ACS Appliance Upgrade

Similar Messages

• ACS Appliance Upgrade path

  I am seeing patches and CSUpdate files with the same release date. My current version is Acs-4.2.0.124.9-CSUpdate fix Base image 4.2.0.107, Appliance Management Software 4.2.0.124,
  Question is which patch do I apply, the Cumulative, the CSUpdate, or both. Do I need to apply them one after the other, or is the .12 patch a rollup that includes the fixes in the previous versions, 10 and 11.
  One other thing, other than physically going to the colo and reading it off the server itself, where can I find the serial number of the unit.

  Appliance serial number cannot be viewed via GUI or serial.
  For upgrading ACS always apply most recent patch available and it covers all fix till date.
  First apply csupdate and then apply patch.
  Please post ACS related under head AAA.
  Regards,
  ~JG
  Do rate helpful posts

• ACS upgrade from 4.0.x to 4.1.x "Appliance upgrade in progress"

  Hello friends,
  We are in the process of upgrading ACS 4.0 to 4.1 in a SE appliance 1113.
  We followed very carefuly the steps, and upgraded de Appliance management ACS 4.1. The second upgrade (Software for appliance 4.1) keeps showing "Appliance upgrade in progress..." (near 2 hours by now). I know that it can stick even finishing, but it seems it has not finished because we can not log in with the GUI Administrator account like we did when upgrading the management software (previous step).
  Is this normal? what can be missing?, I attach the console text output below (IP adds obscured).
  Note the management upgrade went fine.
  Thanks.
  Cisco Secure ACS: 4.1.1.23
  ACS 4.0.1.49-CSAdmin-CSCsd96293_CSCse26719 Fix: (Patch: 4.0.1.49 Tue 01/09/2007
  7:50:00.17)
  Appliance Management Software: 4.1.1.23
  Appliance Base Image: 4.0.1.2
  CSA build 4.0.1.543.2: (Patch: 4_0_1_543)
  Appliance upgrade in progress...
  Session Timeout: 10
  Last Reboot Time: Fri Jun 06 11:46:40 2008
  Current Date & Time: 6/6/2008 13:17:40
  Time Zone: (GMT-05:00) Bogota, Lima, Quito
  NTP Server(s): 131.107.1.10
  CPU Load Free Disk Free Physical Memory
  0.00% 16.9 GB 765 MB
  Appliance IP Configuration
  DHCP Enabled. . . . . . . . . . .: No
  IP Address. . . . . . . . . . . .: 172.16.x.y
  Subnet Mask . . . . . . . . . . .: 255.255.255.0
  Default Gateway . . . . . . . . .: 172.6.x2.y2
  DNS Servers . . . . . . . . . . .: 172.16.x3.y3
  CSAdmin running
  CSAuth running
  CSDbSync running
  CSLog running
  CSMon running
  CSRadius running
  CSTacacs running
  CSAgent stopped
  Appliance upgrade in progress...

  Thanks Jagdeep, but the upgrade has not finished.
  The documentation mentions (please read it carefully):
  "IF YOU COMPLETE THE UPGRADE and the ACS console displays the message Appliance upgrade in progress, this indicates that the upgrade PROGRESS is hanging.
  If this condition occurs, start an ACS console session and enter the command download [hostAddress], where hostAddress can be any IP address. This action releases the ACS console from the upgrade process."
  What worries me is that it has not finished.
  As I said in my post, we can not log in :( (the GUI gets blocked during the upgrade).
  I appreciate the help. Many Thanks.

• No access to serial console in ACS appliance 111

  We have 2 Cisco ACS appliances running version ...
  Cisco Secure ACS 3.2.2.5
  Appliance Management Software 3.2.2.5
  Appliance Base Image 3.2.2.1
  The fact is that after initial setup, we have never used the console mainly because in a production environment we manage them through the Web Admin application. Now we have decided to upgrade both appliances to the latest version (3.3.3) and when we tried to connect to the serial console (115200,N,8,1, no flow control) we don't get any response from none of both ACS. It's quiet strange but we have found no way to make them work. We have tried several things I expose to you in case you can give us any hint:
  1. We have rebooted the appliance and we can see through the console all the start-up process but when it finally finishes the start-up, we see no login prompt.
  2. We have also shutdown the appliance properly and power it off and on again. Same results. The appliances boot normal but still we don't have console access.
  3. We have tried boot the appliance with the recovery CD-ROM and the console works fine. I can reset the Admin password, but when it restart from its own system ( I mean without the recovery CD_ROM), I can see all the starting messages but when it finish the start-up process ... no console access.
  4. Finally I have connected a monitor and a keyboard to the appliance ( I know Cisco dosn not recommned it but when in trouble....) and I see the full start-up process and it includes the base Windows 2000 server operating system startup. When Windows finishes loading, we get a lock screen in which the appliance informs you that it have started correctly and that we could access it for management through the serial console port or through the web console. 10 seconds later I see a pop up window stating that on or more services have not started correctly and that we shoulkd check the Event viewer, something we wished we could do but as you you, this is a secured system and I don't know if there is a back door method to verify windows services in this appliance.
  Any help would be appreciated, as the problem is identical in both the appliances and upgrading them without access to the admin console is difficult and risky.
  Kind regards.

