ACS 5.4 snmp problem - sysoid

I've looked through the posts and haven't found anything on this yet.
We have 2 ACSs, 5.4, running on VMs. The ovas were initially deployed via the 5.3 image, then upgraded. The secondary had a storage problem over the weekend and the vm was not backed up as production, so it was deleted. We had to completely rebuild.
This time, the ova was deployed from the 5.4 iso. Did patch 1, AD integration, etc. and then reestablished it as the secondary. Functionally everything is fine, replication is good, and everything is working.
Looking in our NMS, I do see an issue with the sysoid. Below is a snippet from the primary:
.1.3.6.1.2.1.1.1.0 = STRING: Cisco Secure Access Control System 5.4
.1.3.6.1.2.1.1.2.0 = OID: .1.3.6.1.2.1.47.1.1.1.1.13.1
Here is the same from the newly deployed secondary:
.1.3.6.1.2.1.1.1.0 = STRING: Cisco Application Deployment Engine
.1.3.6.1.2.1.1.2.0 = OID: .0.0.0
Has anyone seen this? Once again, everything is functioning fine and this appears to be cosmetic (not affecting normal ops).
Thanks, chris

At this point, my plan is to apply patch 2. When I do this, I will reboot the secondary (the VM itself). What I am not sure of is whether or not this was done. I thought when the initial ADE config was done and the setup script installed the app, the VM rebooted at that point. But that's what I'm going to try, change ticket is set for the 23rd. If I still see the same thing, then I'll look at playing around with the snmp settings, since it's not an issue of snmp not working, it's just not reporting the mib2 values I would expect.
Thanks, chris
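
A check that could be run against the two walks quoted above, as an added example that is not part of the original thread: it parses numeric snmpget/snmpwalk output for the MIB-2 system group and reports an agent whose sysObjectID is all zeros (such as the `.0.0.0` shown for the secondary) or whose values differ from a reference peer. The function names, finding codes and node labels are assumptions made for this example; the sample lines are the ones from the post.

```python
import re

SYS_DESCR = ".1.3.6.1.2.1.1.1.0"       # MIB-2 sysDescr.0
SYS_OBJECT_ID = ".1.3.6.1.2.1.1.2.0"   # MIB-2 sysObjectID.0

# One "OID = TYPE: value" line of numeric (-On style) output.
LINE_RE = re.compile(
    r"^\s*(?P<oid>\.?\d+(?:\.\d+)+)\s*=\s*"
    r"(?P<type>[A-Za-z][A-Za-z0-9-]*):\s*(?P<value>.*?)\s*$"
)
NUMERIC_OID_RE = re.compile(r"\.?\d+(?:\.\d+)*")

# Sample input: the lines quoted in the post above.
PRIMARY_WALK = """\
.1.3.6.1.2.1.1.1.0 = STRING: Cisco Secure Access Control System 5.4
.1.3.6.1.2.1.1.2.0 = OID: .1.3.6.1.2.1.47.1.1.1.1.13.1
"""
SECONDARY_WALK = """\
.1.3.6.1.2.1.1.1.0 = STRING: Cisco Application Deployment Engine
.1.3.6.1.2.1.1.2.0 = OID: .0.0.0
"""


def norm_oid(oid):
    """Return a numeric OID with exactly one leading dot."""
    return "." + oid.strip().strip(".")


def parse_walk(text):
    """Map OID -> value for every parsable line; other lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        value = m.group("value")
        if m.group("type") == "STRING":
            value = value.strip('"')
        elif m.group("type") == "OID" and NUMERIC_OID_RE.fullmatch(value):
            value = norm_oid(value)
        table[norm_oid(m.group("oid"))] = value
    return table


def is_null_oid(oid):
    """True when every arc is 0, treated here as 'identity not set'."""
    arcs = oid.strip(".").split(".")
    return all(arc == "0" for arc in arcs)


def audit_system_group(walks, reference):
    """Compare each node's sysDescr/sysObjectID with the reference node.

    walks: dict of node label -> raw walk text. Returns a list of
    (node, code, value) findings in node order.
    """
    parsed = {name: parse_walk(text) for name, text in walks.items()}
    ref = parsed[reference]
    findings = []
    for name, table in parsed.items():
        descr = table.get(SYS_DESCR)
        obj_id = table.get(SYS_OBJECT_ID)
        if descr is None or obj_id is None:
            findings.append((name, "MISSING_SYSTEM_GROUP", None))
            continue
        if is_null_oid(obj_id):
            findings.append((name, "NULL_SYSOBJECTID", obj_id))
        if name != reference:
            if descr != ref.get(SYS_DESCR):
                findings.append((name, "SYSDESCR_DIFFERS", descr))
            if obj_id != ref.get(SYS_OBJECT_ID):
                findings.append((name, "SYSOBJECTID_DIFFERS", obj_id))
    return findings


if __name__ == "__main__":
    nodes = {"primary": PRIMARY_WALK, "secondary": SECONDARY_WALK}
    for node, code, value in audit_system_group(nodes, "primary"):
        print(f"{node}: {code} ({value})")
```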

Similar Messages

  • ACS 5.3 Authorization problem with using Identity Groups in Access Policy Rule

    Hello guys, I have found a problem which I can't solve regarding authorization with using Identity Groups in Access Policy rule.
    ACS version: 5.3.0.40.6 (internal build B.839)
    I have very simple RADIUS Authorization rule which authorize user on behalf of right Identity Group.
    Requested Identity Group exist
    Testing user is created in Internal Users and has assigned requested Identity Group
    Radius Access Policy: 
    Authentication against Identity Store Sequence, where authorization server is external RSA SecurID device and additional attributes retrieval is configured from Internal Users.
    Authorization is very simple – One Rule with only one Condition which is: Identity Group - in - Requested_Testing_Rule. Then Default rule is set to Deny.
    When I will try login with my testing user then authentication against RSA SecurID is OK, but authorization will be denied by Default rule – It looks like my Rule with Identity Group is totally omitted.
    I am managing several other ACS servers (version 5.3 but with older patches) where similar rules are working without problem.
    What I am tested:
    Remove testing user and create his account again.
    Rename Identity Group
    Use another Identity Group
    Remove Access Policy rule and create it again
    Use Compound Condition: System:Identity Group
    Use Compound Condition: System:UserID instead of Identity Group in Rule (it is working without problem)
    Do you have any idea where problem can be?

    OK guys, it started working yesterday without any configuration change. Maybe it was some database inconsistency which was solved by ACS itself.

  • EAP-TLS + CA MICROSOFT + ACS 3.2 APPLIANCE = Problem

    I have a Wireless Lan platform composed by equipment Access Points Cisco 1100 with ACS 3,1 and CA Microsoft. The security scheme is EAP-TLS (certificates). This architecture was completely functional. The problem took place when replacing the ACS 3,1 by the ACS 3,2 APPLIANCE, for which new certificates they were emitted by the CA of the infrastructure. The problem appears when a wireless client tries to connect to the wireless network, without obtaining the objective, being in a state of "trying to authenticate" in networks adapters, in addition the ACS Logs appear the following message "NAS duplicated authentication attempt".
    If somebody knows the reason of this problem, can be contacted to my mail ([email protected]).

    A hint I could give you is that in such a scenario you need a Trusted boundary between the ACS Appliance and the MS AD/PDC. This will be realized through a PC/Host who is a registered member or user of the AD/PDC. This relay Computer then communicates with the MS CA. The SW that Cisco Provides is the Cisco Secure ACS Agent. Hope this helps as we found the same problem in leap authentication as the ACS Appliance could not be set into a AD/PDC Domain. This has to be realized through this small piece of SW installed on a PC/Host etc. which is an active AD/PDC Member.

  • 802.1x with ACS 4.2 (RADIUS) problem

    HI all!
    I am trying to configure AAA authentication and authorization with Cisco 3725 (IOS 12.4(17)) for 802.1x and ACS 4.2 with VLAN assignment to my Windows XP client. (trying to assign VLAN 100 in my scenario).
    When user connects to the Router, it passes the authentication process (EAP-MD5). In my debug i see that Router receives the Radius Attributes BUT does not apply anything!
    My running config:
    Building configuration...
    Current configuration : 1736 bytes
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname R4
    boot-start-marker
    boot-end-marker
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa session-id common
    memory-size iomem 5
    ip cef
    no ip domain lookup
    ip domain name lab.local
    ip device tracking
    dot1x system-auth-control
    interface FastEthernet0/0
    ip address 10.10.0.253 255.255.255.0
    duplex auto
    speed auto
    interface FastEthernet0/1
    no ip address
    shutdown
    duplex auto
    speed auto
    interface FastEthernet1/0
    dot1x port-control auto
    interface FastEthernet1/1
    interface FastEthernet1/2
    interface FastEthernet1/3
    interface FastEthernet1/4
    interface FastEthernet1/5
    interface Vlan1
    ip address 192.168.1.1 255.255.255.0
    interface Vlan100
    ip address 192.168.100.1 255.255.255.0
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    mac-address-table static 0800.27b1.b332 interface FastEthernet1/0 vlan 1
    radius-server host 10.10.0.2 auth-port 1645 acct-port 1646 key cisco
    radius-server vsa send accounting
    radius-server vsa send authentication
    My Radius debug information:
    *Mar  1 00:21:31.487: RADIUS: Pick NAS IP for u=0x65BAF324 tableid=0 cfg_addr=0.0.0.0
    *Mar  1 00:21:31.491: RADIUS: ustruct sharecount=2
    *Mar  1 00:21:31.491: Radius: radius_port_info() success=1 radius_nas_port=1
    *Mar  1 00:21:31.491: RADIUS: added cisco VSA 2 len 15 "FastEthernet1/0"
    *Mar  1 00:21:31.491: RADIUS: Request contains 9 byte EAP-message
    *Mar  1 00:21:31.491: RADIUS: Added 9 bytes of EAP data to request
    *Mar  1 00:21:31.495: RADIUS/ENCODE: Best Local IP-Address 10.10.0.253 for Radius-Server 10.10.0.2
    *Mar  1 00:21:31.507: RADIUS(00000000): Send Access-Request to 10.10.0.2:1645 id 1645/3, len 127
    *Mar  1 00:21:31.511: RADIUS:  authenticator 36 68 24 30 F0 CC E8 3C - 69 48 61 E3 DA 28 52 AC
    *Mar  1 00:21:31.511: RADIUS:  NAS-IP-Address      [4]   6   10.10.0.253
    *Mar  1 00:21:31.511: RADIUS:  NAS-Port            [5]   6   0
    *Mar  1 00:21:31.511: RADIUS:  Vendor, Cisco       [26]  23
    *Mar  1 00:21:31.515: RADIUS:   cisco-nas-port     [2]   17  "FastEthernet1/0"
    *Mar  1 00:21:31.515: RADIUS:  NAS-Port-Type       [61]  6   X75                       [9]
    *Mar  1 00:21:31.515: RADIUS:  User-Name           [1]   6   "user"
    *Mar  1 00:21:31.515: RADIUS:  Calling-Station-Id  [31]  19  "08-00-27-B1-B3-32"
    *Mar  1 00:21:31.515: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    *Mar  1 00:21:31.515: RADIUS:  Framed-MTU          [12]  6   1500
    *Mar  1 00:21:31.515: RADIUS:  EAP-Message         [79]  11
    *Mar  1 00:21:31.515: RADIUS:   02 1D 00 09 01 75 73 65 72                       [?????user]
    *Mar  1 00:21:31.515: RADIUS:  Message-Authenticato[80]  18
    *Mar  1 00:21:31.515: RADIUS:   B1 8B 8F 4C F1 6D C9 A6 4E 96 B8 3D 53 E9 41 12  [???L?m??N??=S?A?]
    *Mar  1 00:21:31.555: RADIUS: Received from id 1645/3 10.10.0.2:1645, Access-Challenge, len 93
    *Mar  1 00:21:31.555: RADIUS:  authenticator DF 38 A1 1B ED 3C 1E B2 - 1A 92 6A D5 58 CE B8 4A
    *Mar  1 00:21:31.555: RADIUS:  EAP-Message         [79]  28
    *Mar  1 00:21:31.555: RADIUS:   01 1E 00 1A 04 10 BE BA B4 B0 26 9D 52 0E 43 BC  [??????????&?R?C?]
    *Mar  1 00:21:31.555: RADIUS:   33 46 8E A8 C6 45 47 4E 53 33                    [3F???EGNS3]
    *Mar  1 00:21:31.555: RADIUS:  State               [24]  27
    *Mar  1 00:21:31.555: RADIUS:   45 41 50 3D 30 2E 31 66 66 2E 39 38 36 2E 31 3B  [EAP=0.1ff.986.1;]
    *Mar  1 00:21:31.559: RADIUS:   53 56 43 3D 30 2E 31 35 3B                       [SVC=0.15;]
    *Mar  1 00:21:31.559: RADIUS:  Message-Authenticato[80]  18
    *Mar  1 00:21:31.559: RADIUS:   22 C8 D5 BB 44 FC FC 14 D3 2C C9 42 A3 9B A4 9E  ["???D????,?B????]
    *Mar  1 00:21:31.563: RADIUS: Found 26 bytes of EAP data in reply (ofs 0)
    *Mar  1 00:21:31.563: RADIUS: Received 26 byte EAP Message in reply
    *Mar  1 00:21:31.587: RADIUS: Pick NAS IP for u=0x65BAF324 tableid=0 cfg_addr=0.0.0.0
    *Mar  1 00:21:31.587: RADIUS: ustruct sharecount=1
    *Mar  1 00:21:31.587: Radius: radius_port_info() success=1 radius_nas_port=1
    *Mar  1 00:21:31.587: RADIUS: added cisco VSA 2 len 15 "FastEthernet1/0"
    *Mar  1 00:21:31.591: RADIUS: Request contains 26 byte EAP-message
    *Mar  1 00:21:31.591: RADIUS: Added 26 bytes of EAP data to request
    *Mar  1 00:21:31.591: RADIUS/ENCODE: Best Local IP-Address 10.10.0.253 for Radius-Server 10.10.0.2
    *Mar  1 00:21:31.591: RADIUS(00000000): Send Access-Request to 10.10.0.2:1645 id 1645/4, len 171
    *Mar  1 00:21:31.591: RADIUS:  authenticator 0A A2 1F 7C 12 A8 AB F7 - 9F 87 C6 51 A4 0D EA A2
    *Mar  1 00:21:31.595: RADIUS:  NAS-IP-Address      [4]   6   10.10.0.253
    *Mar  1 00:21:31.595: RADIUS:  NAS-Port            [5]   6   0
    *Mar  1 00:21:31.595: RADIUS:  Vendor, Cisco       [26]  23
    *Mar  1 00:21:31.595: RADIUS:   cisco-nas-port     [2]   17  "FastEthernet1/0"
    *Mar  1 00:21:31.595: RADIUS:  NAS-Port-Type       [61]  6   X75                       [9]
    *Mar  1 00:21:31.595: RADIUS:  User-Name           [1]   6   "user"
    *Mar  1 00:21:31.595: RADIUS:  Calling-Station-Id  [31]  19  "08-00-27-B1-B3-32"
    *Mar  1 00:21:31.595: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    *Mar  1 00:21:31.595: RADIUS:  Framed-MTU          [12]  6   1500
    *Mar  1 00:21:31.595: RADIUS:  State               [24]  27
    *Mar  1 00:21:31.595: RADIUS:   45 41 50 3D 30 2E 31 66 66 2E 39 38 36 2E 31 3B  [EAP=0.1ff.986.1;]
    *Mar  1 00:21:31.595: RADIUS:   53 56 43 3D 30 2E 31 35 3B                       [SVC=0.15;]
    *Mar  1 00:21:31.595: RADIUS:  EAP-Message         [79]  28
    *Mar  1 00:21:31.595: RADIUS:   02 1E 00 1A 04 10 AA 09 8E 39 DE 29 E4 CC C6 BC  [?????????9?)????]
    *Mar  1 00:21:31.595: RADIUS:   7F 01 C8 47 EC 74 75 73 65 72                    [???G?tuser]
    *Mar  1 00:21:31.595: RADIUS:  Message-Authenticato[80]  18
    *Mar  1 00:21:31.595: RADIUS:   33 57 82 E2 5C 24 A2 8C 67 CC 0D 8C 25 12 74 13  [3W??\$??g?????t?]
    *Mar  1 00:21:31.731: RADIUS: Received from id 1645/4 10.10.0.2:1645, Access-Accept, len 90
    *Mar  1 00:21:31.731: RADIUS:  authenticator A0 0E DF D7 87 FD 9E B6 - BB 64 04 4F 56 2A 03 89
    *Mar  1 00:21:31.735: RADIUS:  Framed-IP-Address   [8]   6   255.255.255.255
    *Mar  1 00:21:31.735: RADIUS:  EAP-Message         [79]  6
    *Mar  1 00:21:31.735: RADIUS:   03 1E 00 04                                      [????]
    *Mar  1 00:21:31.735: RADIUS:  Tunnel-Type         [64]  6   01:VLAN                   [13]
    *Mar  1 00:21:31.739: RADIUS:  Tunnel-Medium-Type  [65]  6   01:ALL_802                [6]
    *Mar  1 00:21:31.739: RADIUS:  Tunnel-Private-Group[81]  6   01:"100"
    *Mar  1 00:21:31.739: RADIUS:  Class               [25]  22
    *Mar  1 00:21:31.739: RADIUS:   43 41 43 53 3A 30 2F 35 62 31 2F 61 30 61 30 30  [CACS:0/5b1/a0a00]
    *Mar  1 00:21:31.739: RADIUS:   66 64 2F 30                                      [fd/0]
    *Mar  1 00:21:31.739: RADIUS:  Message-Authenticato[80]  18
    *Mar  1 00:21:31.739: RADIUS:   75 BC F2 E0 91 07 6C 12 4D 5C BB 50 A4 FD D3 26  [u?????l?M\?P???&]
    *Mar  1 00:21:31.739: RADIUS: Found 4 bytes of EAP data in reply (ofs 0)
    *Mar  1 00:21:31.739: RADIUS: Received 4 byte EAP Message in reply
    As a result the vlan-switch database does not change.
    Any help will be appreciated!
    Thanks a lot,
    Chelovekov Alexander

    I've tried multiple ways to cope with this problem but nothing was helpful...
    Tunnel-Medium-Type  [65]  6   01:ALL_802
    I use only ACS Radius attributes and chose only what ACS allows me to choose (Tunnel-medium-type: 802).
    Screenshot in attachment.
    The same situation occurs when i try to use some Vendor Specific Attributes (Cisco-AV-Pair)  - downloadable ACEs to my user, and again, i see Radius attributes in my debug but nothing is applied to my L3 Switch.
    What am i missing?

  • (Question) WLS5.1 SNMP problem? Please help...

    Hello, all
    I am attaching the weblogic.properties, startWebLogic.cmd and
    startSNMPAgent.cmd
    I started the weblogic server 5.1 on port 7001.
    Then started the SNMP agent using the command
    "%JAVA% weblogic.SNMPAgent -password system -snmpPort 161 -serverURLs
    t3://210.182.160.120:7001 -community public -debugLevel 3 -trapDestinations
    210.182.160.111:162".
    210.182.160.120 : WebLogic Server 5.1
    210.182.160.111 : Trinity(NMS)
    Then I tried to access the "serverState" variable using the command
    "java snmpget localhost .1.3.6.1.4.1.140.600.40.1.20"
    "java snmpwalk localhost .1.3.6.1.4.1.140.600.20"
    But i am getting the following error.
    Response PDU received from localhost/127.0.0.1, community: public
    Error in response. There is no such variable name in this MIB.
    Index: 1
    Errored Object ID: .1.3.6.1.4.1.140.600.40.1.10
    I am attaching picture. refer to that(above process result).
    How can I solve this problem?
    Thanks in advance...
    Have the pretty day. ^^;
    [4.SNMPAgentWhenSNMPGet.JPG]
    [3.snmp_command.JPG]
    [2.startSNMPAgent.JPG]
    [1.startWeblogic.JPG]
    [weblogic.properties]
    [startWebLogic.cmd]
    [startSNMPAgent.cmd]

    (i posted this response earlier, however i don't know where it got lost ....
    anyway)
    pls see comments, inline ....
    Beom Lee <[email protected]> wrote in message
    news:[email protected]...
    Thanks for your answer.
    I tried to snmpwalk...
    But I failed...
    I tried another system that snmp don't be installed.
    So, Success...
    But I have some problem..
    I executed snmpwalk .1.3.6.1.4.1.140.600...
    But I got the mib variable from .1.3.6.1.4.1.140.600.20 to
    .1.3.6.1.4.1.140.600.50
    I can't get the .1.3.6.1.4.1.140.600.10.xxx...
    This is because, for some reason your cluster is not up/active. Bcos if you
    look at the first line of the output you have attached from snmpwalk, it
    shows that the value of 'serverEntry.clusterName' == 'standalone' for
    'myserver'. i.e. that server is not a part of a cluster.
    I would double check the cluster setup. Do you get messages in your
    weblogic.log from the respective servers indicating that they have joined
    the cluster ?
    Because I don't get the .1.3.6..1.4.1.140.600.10.xxx, I can't know the
    clusterEntry index
    and I can't know the list of servers in cluster.
    I attached the snmpwalk result.
    And I attached the weblogic properties file of snmpwalk target system.
    Thanks in advance.
    "Sanjeev Chopra" <[email protected]> wrote in message
    news:[email protected]...
    comments inline...
    Beom Lee <[email protected]> wrote in message
    news:[email protected]...
    Hello, all
    I am attaching the weblogic.properties, startWebLogic.cmd and
    startSNMPAgent.cmd
    I started the weblogic server 5.1 on port 7001.
    Then started the SNMP agent using the command
    "%JAVA% weblogic.SNMPAgent -password system -snmpPort 161 -serverURLs
    t3://210.182.160.120:7001 -community public -debugLevel3 -trapDestinations
    210.182.160.111:162".
    210.182.160.120 : WebLogic Server 5.1
    210.182.160.111 : Trinity(NMS)
    Then I tried to access the "serverState" variable using the command
    "java snmpget localhost .1.3.6.1.4.1.140.600.40.1.20"
    "java snmpwalk localhost .1.3.6.1.4.1.140.600.20"
    But i am getting the following error.
    to get server state for all servers.. use the following command
    java snmpwalk localhost .1.3.6.1.4.1.140.600.20.1.20
    also the output you have attached is from the first command (snmpget). can
    you try the command above and see what output you get on the agent side?
    >>>
    Response PDU received from localhost/127.0.0.1, community: public
    Error in response. There is no such variable name in this MIB.
    Index: 1
    Errored Object ID: .1.3.6.1.4.1.140.600.40.1.10
    This error is an expected response to your snmpget command above. 'snmpget'
    needs an "instance OID" i.e. OID of an element + value of the index which
    identifies that instance of that element. Try the snmpwalk command above -
    it should return you the "instance OID" which you can use with snmpget, if
    you like
    good luck !
    I am attaching picture. refer to that(above process result).
    How can I solve this problem?
    Thanks in advance...
    Have the pretty day. ^^;

  • Spine and SNMP problems

    Hi everyone,
    I have followed the tutorial to installing cacti here http://wiki.archlinux.org/index.php/Cacti
    But when i try to add an interface stats graph, i get:
    + Running data query [1].
    + Found type = '3' [snmp query].
    + Found data query XML file at '/srv/http/cacti/resource/snmp_queries/interface.xml'
    + XML file parsed ok.
    + Executing SNMP walk for list of indexes @ '.1.3.6.1.2.1.2.2.1.1'
    + No SNMP data returned
    + Found data query XML file at '/srv/http/cacti/resource/snmp_queries/interface.xml'
    When the query is run in debug mode.
    Thinking that the tutorial above lacked some config, i blindly started playing around (as you do) and ended up with 'rwuser cacti' in my snmpd.conf.. I'm really lost as to how snmp is configured and can't find any understandable tutorials for it.
    My cacti.log shows this error, suggesting that snmp is not set up to handle cacti's requests:
    SPINE: Poller[0] WARNING: Host[3] DataQuery[1] Reindex Check FAILED: No SNMP Session. If not an SNMP host, don't use Uptime Goes Backwards!
    SPINE: Poller[0] WARNING: Host[3] DataQuery[6] Reindex Check FAILED: No SNMP Session. If not an SNMP host, don't use Uptime Goes Backwards!
    SYSTEM STATS: Time:1.2157 Method:spine Processes:1 Threads:1 Hosts:2 HostsPerProcess:2 DataSources:10 RRDsProcessed:10
    Please help!!

    Weirdly, it started working with absolutely no input from me..
    So i added a network traffic graph, and i was getting some blank graphs. But this seemed to be a problem with cron, so i have restarted the service and everything LOOKS to be working. We'll see if i get any useful info.
    How the hell did it start working?

  • Net snmp problem

    Dear Members!
    I have installed netsnmp-5.41 from sunfreeware.com. But i got problem on snmpwalk.
    Here is the error message from /var/log/snmpd.log
    netsnmp_assert !"registration != duplicate" failed agent_registry.c:535 netsnmp_subtree_load()
    netsnmp_assert !"registration != duplicate" failed agent_registry.c:535 netsnmp_subtree_load()
    netsnmp_assert !"registration != duplicate" failed agent_registry.c:535 netsnmp_subtree_load()
    NET-SNMP version 5.4.1
    /dev/openprom: Invalid argument
    unable to lookup boot-command from eeprom
    Please advise me what should i do?
    Regards,
    Umar Draz

    I have the same problem...
    snmpwalk gives me:
    Error in packet.
    Reason: (genError) A general failure occured
    Failed object: .iso.org.dod.internet.private.enterprises.sun.products.sunSeaProxyMIB.sunSubTreeDispatchTable.sunSubTreeDispatchEntry.sunSubTreeDispatchIndex.1.1
    And snmpd.log:
    cannot read from /dev/openprom
    unable to lookup boot-command from eeprom
    js.

  • Cisco Secure ACS "reports and activities" problem

    Hi, I am running ACS 3.3(3) Build 11.
    When I select the "next page" from any of the reports, I get a "page cannot be displayed" error. (1st page is fine).
    Any ideas what this can be caused by?
    Cheers, Steve.

    Not sure about this problem.. .but the ACS interface for searching reports is dire.
    Why not try aaa-reports! There's a free 60 day trial. We have tools to remotely pull down all CSVs from any number of ACSs and import & report on most of the ACS logs.
    Apols for the shameless plug.. but this can save you a lot of time and effort.
    www.extraxi.com

  • ACS Engine Hanging / Replication Problems

    I have two ACS 1112 Appliances running the latest software (Release 4.0(1) Build 42). Each appliance seems to run fine on its own. However, after setting up and successfully performing replication, the second ACS will not fully reboot. It says CSAuth did not start. 'show' usually shows the cpu at 100% with the services in various states of stopped, stopping, or starting. The web interface is unavailable. Another thing I have noticed that I think may have something to do with it is the status of the remote agents in the network device table. After replication, (and before rebooting) I can click on one successfully on the original machine, but when I attempt to click on one on the second appliance, I get a 404 browser error, and my ACS session is closed. I have to log back in to do anything else. Right now, I am rebuilding the second appliance from the cd (for the 15th time) to attempt replication with no remote agents defined to narrow down the problem. Also note that if I manually add a remote agent on the second appliance, I am able to get to its properties with no problems. I am only not able to get to replicated entries' properties. Thanks in advance for any help.

    Well, forget about the remote agents. The primary appliance has a very basic config. The only things in the network device table are itself and the other ACS. They each have the correct settings and the same key. The backup ACS has no configuration settings, except the ACS settings in the network device table and the appropriate replication settings. After a successful replication from primary to backup, and a reboot of the backup--it will not start back up. The CPU is at 100% and the services look like this:
    CSAdmin stopped
    CSAuth starting
    CSDbSync starting
    CSLog stopping
    CSMon starting
    CSRadius starting
    CSTacacs starting
    CSAgent running
    thanks.

  • ACS Appliance Remote Agent Problem

    Hi there
    we have the following situation:
    - 2 x ACS SE's
    - 2 x ACS Remote Agents on Member Servers
    - 2 x ASA's
    We would like to authenticate the VPN users connecting to the ASA's via the ACS and the active directory.
    I configured the remote agent following this link:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/3.3/installation/guide/remote_agent/rawi.html#wp289426
    But we are not able to fetch the active directory groups in the acs gui --> External User Database > Database Group Mappings > Active Directory > New Configuration.
    On the Domain Controller we get the errors ID 1030 and 1058, has someone had these problems too?
    Thanks in advance and regards
    Dominic

    Hi JG
    We have MS Windows Server 2003 with SP2. At the beginning, the service was running as a local admin, then we had access to the AD, but we had some strange issues: after a short time (~1 Day) of zero authentication requests, the first request used about 2 minutes to get back to the ACS.
    We debugged the way from the ACS to the remote agent, it must have been on the server itself.
    Regards
    Dominic

  • SNMP problem

    I have 5 Mac Pros located in a datacenter. I have enabled SNMP on all 5 so I can monitor them remotely. All 5 of them are randomly crashing with the following:
    Tue Nov 11 13:08:58 2008
    panic(cpu 2 caller 0x001431A9): "zalloc: \"socket\" (590 elements) retry fail 3"@/SourceCache/xnu/xnu-1228.7.58/osfmk/kern/zalloc.c:770
    BSD process name corresponding to current thread: snmpd
    Mac OS version:
    9F33
    Kernel version:
    Darwin Kernel Version 9.5.0: Wed Sep 3 11:29:43 PDT 2008; root:xnu-1228.7.58~1/RELEASE_I386
    System model name: MacPro3,1 (Mac-F42C88C8)
    Any clues why SNMP would cause the Macs to crash?

    I have found a workaround for the snmpd related KP's:
    The problem with snmpd is that its leaking memory and exhausting the mach kernel. Until Apple has a fix (maybe 10.5.7?) the best solution is to create a launchd item to "killall snmpd" once a day:
    /Library/LaunchDaemons/edu.(yournamehere).killall.snmpd
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
    <key>Label</key>
    <string>edu.(yournamehere).killall.snmpd</string>
    <key>ProgramArguments</key>
    <array>
    <string>killall</string>
    <string>snmpd</string>
    </array>
    <key>StartCalendarInterval</key>
    <dict>
    <key>Hour</key>
    <integer>3</integer>
    <key>Minute</key>
    <integer>7</integer>
    </dict>
    </dict>
    </plist>
    So far (one week), no more panic's!

  • Net-snmp problem UNKNOWN host

    There is a bug in the net-snmp 5.4 package, the host variable used by snmptrapd to resolve IPs returns an UNKNOWN name when it can't resolve.
    See the following (closed) bug report for details:
      [ 1638225 ] 5.4 traphandle: unresolved IP translated to <UNKNOWN>
      http://sf.net/support/tracker.php?aid=1638225
    I don't know if you people can fix this in the next build!!!!!
    thanks
    Carlos
    Last edited by CarLost (2007-06-20 02:28:47)

  • SNMP problem in Local Director 416 V4.2.3

    I am unable to get SNMP response from local director :
    hereafter the snmp configuration .
    snmp-server host 62.184.xx.yy
    snmp-server enable traps
    snmp-server community xxxxxxxxx
    snmp-server contact Philippe
    snmp-server location B2
    What else should be in configuration to have the local director respond to
    SNMP request from snmp-server host 62.184.xx.yy ?
    Thanks for your help.

    This is not expected behavior with the LD.
    I did see one bug (CSCdw87752) regarding the LD duplicating multicast packets in 4.2.3. The scenario was slightly different. In the bug, the LD was duplicating multicast packets from a Checkpoint Firewall. That bug is fixed in version 4.2.4. I think it is likely that this fix will also fix your issue.
    Let me know if that works or not...
    -Steve

  • Acs se aaa server problem

    HI
    I have installed acs se for peap authentication in a wireless network .
    however when i install the acs se it shows me 2 profiles (self and deliverance) after initial config in the aaa server window of network configuration .
    The name of the default server is deliverance and its ip is 169.x.x.x which is the default nic ip as u can check it out during the initial startup configuration.
    Pls help me to get this fixed

    Hi.
    The name of the ACS SE listed in AAA Server section is "self".
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/NetCfg.html#wp341780
    "In ACS SE, the name of the machine is listed as self."
    "deliverance1" is the default ACS SE name(hostname).
    Sometimes what happens is, even if we have ACS SE connected to Network during initial configuration. And we change the name of the ACS SE from "deliverance1" to something that we want. After changes has been made, on ACS SE, it comes back, and shows the ip 169.x.x.x associated with the new hostname.
    NOTE: I am considering that during initial configuration ACS SE was connected to network. If not, then this is supposed to happen.
    In order to correct this issue, follow following steps:
    [1] On ACS hardware/appliance go to,
    Reports and Activity > Appliance Status Page >
    From "NIC Configuration", copy the IP address of the ACS SE.
    Interface Configuration > Advanced Options > check "Distributed System Settings" > Submit.
    Network Configuration > under "AAA Servers" > Search > type the IP address of the ACS hardware/appliance > Search.
    Note down the "Name" against the Ip address of the ACS SE.
    Now go to, Network Configuration > under "Proxy Distribution Table" > (Default) > make sure that the name that appeared against the Ip address of the ACS Hardware/appliance is in "Forward To" Column, If it is not, move it , and move all other entries under "AAA Servers" column and press "Submit + Restart"
    And delete the entry from the AAA Server section, that is associated with IP address 169.x.x.x
    [2] Now, if you do not want the name that is shown in the Proxy Distribution Table, and want the one that is there in the section,
    System configuration > Appliance Configuration... Hostname section, associated with the correct IP address. Then do this,
    Establish Serial Console connection to ACS SE,
    Issue the command "set hostname " and then reboot the ACS SE by command, "reboot".
    [3] Once ACS SE is back up, go to, Network Configuration > under "Proxy Distribution Table" > (Default) > And make sure that the new name is in "Forward To" Column > Submit + Restart.
    Now, the correct IP address will be associated with the correct hostname.
    Regards.
    Prem

  • ACS 4.2 NDG problem

    Hi I have ACS appliance 4.2.0.124 installed at 2 sites. In one of the Appliance, under (Not Assigned) NDG the AAA server was reflecting as Self with IP address 127.0.0.1 & with the other one under AAA servers exact ip address of the appliance was reflecting with server name AAA. I had added the 1st server in 2nd server's unassigned NDC and 2nd server in 1st's unassigned NDC.
    After that I configured the 1st server for outbound replication and 2nd for inbound replication with "Network Configuration Device tables" selected. After manual replication I found in 2nd appliances under unassigned NDG, server entry with name self and IP address 127.0.0.1 , along with the second entry self and its own IP address are there. Now I am neither able to add the 1st server's entry to NDG group (Error: host already exist) or Delete/edit the self with 127.0.0.1 ip address. Can anybody help me to delete this entry from the database pls?
    I don't have any backup previously and the ACS is live.

    Hi all, I am using ACS SE 4.2 . Can i edit the IP address for record "Self" under AAA servers table under not assigned NDG, as the Ip address of self is showing 127.0.0.1???
    Also can reinitialize the data base because one of the server's entry is not appearing under Not assigned NDG but during if i am trying to add the server error "Host already exists" coming.
    Pls help me as i am stuck at this point.
