sure that the new name is in "Forward To" Column > Submit + Restart.
    Now, the correct IP address will be associated with the correct hostname.
    Regards.
    Prem

  • ACS HOW TO USE ADINFO

    Hello,
    I need to see which domain Controllers that the ACS is communicating With. I tried;
    XXXACS02/admin# acs troubleshoot adinfo --server
    This command is only for advanced troubleshooting and may incur a lot of network traffic
    Do you want to continue?  (yes/no) yes
    server1.domain.no
    The server1.domain.no is a server located at another location, so I don't think this is the primary server the ACS is talking to. Any other commands that would give the output?

    The server location would not matter if default AD and ACS AD configurations are used. Unless something has changed, ACS uses DNS to resolve all of the available domain controllers. You can use the following command to list all of the DCs that ACS is querying:
    acs troubleshoot adinfo --test
    Then you can use this command to see which one ACS is currently connected to:
    admin# acs troubleshoot adinfo -a
    This command will also give you the output of the "Preferred Site." You can use this field in your AD environment to control which DCs ACS is using. For more info check this link:
    http://blog.priveonlabs.com/sec_blog.php?title=acs-v5-should-be-able-to-query-only-desired-domain-controllers-active-directory-dns-workaround&more=1&c=1&tb=1&pb=1
    That link also contains a reference to an ACS defect (CSCte92062) that provides some ACS related confgs that you can use to restrict which DCs ACS is using. 
    I hope this helps!
    Thank you for rating helpful posts!

  • ACS command Authorization on PIX Console

    I have configured the pix firewall for ACS authentication and command authorization, everything is working fine
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ (inside) host 172.28.x.x x.x.x
    aaa-server TACACS+ (inside) host 172.28.x. xx
    aaa authentication ssh console TACACS+ LOCAL
    aaa authentication serial console LOCAL
    aaa authentication enable console TACACS+ LOCAL
    aaa authorization command TACACS+
    aaa accounting command privilege 15 TACACS+
    aaa accounting enable console TACACS+
    but porblem is that i dont wana have ACS authentication while connecting with console. In case of emergency when
    ACS down, i wana to get console and access the device by using local username and password
    but now after this configuration when i try to access the firewall via console, i m getting error of
    command authorization fail.
    I dont wana have any command authorization while connected with console, Please tell me how to resolve this issue
    I have made the command authorization set in ACS and it is working fine for me,

    kindly once again check my modified configuration,
    I wanted to use this option in case, ACS goes down and i can console my firewall and but it is not working fine me.
    aa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ (edn) host 172.28.31.132
    aaa-server TACACS+ (edn) host 172.28.31.133
    aaa authentication ssh console TACACS+ LOCAL
    aaa authentication enable console TACACS+ LOCAL
    aaa authentication serial console LOCAL
    aaa authentication http console LOCAL
    aaa authorization command TACACS+ LOCAL
    aaa accounting command privilege 15 TACACS+
    aaa accounting enable console TACACS+
    but i m not able to login i m getting following eror
    Command authorization failed
    TDC-INT-525-01> exit
    Command authorization failed
    TDC-INT-525-01> exit
    Command authorization failed
    TDC-INT-525-01> enable
    Command authorization failed
    i also defined the local command authorization set like this
    privilege cmd level 15 mode exec command exit
    privilege show level 5 mode exec command running-config
    privilege show level 15 mode exec command version
    privilege show level 0 mode exec command access-list
    privilege show level 0 mode configure command access-list
    privilege cmd level 15 mode configure command exit
    privilege cmd level 15 mode configure command no
    privilege cmd level 0 mode configure command access-list
    privilege cmd level 15 mode interface command exit
    privilege cmd level 15 mode subinterface command exit
    privilege cmd level 15 mode dynupd-method command exit
    privilege cmd level 15 mode trange command exit
    privilege cmd level 15 mode route-map command exit
    privilege cmd level 15 mode router command exit
    privilege cmd level 15 mode ldap command exit
    privilege cmd level 15 mode aaa-server-host command exit
    privilege cmd level 15 mode aaa-server-group command exit
    privilege cmd level 15 mode context command exit
    privilege cmd level 15 mode group-policy command exit
    privilege cmd level 15 mode username command exit
    privilege cmd level 15 mode tunnel-group-general command exit
    privilege cmd level 15 mode tunnel-group-ipsec command exit
    privilege cmd level 15 mode tunnel-group-ppp command exit
    privilege cmd level 15 mode mpf-class-map command exit
    privilege cmd level 15 mode mpf-policy-map command exit
    privilege cmd level 15 mode mpf-policy-map-class command exit
    privilege cmd level 15 mode mpf-policy-map-class command exit
    privilege cmd level 15 mode mpf-policy-map-param command exit
    Please tell me how to solve this problem