  Hi
  I had similair problem being locked out of console after initial configuration wizard.
  I think there is a bug within the console session in that if you input a hostname of more than 15 characters, it locks up the ACS service when the server reboots. If you keep your hostname to less than 15 characters, the server reboots and you get console access. If you then access the GUI, you will see that 15 characters is the maximum, and you cannot enetr any more than this. This is not the case with the console, where you can enter more than 15 without getting an error message.
  I rescued the server by doing F8 and rebooting server with last known good configuration. from there, you can reset the hostname to something valid. You can check to see which CS services are running through console session, and start any services that may not be running..
  deliverance1> start CSAgent
  Starting service: CSAgent..
  CSAgent is starting
  CSAgent is running
  Regards
  Ian

• Cisco acs 1120 upgrade to 4.2.1.15 help

  Hi All,
              I have cisco 1120 appliance downgrade from acs 5.0 to acs 4.2.0.124 , I need to upgrade to acs 4.2.1.15 . Does cisco 1120 acs appliance supports 4.2.1.15 , How can i upgrade to 4.2.1.15 from 4.2.0.124 .
              It requires any distribution server for upgrade process . Please suggest on this , Thank you

  Yes, you can upgrade it to 4.2.1.15 and you can download the version from the below listed link;
  http://tools.cisco.com/squish/d4e4A
  Here are the files you need to download:
  ACSse-Upgrade-Pkg-acs-v4.2.1.15-K9.zip
  ACSse-Upgrade-Pkg-appl-mng-v4.2.1.15-K9.zip
  NOTE: Please apply the management upgrade first and then software upgrade. ..
  Distribution server is a machine from where you can upload the patch onto the Cisco Secure ACS Appliance so If you will download the version on your laptop and upload it from there then that would be distribution server (Nothing special)
  Upgrade an appliance to 4.2.1.15
  http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2.1/Installation_Guide/solution_engine/upgap.html#wp1148376
  Hope this helps.
  Rgds,  Jatin
  Do rate helpful posts~

• Apply patch to acs Appliance

  I was wondering if someone can help me to upgrade my ACS Appliance with patch 4.1.1.23.4-SW. It was simple to apply this one in a normal server 2000. The ACS appliance I think is different because that we can access by normal terminal, keyboard and mouse.
  Some were I read that is necessary a tomcat server?
  Please help
  adi

  Hi,
  ACS v4.1.1.23 patch 5 is available so go for this new patch.
  You should have a pc which can access ACS through web interface. Keep the patch file on the PC.
  Follow the steps below on the PC:
  [1] Extract zipped file
  [2] Look for ?autorun.exe? file and double click on it
  [3] It will start a tomcat server on your desktop and you?ll see a web page asking for ACS
  SE ip address :
  Provide in the ACS SE ip address and press ?Install?
  [4] It will prompt for ACS admin username and password as shown below :
  Provide in the username and password and login.
  [5] Then it bring up ACS GUI, then go to
  System Configuration > Appliance Upgrade Status > Download,
  Then we?ll get a screen where it will ask for ip address of Install Server :
  Provide in ip address of system from where we are applying this patch, in our case our
  desktop ip address, then click connect.
  [6] It will show us following screen :
  Click on ?Download Now?
  Then it?ll show us this screen :
  Press ?Refresh? Till we see following screen :
  [7] Now press ?Apply Upgrade?. Then it?ll ask for confirmation :
  Press ?Upgrade?, then we?ll get information regarding the patch.
  Click ?Yes?.
  It?ll take few minutes to apply that patch on appliance.
  Then it?ll show us a confirmation message :
  Press ?Done?, then system will reboot.
  To confirm that patch has been applied successfully, goto
  System Configuration > Appliance Upgrade Status
  After everything is fine stop the tomcat server by clicking on ?stop distribution server? or
  if you want to apply this patch on some more appliance click on ?Install Next?
  Hope this helps.
  ~Rohit

• ACS Windows vs ACS Appliance

  I have ACS 3.3 running on Win2k and am looking to upgrade. Would it be a better idea to get the ACS appliance instead? What are the pros/cons?

