ACS Database Replica

Similar Messages

• ACS Database Replication over VPN with overlapping Network Addresses

  We currently have two co-locations each situated in different provinces. We have two ACS servers which we want to deploy at each co-location. All our network equipments are behind PIX/ASA devices. Getting them to replicate over the VPN should be easy but in our case we have overlapping Network Addresses at both ends of the tunnels.
  As per Cisco data does not transit a NAT device when the two Cisco Secure ACS servers communicate and a successful database replication can occur only if the secondary ACS server perceives no change in the IP header or content of the data it receives. So that means we will not be able to Implement NAT to achiever this.
  Has any one of you faced this problem of replicating ACS Database over the VPN with overlapping Network Addresses and was anyone able to successfully solve this issue using a work around ?
  All provided info and comments are greatly appreciated.

  I can help with the 3005 setup if you decide to go that route.
  You will need to add 2 network list entries under Configuration>Policy Management>Traffic Management>Network Lists.
  You will need to configure a local and remote address. The local will be one of the public ip's for the site.(Provided by your ISP)The remote will be the device you are connecting to on the other end.
  You will also need to add a Nat Lan to Lan rule under Configuration>Policy Management>Traffic Management>Nat>Lan to Lan.
  Use a static Nat type. The rest will look similar to my example.
  Source(Local address)Translated(Public Ip Address used in the network local list)Remote(Ip address of the device on the other end)
  Now just create an Ipsec lan to lan tunnel. You will need to agree with the ISP on des type and auth type. Use you local and remote networks you created earlier.

• About Secure ACS Database Replication configure

  hi
       I have INSTALL the acs and the ACS DATABASE HAS replicated complete.
  but when I made some change ,the primary ACS has generate *.csv file.
  this file can replicated to the secondary ACS.
       THANKS

  Can you please clarify your issue? The post is not clear.
  Regards

• Cisco ACS database tuning

  Hi
  I would like to know best ways for tuning Cisco ACS database.  Now the database size has grown up and causing performance problems.  We are running Cisco ACS 4.2 on Windows server 2003 R3. SP2
  What is the best possible way to tune Cisco ACS performance.
  What is the best possible design consideration in deploying 6 ACS servers and in replicating mode? Can i use one database for all the 6 ACS servers. Is this feasible?
  Any docs which talks about all these would be helpful.
  Thanks in advance.
  SK

  Hi there,
  About the database size growing issue, I have seen issue similar in the past and could be related to the Service Control option, make sure it's configured Low. This option is located under System Configuration.
  Regards the replication issue, in the past I have seen even 7 servers in cascade replicating fine, although depending on different factors like distance, devices in between, amount of data, etc. The replication may flow may get affected. I am not sure which will be your requierements but using one server to replicate the information to the other units is a good option, I prefer this one than cascade replication.

• ACS database reporting permissions issue

  Hi,
  I have an issue with my testing of the ACS reporting in two test environments (SCOM 2012 SP1). One has SQL installed on the same server as the MS and the other is a separate SQL install on its own server with multiple MS’s. On both SQL servers
  the ACS database is running on the same server as the other SCOM databases under an instance called SCOM. When we go live the intention is to run on a separate SQL server so not sure if this would still be relevant at that point.
  First off all my normal reports are running fine from the console and from SQL reporting services. My understanding is that the reports are running under different contexts at this point – the web reporting with the account I am logged in
  with and from within SCOM console trying to use the data reader account.
   When trying from the web reporting services or SCOM console I get -
  “An error has occurred during report processing. (rsProcessingAborted)
  Cannot create a connection to data source 'dataSource1'. (rsErrorOpeningConnection)
  A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote
  connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server)”
  With regard to the account I am using for the web reporting. It’s a domain admin account. However what I also did was create a global security group called “SCOMACS” and gave this group “db_datareader” permissions within SQL.
  I also gave the data reader service account permissions to see if this fixed the issue from the console.
  Wonder if anyone could help?