  • ACS v.5 cannot be added as secondary via WAN

    Hi,
    i have planned a deployment with one acs in Europe working as primary, one acs in europe as secondary and one acs in USA as secondary also.
    I can add one acs in europe to the deployment as secondary.
    When I try to add the acs in USA to the deployment - Nothing really works.
    The status shown in the primary is offline (red) and status pending. It stays like this for hours.
    When I log in to the gui directly on the acs in USA, it still has status primary.
    The two acs are transparently connected. There is WAN optimization (cisco waas) in between the two datacentres...
    any hints  or ideas are aprreciated.
    thanks

    Larsen,
    Make sure we have these ports open. The ports in question for replication in ACS 5 use tcp:RMI (remote method invocation): ports 2020
    and 2030.
    Message Bus: 61616 for replication Sybase db (full) replication - while registering or applying full replication uses TCP: 2638.
    Regards,
    ~JG
    Do rate helpful posts!

  • Problem in putting the classpath

    HI!
    I have a serious problem!
    I'm trying to create a connection using the antinav jdbc driver type 3 for WindowsXP and Access 2000.
    I also have installed JDK1.4.2 version and I use JCreatorLE environment.
    I followed the instructions of README.text but nothing works!
    I'll tell you what I did and please reply to me for a solution!
    First of all I run the Setup.exe contained in package AccessOnNT.zip
    After that I run the InstallAtinavService program from the StartMenu and I started the Service.
    I copied JdbcClasses.jar to a directory c:\AtinavDriver\classes\ and after that I went to ControlPanel-->System-->Environment and put as Variable=CLASSPATH and as a value=c:\AtinavDriver\classes\JdbcClasses.jar
    I also put the classpath to JCreatorLE. I went to Configure-->Options-->JDK Profiles and I added the package c:\AtinavDriver\classes\JdbcClasses.jar
    The code I wrote is the following:
    import java.sql.*;
    import java.util.*;
    public class test{
    public static void main(String[] arguments){
    try{
    Class.forName("acs.jdbc.Driver");
    } catch(Exception eDriver) {
    System.out.println("driver " +eDriver);
    String url="jdbc:atinav:localhost:7227:c:\\databases\\my movies.mdb";
    String username="Admin";
    String password=" ";
    try {
    Connection conn=DriverManager.getConnection(url,username,password);
    Statement st=conn.createStatement();
    ResultSet rec=st.executeQuery("SELECT title,category"+"FROM my movies.mdb Contacts"+
    "WHERE"+"ORDER BY title");
    while (rec.next()) {
    System.out.println(rec.getString("title")+"\n"+rec.getString("category"));
    st.close();
    }catch (Exception eConnection) {
    System.out.println("Connection " + eConnection);
    When I execute I get this message :
    driver java.lang.ClassNotFoundException: acs.jdbc.Driver
    Connection java.sql.SQLException: No suitable driver
    Press any key to continue...
    Please tell me what I did wrong as soon as posible!
    Thank you!

