ACS Replication

Hi,
I am currently trying to set up replication between two ACS servers (installed on Windows), both running software version 4.2.1.15.
The replication completes OK (as shown in the logs on both servers), but the replicated config is not showing on the secondary server.
So for example, I have 'Network Configuration Device Tables' checked on both servers (send on primary / receive on secondary), but these configured devices do not show under 'Network Configuration' when the replication has completed.
Has anyone seen this issue before? Or is there something I am missing here?
Kind Regards
Terry

Set the log level detail to full (System Configuration -> Service Control) and restart the services, then replicate again, and then look at the log files in the ACS services directories, in particular CSAuth.

Similar Messages

  • ACS replication issue on VMware ESX 3.5

    I have just installed ACS 4.2 on two VMware hosts. I've configured database replication but it won't work. The error message is "shared secret mismatch". This error message occurs if a NAT device is in the path (which it isn't in this case) or if the tcp header is otherwise changed during transmission. I'm wondering if VMware is adding something to the TCP header. Has anyone come across this problem before or has anyone successfully implemented ACS replication when both hosts are on VMware?
    Thanks.

    Hi,
    I see that you are getting "shared secret mismatch error" under database replication logs. Just wanted to inform you that this is not because of nat'ed device. This happens when we have different keys for AAA servers on primary and secondary ACS.
    The primary server must be configured as an AAA server and must have a key.
    The secondary server must have the primary server configured as an AAA server, and its key for the primary server must match the primary server's own key. The shared secret key should be the same on both ACSs.
    I am sending you one link for Setting Up Replication for Cisco Secure ACS; I am sure this example with screenshots gives you a better understanding.
    Please visit the below suggested URL:
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00800e518a.shtml
    If that doesn't resolve the issue, please let me know if you see any server with the IP address 127.0.0.1.
    HTH
    JK
    -Plz rate helpful posts-

  • Issues with ACS replication

    We have 2 ACS appliances that are separated by a WAN.
    Both appliances are at the same software version and I have replication set up per Cisco's (as well as others') directions.
    When I run replication, I get the error "Cannot replicate to 'ciscoacs2' - server not responding".
    If I try replication in the other direction, I get the same error.
    I can ping both appliances and access the web interface from both subnets.
    There is a firewall between them, but I have port 2000 open and I do not see any other deny messages relating to the ACS replication in the firewall logging.
    I ran a sniffer on the receiving appliance's port and got the following:
    10.127.101.5 10.127.80.63 TCP evb-elm > cisco-sccp [SYN] Seq=0 Win=65535 Len=0 MSS=1380
    10.127.101.5 10.127.80.63 TCP evb-elm > cisco-sccp [ACK] Seq=1 Ack=1 Win=65535 Len=0
    10.127.80.63 10.127.101.5 TCP cisco-sccp > evb-elm [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
    10.127.101.5 10.127.80.63 TCP evb-elm > cisco-sccp [RST] Seq=25 Win=0 Len=0
    10.127.80.63 10.127.101.5 TCP [TCP Dup ACK 1515#1] cisco-sccp > evb-elm [ACK] Seq=1 Ack=1 Win=65535 Len=0
    Logging on the devices themselves is terrible, so I really have no idea what would be causing replication to fail.
    Thanks.
    Jason

    One update if it will help. I've been doing some research and I found that ACS replication doesn't like NAT and replication will fail if the IP address is changed through NAT.
    While NAT is running on the firewall that our ACS appliance is behind, there is a static mapping to basically keep the NAT address the same. So NAT is being applied, but NAT is just giving it the same address.
    I don't know if the NAT process is what's causing the problem? Based on the sniff I posted earlier, the source address of 101.5 is the IP of the ACS appliance.
    Taking the device out from behind the firewall could be an option, but it would be a last resort because we would then need to reconfigure all of our equipment to point to the new address, and we have a lot of equipment.
    Thanks.
    Jason

  • ACS Replication does not replicate all users

    Hello,
    We have two ACS 4.0 solution engines. Both are configured correctly for ACS replication. After starting the replication, not all users from the primary ACS are replicated to the slave ACS. All users are in different groups, and the users that are not replicated are not in the local or unknown user group.
    Does anybody have a hint to resolve this problem?
    regards
    Torsten

    I have deleted a user which was dynamically discovered and afterwards added to a user group. After adding the user manually again, the replication was successful.
    Thank you.

  • User Password Not Replicated during ACS Replication

    I am provisioning user accounts in ACS through a provisioning system. The provisioned ACS is set to replicate user and group database to another ACS. Replication interval time is set to 15 mins.
    The problem is that even though the replication cycle runs every 15 mins, if no user is added or deleted, the pre-checks determine that outbound replication is not required and the cycle is completed. Hence, if users' passwords change, they are not replicated to the other ACS, and in case the authentication request goes to the other ACS then it fails. Manual replication is fine.
    How do I make sure replication is run even in case of a user password change and not just when a user is added or removed?

    Hi,
    What is the ACS version? Where are the user accounts you are referring to stored? I.e., are they local to the ACS server itself, or are they defined in an external user database (e.g. Active Directory, LDAP, etc.)?
    Users defined via Active Directory are dynamically mapped to a user account in ACS, and this account information is typically not replicated since the users created are dynamic and can change properties based on configuration/changes in Active Directory itself.
    Regards,
    Jagdeep

  • Best Practices with ACS Replication & external databases

    I am looking for a best practice with the following scenario:
    2 ACS Servers in 2 separate locations, each providing mutual backup to the other, i.e. all devices/users in Site X point to local ACS Server X 1st and remote ACS Server Y 2nd. In Site Y the devices/users point to the local ACS Server Y 1st and remote ACS Server X 2nd. This works fine; currently Server X replicates the Database to Server Y.
    In the future we will be implementing a remote LDAP database and will forward unknown users to this database for authentication. As I understand it, if an unknown user exists on the LDAP database then the ACS Server will create a local account (depending on the mapping policy etc.) and point the password at the remote LDAP server. If we replicate from Server X to Server Y, but Server Y has created an account for an unknown user, will this get deleted on replication? Is there a best practice to handle this scenario?
    Andy

    I could not find a best practices document as such but a lot of ground is covered in the document 'CiscoSecure Database Replication' at http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/sad.htm#wp755988.

  • ACS Replication Issue

    Yesterday we had two ACS 4.0 servers installed on Windows 2000 Domain Controllers that were working great. ACS1 was the primary server and replication was configured to send to ACS2. ACS2 replication was configured to receive from ACS1.
    We lost ACS2 yesterday so I installed ACS 4 on a 2003 Domain Controller (ACS3). I installed ACS3, went into network configuration and added ACS1 as an AAA server.
    I then logged onto ACS1 and added ACS3 as an AAA server and configured ACS3 as a replication partner.
    It is not replicating - if I look at the log I get
    ERROR, ACS 'ACS3' has denied replication request
    I do not have the primary as a replication on the secondary.
    I have some screen shots of the configuration from ACS2 and I've duplicated everything I've could (except for name and IP).
    Any ideas on what I can try next?

    I had what seems to be the same issue.
    In my case I have two ACS SE 1113 appliances, but the issue could still be the same with your Windows servers.
    The appliance has two NICs, and I had both of the NICs connected. Although the appliance only allows you to use the Primary NIC (the bottom one), ACS still detected the Secondary NIC and created an additional "AAA Server" entry under the "Network Configuration" tab called "self". You should only have one "self" entry in your AAA Server list, not two.
    Unfortunately I couldn't find a way to undo this. So I disconnected the Secondary NIC (the top one) and used the recovery CD to reload both of my ACS devices. Now everything works just fine.
    - Nate

  • ACS replication and IP pools server

    Hi, I have 2 ACS 3.3.2 with replication active and IP pools server function active.
    I know that the IP pools definitions are not replicated but the group associations with pools are.
    What's the best way to manage the IP pools on the 2 ACSs ?
    60% of the pool on the first and 40% on the second ?
    Or is there a way to inform the second ACS of the single IP assigned by the first ACS to avoid overlapping, in case of failure of the first ACS?
    Thank you in advance
    Greetings
    Renato

    IP pools are purposely not replicated automatically, no way around it. This is to avoid the situation where users authenticating to two different ACS servers get allocated the same IP address.
    Basically there's nothing in ACS where the primary and backups talk to each other about what IP addresses they've allocated (this would be a huge task and require some new sort of communication mechanism between servers). If the same IP pool is configured on all 3 servers, they'll just blindly allocate the next available IP address to users, and you'll run into scenarios where two (or more) users get given the same address.
    The pool is therefore purposely not replicated, which means you have to go in manually and configure it, making sure you configure a UNIQUE pool across the 3 servers. This only has to be done once and is then there forever.

  • ACS Replication Windows and Appliance

    We have a situation where two existing 3.2.1 ACS servers are replicated. The boxes are to be replaced by ACS appliances running 3.3.2. The problem, however, is that we cannot replicate between different versions.
    We are planning on upgrading the master server to 3.3.2, then removing the replicated host, installing the ACS appliance in its place and starting the replication again.
    Anyone done this? Will it work, WIN -> ACSAppliance?
    Also, is there a way the backup file on the WIN ACS can be restored to an ACSAppliance? It might be a cleaner solution to restore the backups of both boxes into the ACS appliance, so that we do not potentially damage the live environment.
    Any ideas greatly appreciated.

    You can have database replication running between different versions, but the versions can only vary in minor versions, not major versions. For instance, you can replicate between a 3.2.2 and a 3.2.3 version, but you could not replicate between 3.2.x and 3.3.x.

  • ACS replication error

    I have a primary ACS with IP address 10.250.97.29/24. It is working fine.
    Now I would like to add a secondary ACS with IP 10.250.97.50/24. Both ACS 4.1 are identical with version 23 patch 5. Both are running on Win2k3 with Service Pack 2. Both Win2k3 are domain controllers in the same forest.
    I followed the guide in Cisco CCO for replication, but when I tried to replicate from the primary I get this:
    Outbound replication cycle starting..
    ACS 'lab-test' has denied replication request
    Outbound replication cycle completed
    lab-lcs is the primary ACS and lab-test is the secondary ACS.
    On the lab-test, I see this:
    Inbound database replication from ACS 'lab-lcs' denied
    On the lab-lcs, I configured it to accept replication from the Primary ACS.
    Anyone know why it is not working?
    Thanks.

    Ensure that you do not have the Primary ACS server entry under the "Replication Partner" column on the Secondary ACS configuration for the Internal Database Replication section. It should be under "AAA Server" under the Replication section.
    Regards,
    Prem

  • ACS replication and NAT

    Hi all,
    I have the following question: is it possible to set up replication between 2 servers running the same version of ACS, but with 1 server behind a PIX running static NAT (the private IP address of one server is statically mapped to a public address)?
    I was able to manage the replication when the two servers were on the same LAN, but when I move the second server onto the private LAN I obtain the error "shared secret mismatch".
    Any idea?
    Thanks
    Regards
    Roberto

    ACS versions 3.1 and greater will not work with replication and NAT'ing. The security of the replication process was increased in these versions, and the originating server hashes its own IP address (the non-NAT'd version of it) into the data to be used as part of the verification process.
    If the receiving server sees this from a different IP address due to the NAT'ing then it will fail and produce the "shared secret mismatch" error you're seeing.
    Sorry, no way around it unfortunately.
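As an added illustration (not ACS's own code), here is a simplified model of the IP-bound verification described in this answer and of the key mismatch JK describes in the "ACS replication issue on VMware ESX 3.5" thread above: the sender keys a MAC with the shared secret over its own address plus the payload, so either a key that differs between the two servers or a NAT that rewrites the source address makes the receiver's check fail. The HMAC-SHA256 construction, field layout, addresses and secrets are all assumptions.

```python
import hmac
import hashlib
import ipaddress
from typing import Optional

# Constructed model of the IP-bound replication check described in the thread.
# It is NOT ACS's real wire format: the HMAC-SHA256 construction, the field
# layout and every address/secret below are assumptions for illustration.

def sign_replication(shared_secret: bytes, own_ip: str, payload: bytes) -> bytes:
    """Sender side: the originating server binds the payload to its OWN
    (pre-NAT) address, so the tag only verifies if the receiver observes the
    same source address and holds the same shared secret."""
    bound = ipaddress.ip_address(own_ip).packed + payload
    return hmac.new(shared_secret, bound, hashlib.sha256).digest()

def verify_replication(key_for_partner: bytes, observed_src_ip: str,
                       payload: bytes, tag: bytes) -> bool:
    """Receiver side: recompute over the source address actually seen on the
    wire, using the key configured for that partner's AAA-server entry."""
    bound = ipaddress.ip_address(observed_src_ip).packed + payload
    expected = hmac.new(key_for_partner, bound, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)

def replicate(primary_ip: str, primary_key: bytes, secondary_key: bytes,
              nat_ip: Optional[str] = None) -> str:
    """Run one simulated replication push and return the receiver's verdict.
    nat_ip models a static NAT rewriting the source address in transit."""
    payload = b"constructed replication payload"   # constructed sample data
    tag = sign_replication(primary_key, primary_ip, payload)
    seen_from = nat_ip or primary_ip               # what the secondary observes
    ok = verify_replication(secondary_key, seen_from, payload, tag)
    return "replicated" if ok else "shared secret mismatch"

def scenarios() -> dict:
    key = b"example-shared-key"                    # constructed secret
    return {
        # both servers hold the same key, no NAT in the path
        "same_lan_same_key": replicate("10.0.0.5", key, key),
        # JK's case: the secondary's key for the primary differs from the primary's own key
        "different_keys": replicate("10.0.0.5", key, b"other-key"),
        # Roberto's case: same key, but a static NAT rewrites the source address
        "static_nat": replicate("192.168.1.5", key, key, nat_ip="203.0.113.5"),
    }

if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name}: {verdict}")
```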

  • ACS 4.2 - is it possible to change replication port?

    Hi,
    I am trying to find out if there is some tweak to change the ACS replication port TCP/2000 to something else.
    I know it's possible to make a different policy-map or to not inspect the Skinny protocol to avoid the conflict, but that is not the solution I'm looking for. Wondering if anybody knows of a different way to change the replication port in ACS 4.2.

    Hi,
    what is the version of ACS you are running?
    If you are running ACS 4.2.1.15 then,
    Problem :
    =========
    ACS replication port re-configuration.
    Resolution :
    ============
    Please follow these steps:
    1. Interface Configuration > Advanced Options > check the checkbox "ACS Communication Port Configuration".
    2. System Configuration > Service Control > configure the port to be used for the ACS Internal Communication (choose any port between 2010 and 2025).
    Regards,
    Anisha
    P.S.: please mark this thread as resolved if you think your query is answered.

  • ACS 4.2 Database replication issue

    Hello Experts,
    Hope you are all doing well. I need your help with ACS database replication; I want to do replication between ACS servers. The issue I am facing is that there is no error in the ACS replication log. It just says outbound replication started, and sits there; no other error message is shown.
    I can successfully telnet to the secondary server's destination port 2000. But when I hit the replication button from the primary server, I do not observe any hit count on my ASA ACL on which I allowed TCP 2000 for the destination secondary server. I also checked my syslog server to see if there is any traffic denied between these 2 ACS servers but found nothing. I also did Wireshark captures on the interfaces, but no traffic is initiated when I press the "Replicate Now" button.
    Initially I thought it was a machine issue, but the same behavior is shown when I swapped primary to secondary. There are other applications running on both the servers which require Java, like Cisco IME etc. Can it be a Java issue? Please help me out. I am using Release 4.2(0) Build 124 on both servers. Attached below is the Replication LOG snapshot,
    Regards,
    Rizwan.

    https://supportforums.cisco.com/discussion/11382366/problems-witch-acs-42-replication
    https://supportforums.cisco.com/discussion/11363046/replication-problem-acs-ver-42

  • DB replication Problem

    I am running ACS and am rehosting one of our machines to a VM. Since it is our master that we are rehosting, I would like to first sync to the new VM from the physical box.
    All services are up on the VM instance, but syncing the DB does not happen, as the reported service is not running.
    I have been looking at the available doc, and the only probable cause for this to happen is if there is a FW in between, and to remove Skinny inspection.
    There is no FW between either machine; they are just on different segments. Would there be any other reason this would happen?

    Here is the ACS replication check list, please verify in your ACS configuration to see if DB replication is set up correctly.
    1) Make sure that you are not replicating over NAT. Replication over NAT does not work because the IP is used as part of the server authentication
    2) Next, check to make sure that you are not sending or receiving the distribution table. On the primary server, the distribution table should not be checked in the send list, and on the secondary, the distribution table should not be checked for receive.
    3) Then I would like you to check in the secondary server's partner list, to make sure that the primary is not listed. You should not enter the primary server into the partner list on the secondary server. However, the primary server should have all secondary servers listed in its partner list.
    4) Ensure that the secondary server has its replication scheduling set to "manual".
    5) Please verify that your servers are all running exactly the same ACS version and build. You can verify this at the bottom of the screen when you first login to CSAdmin.
    Regards,
    ~JG
    Do rate helpful posts

  • ACS load balancing

    If I have a CSS and I want to load balance between 2 ACS, do I have to make one of them active and the second backup, or can I load balance between both servers?
    If yes, will this not affect the authentication and database?
    If there is any article, it will be even better.

    Hi,
    Cisco ACS has a replication feature that allows you to have more than one (1) ACS servers/appliances to provide high-availability/ redundancy. In this case, you will have one primary and more than one secondary (backup) servers.
    The database replication creates mirror systems of ACSs by duplicating parts of the primary ACS setup to one or more secondary ACSs. Without load-balancer, you need to add both primary and secondary ACSs in all AAA clients as backup if the primary ACS fails or is unreachable. With a secondary ACS whose ACS internal database is a replica of the ACS internal database on the primary ACS, if the primary ACS goes out of service, incoming requests are authenticated without network downtime, provided that your AAA clients are configured to fail over to the secondary ACS.
    The following url provides you with details on how the ACS replication is performed:
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs40/user/sad.htm#wp756102
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs40/user/index.htm
    I am not sure about load-balancing two ACSs, but you probably can try this. Behind a load-balancer, maintain the primary/secondary server setup to enable replication (selected items only) from primary to secondary ACS. But please bear in mind that in replication only the Primary ACS can send updates to the backup server; it is not bidirectional. The backup/secondary ACS can only receive updates. Use the replication features as an update tool between the servers. All changes/updates must be made in your primary ACS only.
    In normal ACS replication, all AAA clients need to specify the primary and secondary ACS server as backup. With a load-balancer, only one (1) IP is required, which is the virtual IP assigned by the load-balancer to represent the two ACSs.
    Rgds,
    AK