  Hi,
  This seems more like a SQL issue, please make sure your database engine is configured to accept remote connections
  • Start > All Programs > SQL Server 2005 > Configuration Tools > SQL Server Surface Area Configuration • Click on Surface Area Configuration for Services and Connections • Select the instance that is having a problem > Database Engine >
  Remote Connections • Enable local and remote connections • Restart instance 
  Please go through the below blog to troubleshoot this issue:
  Named Pipes Provider, error: 40 - Could not open a connection to SQL Server
  http://blogs.msdn.com/b/sql_protocols/archive/2007/03/31/named-pipes-provider-error-40-could-not-open-a-connection-to-sql-server.aspx
  SQL SERVER – FIX : ERROR : (provider: Named Pipes Provider, error: 40 – Could not open a connection to SQL Server) (Microsoft SQL Server, Error: )http://blog.sqlauthority.com/2009/05/21/sql-server-fix-error-provider-named-pipes-provider-error-40-could-not-open-a-connection-to-sql-server-microsoft-sql-server-error/
  Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
  Hope this helps.
  Regards,
  Yan Li
  Regards, Yan Li

• ACS database

  Hi,
  I have ACS and is running with windows database integration. But i have some issue the users are created in active directory and then acs ask if the user exists and then it hold the users mappings in his own database (normal operation) but the question is when i delete users from active directory the users still in acs and they can still authenticate i have to block the user in acs or delete manually the mappings is there some procedure that when i delete the user in active directory i do not have to delete the user in acs too?

  Hi,
  It is suggest to change the Default retention period of ACS Database of SCOM. By default database retention period is of 14 days, when installing the ACS Services, we can specify days to keep. If you choose to keep the database for long
  time and the drawback is the hard-disk may start filling up very quickly.
  The retention day option is saved under (ID 6) in the “dbo.dtconfig” table of the ACS Database.
  Query SELECT * FROM dtConfig, we can see the retention period.
  The below links should be helpful for you, please refer to them:
  http://blogs.technet.com/b/kevinholman/archive/2008/03/07/acs-internals-part-1.aspx
  http://social.technet.microsoft.com/Forums/systemcenter/en-US/d25d0192-72cc-4ac3-b61d-5c64dd763efa/manual-grooming-of-acs-database
  Regards,
  Yan Li
  Regards, Yan Li

• MP in DMZ needs SQL database replica or connects to primary server?

  Hi,
  I am installing MP in DMZ for IBCM but not too certain to use database replica or use site database? Our DMZ is in another forest (e.g. Forest A) and our internal SCCM is in Forest B. Also, if I enable "Require the site server to initiate connections
  to this site system" option then what would be advantage of doing it on the site system that is in DMZ?
  Thanks

  Using a replica offloads some of the work from the site DB to the MP. Thus, the MP role itself will be able to query its local copy of the data instead of having to query the site's DB. Of course, this SQL replica must still replicate data from the site's
  DB so you haven't really eliminated communication. Thus, using a SQL replica will eliminate the MP having to query the site DB thus reducing the amount (in terms of attempts, not actual data size) of traffic between the MP and site DB.
  The setting you mention has no effect on the MP role as it pertains to an MP either querying the site DB or SQL replication.
  Jason | http://blog.configmgrftw.com | @jasonsandys

• Migrating a Cisco ACS Database

  Hi,
  Can there be any potential problems, if we want to migrate an existing Cisco ACS Database to a different physical Server (Keeping the same IP information etc) ?
  We were running Cisco ACS evaluation version for Cisco NAC (CTA) and now want to make it production while moving it to a different server.
  Regards \\ Naman

  Hi,
  I'm not an expert for the ACS but when you look into System configuration you will find the feature 'Database Replication'. With an eval version you should be able to test this feature.
  Cheers,

• Reset ACS database password

  Hi,
  Just asking if you guys have idea how to reset the ACS database password?
  regards,

  Open the ACS window, Choose Network Configuration --------->select the User -----> edit it ----> change the password

• ACS Database Replication

  I have 2 ACS server
  - ACS Appliance(v4.0)
  - ACS Server fo Window(v3.0)
  I want to design Primary ACS Appliance and Secondary ACS for Window
  I know the method For ACS Database replication
  Thanks
  cheolhyeon

  Hello Hanwu
  Please send a the screenshot of replication page from primary server.
  thanks
  Devashree

• ACS database users and passwords.

  Hi, i need to get all users and passwords from a acs 3.3 database unencrypted.
  How can i do it?
  Could you help me ?

  To get a list of the USers in the ACS database use the CSUTIL tool on Windows platform.
  go to bin directory under the ACS install folder and do
  CSUtil.exe -u
  this will generate a file "users.txt" in the same folder.
  But I dont think you can get the password in unencrypted form.

• ACS Database type (e. g. mysql,sql,postgre)

  Can anyone tell me what is the database of cisco ACS 4.2. And one more thing how can i access the ACS database to view the infos of the DB.