  Hi
  Personally I wouldnt choose an appliance over software. Cost aside they are harder to integrate (esp if you use AD), harder to diagnose and patch.
  From experience I know ACS sometimes needs a little TLC to keep it working. ACS v3/v4 was not designed as appliance software. This has been retro-fitted with all the issues that go with it.
  ACS v5 is supposed to be appliance from day 1 so maybe that'll be ok!
  This is my own personal view, Im sure there are a lot of happy appliance owners out there.
  Main differences
  1) Appliance cant talk direct to AD. You need to install an agent somewhere (possibly requiring a dedicated windows server.. ouch what happened to lower TCO!)
  2) No native ODBC, RSA (done via RADIUS instead)
  3) Logging. CSVs hard coded to rollover at 10MB. Requires log agent or extraxi csvsync to collect logs.
  If you like to be "hands on" stick with s/w

• Trunked connections to ACS appliance

  We are replacing our Cisco ACS 4x server with a new ACS appliance. It is a Cisco UCS C220.
  We went with the hardened Linux option for the underlying OS.
  Our old server had multiple network adapters on different subnets so that it could authenticate devices on different VRFs (rings basically).
  I see the new appliance has only 2 network adapters in it. Is it possible to configure these as a 802.1q trunk in order to have the device service requests on 4-5 subnets? I haven't seen documentation on how to do this.

  Hi,
  ACS v4.1.1.23 patch 5 is available so go for this new patch.
  You should have a pc which can access ACS through web interface. Keep the patch file on the PC.
  Follow the steps below on the PC:
  [1] Extract zipped file
  [2] Look for ?autorun.exe? file and double click on it
  [3] It will start a tomcat server on your desktop and you?ll see a web page asking for ACS
  SE ip address :
  Provide in the ACS SE ip address and press ?Install?
  [4] It will prompt for ACS admin username and password as shown below :
  Provide in the username and password and login.
  [5] Then it bring up ACS GUI, then go to
  System Configuration > Appliance Upgrade Status > Download,
  Then we?ll get a screen where it will ask for ip address of Install Server :
  Provide in ip address of system from where we are applying this patch, in our case our
  desktop ip address, then click connect.
  [6] It will show us following screen :
  Click on ?Download Now?
  Then it?ll show us this screen :
  Press ?Refresh? Till we see following screen :
  [7] Now press ?Apply Upgrade?. Then it?ll ask for confirmation :
  Press ?Upgrade?, then we?ll get information regarding the patch.
  Click ?Yes?.
  It?ll take few minutes to apply that patch on appliance.
  Then it?ll show us a confirmation message :
  Press ?Done?, then system will reboot.
  To confirm that patch has been applied successfully, goto
  System Configuration > Appliance Upgrade Status
  After everything is fine stop the tomcat server by clicking on ?stop distribution server? or
  if you want to apply this patch on some more appliance click on ?Install Next?
  Hope this helps.
  ~Rohit

• ACS 1112 upgrade

  Hi everyone,
  I want to upgrade my ACS appliance 1112 running software version 3.3 to 5.x?
  How can i go about this or should i go and purchase new ACS appliance(1120)?
  br
  sam

  a.kiprawih is right, you need to upgrade your ACS 3.2(1) to ACS 4.0, then take a backup of it and restore it in new ACS 1112 ACS 4.0. The easiest way to accomplish it would be take a backup of ACS SE 1111 3.2(1), open a TAC case send your backup to TAC, get it upgraded to 4.0, they'll send you upgraded backup, restore it in ACS SE 1112 4.0 appliance, you are ready to roll. If you dont want to send your backup to TAC, create a test Win2000 server, install ACS 3.2(1), take a backup oif ACS SE 1111 3.2(1), restore it. Upgrade it to ACS 3.3(3) build 11 on Win2000, take a backup. Then again upgrade it to ACS 4.0 on Win2000, take this backup(Final one).
  Configure your ACS SE 1112 4.0 basic setup, then restore the ACS 4.0 backup from Win2000, and make sure you have all your IP address and other stuff in place, you are good to roll.
  NOTE : While uprading from ACS 3.3(3) build 11 to ACS 4.0 on Win2000 serer, you may hit a bug due to trailing spaces in NAS ip address defined on ACS server. Best way.. Open a TAC case.
  Let me know if this helps :)