    Looks like your JCreator CLASSPATH is okay. If it wasn't, you would have gotten a ClassNotFoundException for the JDBC driver. Looks like you got past that.
    Your exception says "Connection java.sql.SQLException: No suitable driver". That usually means that your database connection URL is incorrect.
    String url="jdbc:atinav:localhost:7227:c:\\databases\\my movies.mdb";This does not look correct at all.
    I'm unfamilar with this Antinav type III driver you're using. Why isn't the JDBC-ODBC bridge driver sufficient? Did you have to pay for this? What made you think it was necessary?
    If you use the bridge driver, you can connect using this code:
    import java.sql.*;
    import java.util.*;
    public class AccessConnection
        public static void main(String [] args)
            try
                AccessConnection ac = new AccessConnection();
                if (args.length > 0)
                    ac.findMoviedByCategory(args[0]);
                else
                    System.out.println("Usage: java AccessConnection <category>");
            catch (Exception e)
                e.printStackTrace();
        public void findAllMoviesByCategory(final String category) throws SQLException, ClassNotFoundException
            Connection conn = null;
            PreparedStatement st = null;
            ResultSet rs = null;
            try
                Class.forName("sun.jdbc.odbc.JdbcOdbcDriver");
                String url      = "jdbc:odbc:DRIVER={Microsoft Access Driver (*.mdb)};DBQ=c:\\databases\\my movies.mdb";
                String username = "admin";
                String password =   "";
                conn        = DriverManager.getConnection(url,username,password);
                String sql  = "SELECT title,category FROM movies WHERE category = ? ORDER BY title";
                st          = conn.prepareStatement(sql);
                st.setString(1, category);
                rs = st.executeQuery();
                while (rs.next())
                    System.out.println(rs.getString("title") + " " + rs.getString("category"));
            finally
                try { if (rs != null) rs.close(); } catch (SQLException ignore) {}
                try { if (st != null) st.close(); } catch (SQLException ignore) {}
                try { if (conn != null) conn.close(); } catch (SQLException ignore) {}
    }There were other problems (e.g., your SQL query wasn't correct - no WHERE value.)

  • H323 cisco attributes not being forwarded to Radius accounting server

    I have enabled a Radius server to gather AAA Accounting CDR records but I don't see any of the Cisco h323 attributes. The following is an example of the list I WANT to see.
    ATTRIBUTE h323-remote-address 23 string Cisco
    ATTRIBUTE h323-conf-id 24 string Cisco
    ATTRIBUTE h323-setup-time 25 string Cisco
    ATTRIBUTE h323-call-origin 26 string Cisco
    ATTRIBUTE h323-call-type 27 string Cisco
    ATTRIBUTE h323-connect-time 28 string Cisco
    ATTRIBUTE h323-disconnect-time 29 string Cisco
    ATTRIBUTE h323-disconnect-cause 30 string Cisco
    ATTRIBUTE h323-voice-quality 31 string Cisco
    ATTRIBUTE h323-gw-id 33 string Cisco
    ATTRIBUTE h323-incoming-conf-id 35 string Cisco
    I see a lot of stuff comming in, but I don't see any of the attributes above.
    PS. when I do a DEBUG AAA ACCOUNTING here's what I see.
    *Oct 8 18:00:19.681: AAA/ACCT/CONN(00001863): STOP protocol reply FAIL
    *Oct 8 18:00:19.681: AAA/ACCT(00001863): Accouting method=NOT_SET
    Here's my config
    aaa new-model
    aaa group server radius ACS
    server X.X.X.X auth-port 1645 acct-port 1646
    aaa authentication login h323 group ACS
    aaa authentication login no_rad local
    aaa accounting update newinfo
    aaa accounting exec default start-stop group ACS
    aaa accounting connection default start-stop group ACS
    aaa accounting connection h323 start-stop group ACS
    aaa session-id common
    gw-accounting aaa
    attribute acct-session-id overloaded
    attribute h323-remote-id resolved
    acct-template callhistory-detail
    radius-server host X.X.X.X auth-port 1645 acct-port 1646
    radius-server timeout 60
    radius-server key XXXXX
    radius-server authorization permit missing Service-Type
    radius-server vsa send accounting
    radius-server vsa send authentication
    dial-peer voice 447 voip
    destination-pattern 1647280....
    voice-class aaa 1
    session target ipv4:X.X.X.X
    Any ideas?
    thanks,
    Paul

    Try the following command:
    gw-accounting h323 vsa
    See here (http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122tcr/122tvr/vrg_g1.htm#wp1505752) for details.

Maybe you are looking for