  Sybase is the internal database for ACS View server. The data retrieved from multiple ACS are processed and stored in the ACS View internal database.
  Please check the below link for getting more information:
  http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps5698/ps6767/ps9302/white_paper_c07-484555.html#wp9000185

• State database replicas

  Hello all,
  sorry if I'm posting this on the wrong group, please let me know if there's a better suited group for this.
  I have a solaris 9 server with 3 disks:
  the 1st one holds the OS in several slices
  the other 2 make up a mirror drive i created using the management console.
  I created 3 database replicas, one on each disk, the master was on c1t0d0s5 (OS Disk, unused slice) and the other 2 on c1t1d0s0 (disk part of mirror) and c1t2d0s0 (disk part of mirror).
  I just created a fs on c1t0d0s5 using newfs and started copying some files there when the system crashed, when it came back up i noticed the database replica there was damaged so i deleted it and created a new one and stopped using this slice altogether!
  My questions:
  - In case of a disk failure on the OS disk, is it possible to replace it, reinstall solaris and then "plug" back the array using the database replicas from the other 2 disks?
  - Shouldn't the kernel itself protect the db replicas so that they don't get damaged when using the slice??
  - Is it possible to create another database replica on the slice holding the / filesystem without damaging it??
  Thanks in advance,
  Billy

  Well ...
  There are storage forums here:
  http://forum.sun.com/index.jspa
  ... and there is a storage forum here:
  http://supportforum.sun.com/hardware/
  You may need to be prepared to describe your hardware and software with some more specifics, such as brand/model/version, etc., and have excepts from logs available, should they be requested.

• SVM state database replica Master flag not set for any replica

  Hi guys,
  Recently i have done root mirroring. After creating svm volumes, i ran the metadb command to create state database replicas on the replaced disk. I created only one replica that time. I tried creating additional replicas but it said like replica already exist on the slice. So i deleted the replica on the slice. Thn i created 3 replicas again & ran metadb. Output of metadb command is below. I found there is not master flag not set for any replica. I like to know whether it would create any issue or it is fine.
  flags first blk block count
  a u 16 8192 /dev/dsk/c1t0d0s7
  a u 8208 8192 /dev/dsk/c1t0d0s7
  a u 16400 8192 /dev/dsk/c1t0d0s7
  a p luo 16 8192 /dev/dsk/c1t1d0s7
  a p luo 8208 8192 /dev/dsk/c1t1d0s7
  a p luo 16400 8192 /dev/dsk/c1t1d0s7

  That shouldn't be any problem, i think the metadb's are just read at boot, and at boot one of the replicas will be choosen as the master, and will then get the m-flag.
  I suspect that you deleted the replica which was used as the master during the last boot, which is why none of your replicas have the m-flag at the moment, which is not a problem as it will be choosing a new replica during the next boot.
  .7/M.

• ACS database not functioning after changing secondary acs ip.

  Hi.. im having 2 ACS 3.1 server. ACS01 (Primary) & ACS02 (Secondary). Recently we have moved ACS02 to another site and changed its ip address.
  When we do database replication from ACS01, we received error message saying that ACS02 has denied replication request.
  Any idea whats may be the problem ?

  Consider these points when you implement the Cisco Secure database replication feature:
  1) ACS only supports database replication to other ACS servers. All ACS servers that participate in Cisco Secure database replication must run the same version and patch level of ACS.
  2)The primary server transmits the compressed, encrypted copy of its database components to the secondary server. This transmission occurs over a TCP connection, with port 2000. The TCP session is authenticated and uses an encrypted, Cisco-proprietary protocol.
  3)Only suitably configured, valid ACS hosts can be secondary servers. To add a secondary server, configure it in the AAA Servers table in the Network Configuration section of this document. When a server is added to the AAA Servers table, the server appears for selection as a secondary server in the AAA Servers list under Replication Partners, on the Cisco Secure database replication page.
  4)The primary server must be configured as an AAA server and must have a key. The secondary server must have the primary server configured as an AAA server and its key for the primary server must match the primary servers own key.
  5)Replication to secondary servers takes place sequentially in the order listed in the Replication list under Replication Partners, on the Cisco Secure database replication page. 6)The secondary server, which receives the replicated components, must be configured to accept database replication from the primary server. To configure a secondary server for database replication, refer to the Configuring a Secondary Cisco Secure ACS Server section of this document.
  7)ACS does not support bi-directional database replication. The secondary server, which receives the replicated components, verifies that the primary server is not on its Replication list. If not, the secondary server accepts the replicated components. If so, it rejects the components.
  8)To replicate user-defined RADIUS vendor and vendor-specific attribute (VSA) configurations successfully, the definitions to be replicated must be identical on the primary and secondary servers. This includes the RADIUS vendor slots the user-defined RADIUS vendors occupy. For more information about user-defined RADIUS vendors and VSAs, refer to the User-Defined RADIUS Vendors and VSA Sets section of the document Cisco Secure ACS Command-Line Database Utility.