• For those having EAP auth issue using the ACS appliance

  Thought I'd pass along my config and resolution to an issue I was having concerning EAP-TLS auth on an ACS appliance.
  We have two ACS Solution Engines (3.2.2) running and doing a database synch and using Generic LDAP as the external database. We did the certificate walk through for the ACS and then turned on EAP-TLS auth. We are trying to use EAP-TLS auth for wireless access through our AP1200s and Windows XP laptops, but we kept getting errors.
  After digging for days I found out that when you request a certificate it pulls the CN name. Our CN name in Active Directory did not match our login name. I changed my CN name to match my login name and I was then able to grab a certificate and authenticate using EAP-TLS for our wireless.
  I am in the process of upgrading our ACSes to ver 3.3.2 so that I can run the Remote Agent for Windows on a Windos 2003 server and then use the Windows database as the external database and not Generic LDAP.
  I hope this helps someone!
  Jeff

  The document discusses the Extensible Authentication Protocol Transport Layer Security (EAP-TLS) authentication protocol deployment in wireless networks.
  http://www.cisco.com/warp/public/cc/pd/sqsw/sq/tech/acstl_wp.htm

• ACS Appliance needs a restart to fix...

  I'm experiencing a prblm where I have a Cisco ACS 112-K9 appliance that seems to hang and the only way to access it again is to reboot it. (I'm not able to get to the web GUI, nor to a telnet prompt)
  It's configured as the failover device to another appliance so I'm not too stressed at the moment.
  On the Appliance Upgrade page the setup is as follows:
  Cisco Secure ACS 3.3.1.16
  Acs EAP-TLS PSIRT fix (Patch: 3.3.1.16 Thu 09/09/2004 9:55:30.72)
  Appliance Management Software 3.3.1.16
  Appliance Base Image 3.3.1.6
  CSA build 4.0.1.543.2 (Patch: 4_0_1_543)
  From the System Configuration page > Diag Log > CSAlog file I get the following: (I'm not even sure this is the right Log file to be looking at? If there's another log file, please let me know and I'll post it.)
  [2006-02-09 08:40:02.812] [PID=520] [Csamanager]: Agent initialization complete.
  [2006-02-09 08:40:09.687] [PID=520] [Csamanager]: Warning: It took 4 seconds to process the last batch (1) of events. Last event: type=EVTM EvSrcComp=13 EvDst=1 EvDstComp=7 EvCode=APCR_ALLOW EvPInt=601 EvPString:30:C:\WINNT\system32\services.exe EvPString
  2:55:D:\Program Files\CiscoSecure ACS v3.3\CSAuth\CSAuth.exe Evtime=45.5 (seconds since boot) Evtype=FILE EvFileOp=OPEN EvFilePrivateOp=IRP_MJ_CREATE EvFileOpFlags=EXECUTE|NOISY|NEW_FILEID EvFileCacheOp=INSERT EvFileAccess=EXECUTE EvFileAccessToken=SYSTEM
  EvFileId=-2058248312 EvFilePath:30:C:\WINNT\system32\NETAPI32.dll EvFileDrive:1:C EvFileDriveType=FIXED EvFileName:12:NETAPI32.dll EvProcessId=620 EvCredentials=¨=
  [2006-02-09 22:59:59.703] [PID=500] [CsaCtrl]: .
  [2006-02-09 22:59:59.703] [PID=500] [CsaCtrl]: Service CSAgent starting...
  [2006-02-09 22:59:59.843] [PID=500] [CsaCtrl]: Started process leventmgr.exe pid=520
  [2006-02-09 23:00:00.312] [PID=520] [Csamanager]: Csamanager starting ...
  [2006-02-09 23:00:00.453] [PID=520] [Csamanager]: Agent version=V4.0-1 build 543, os='Windows 2000', os version=5.0.4.2195
  The actual event when the device fails occured at 22:57 that's when the device needed a reboot.
  I guess I need a starting point for troubleshooting this.. any suggestions would be great.
  The fix is frustrating especially if I have to reboot the device everytime.

  Hi Darran,
  Thanks for the reply.
  I checked for "exceptions, "too busy", "worker thread" and couldn't find anything.
  I check the following logs:
  CSAuthlog.csv *** Nothing indicating the above ***
  CSMonlog.csv *** The logs jump from 02/07/2006 - 02/10/2006) ***
  Keeping in mind this device is redundant with another appliance there would have been no failures indicated with authentication as this paticular device is the "failover" device.
  Any other suggestions? I can alway open a TAC ticket, but I wanted to explore this method of help first.
  Thanks again!
  Reuben

• Adding a Custom VSA to a Group - ACS Appliance

  Hi,
  Using a secure ACS Appliance 4.0
  I want to add a new RADIUS Vendor and its associated VSA to the ACS configuration. This will then be returned during Authorization.
  I have already added the new Vendor and the required VSA through RDBMS. I can now see the new vendor as RADIUS (vendor) in NAP Profile etc
  However I cannot seem to find a way that how would i set the Value of the Added VSA ? And assign it to a particular group ? I cannot seem to find that VSA anywhere.

  Add a AAA client with "Authenticate using" Radius(vendor)
  then go to Interface Configuration and enable VSA for Group/User
  ~Rohit

• ACS appliance External Auth to NT 4.0

  Hi
  I am installing the ACS appliance to do external database authentication to NT 4.0 PDC. It appears with the appliance you have to install a remote agent to make this work. It is my understanding this agent must run on a win2k box. Does the agent have to be installed on the PDC or can it go on any windows server box?
  Is there a work around if you do not have a win2k server. This network is still NT4 with now win2k boxes
  Thanks

  The remote agent was not tested on NT4 and probably wouldn't even install properly. Even if it did work, you would be very limited in the support you'd get if you had strange problems because it is an unsupported configuration.
  It doesn't have to go on a PDC, but things just seem to work better if it is on a DC of some sort. At the very least it needs to be on a member server, but as I said, I'd recommend putting it on a BDC from experience.
  The release notes/install guide for it is here:
  http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacsapp/raig/index.htm

• New ACS appliance not showing FQDN hostname in GUI

  I've installed two new ACS appliances in our environment running 5.3.  I've just configured the basics to get it on the network (ie DNS, default GW, IP address).  Looking at both running configs, they are identical with exception to the IP addresses.  On one appliance in the GUI next to the user name in the top right hand corner, the hostname is "acs01".  In the GUI on the other appliance, it shows "acs02.corp.mycompany.com".  This is a minor issue but its bugging me.  Anyone have an idea what is going on?
  In both appliances, this statement is identical in the show run:
  ip domain-name corp.mycompany.com

  Hi,
  So you are using a hardware RAID5 in storage pool as a hard disk. Now you added one more hard disk to the RAID5 with the tool "Dell Server Administrator" but it is not recognized in storage pool.
  I think it will not work as hard disk size cannot be changed after storage pool is created. It is by default.
  However why you use the hardware RAID in a storage pool? A hardware RAID seems enough for your storage requirement.
  If you have any feedback on our support, please send to [email protected]

• RDBMS Synchronization problem in ACS Appliance 3.3

  Hi,
  I was adding multiple AAA Clients on ACS Appliance using RDBMS Synchronization option I followed the complete steps but failed to synchronize accountActions.csv file on ACS my ftp server is working fine and returned the logs saying "accountActions.csv file read recieved file successfully size 0 bytes 0.00 kbps" and RDBMS synchronization logs ACS reported as "No import CSV file on ftp server - nothing to process" I have attached related screen shots. Any help on this issue will be highly appreciated.
  Thanks in advance
  Best Regards,
  Ahmed

  The format of the accountsaction.csv file is incorrect as a result of which the RDBMS Synchronization is not executed correctly.
  I have attached a sample accountsAction.csv file for you.
  (i) The AAA Client C7609-X with the ip address 10.10.10.10 has been added with the shared secret key as mikey and is is registered with TACACS+
  (ii) The NDG michasisX has been added.
  (iii) The device C7609-X has been added to the NDG michasisX
  Place the file in the FTP and try performing an RDBMS synchronization. Restart the ACS services.
  Then you can add the devices as per the sample file attached.
  Also check if the file name is exactly the same in the RDBMS Synchronization page in the ACS
  Hope this helps,
  Soumya