ACS's replication

Hi,
I need some advice about ACS replication. I have 2 independent ACSs. The first one, ACS1, is for routers/switches, remote VPN and some servers using MS-CHAP v1/2, EAP-TLS and PEAP-GTC. The second one, ACS2, is only for Wi-Fi APs using EAP-TLS and PEAP-GTC.
I'd like to set up replication between them. As I read, one should be the primary ACS and the other one the secondary ACS.
If I understood well, I should move Wi-Fi authentication to ACS1 and authenticate all devices (routers/switches/VPN/Wi-Fi) against this ACS1 (with all methods: MS-CHAP v1/2, EAP-TLS and PEAP-GTC) as primary. ACS2 will be the secondary ACS with the same configuration (routers/switches/VPN/Wi-Fi), but will authenticate them only in case of ACS1's failure.

Hi,
This is actually the right practice. I would also suggest that you let the primary ACS authenticate all kinds of sessions, including Wi-Fi, and use the secondary ACS as a standby.
ABOUT DB REPLICATION
====================
Database replication creates mirror systems of ACSs by duplicating parts of the primary ACS setup to one or more secondary ACSs. You can configure your AAA clients to use these secondary ACSs if the primary ACS fails or is unreachable. With a secondary ACS whose ACS internal database is a replica of the ACS internal database on the primary ACS, if the primary ACS goes out of service, incoming requests are authenticated without network downtime, provided that your AAA clients are configured to fail over to the secondary ACS.
I am sending you a link for Setting Up Replication for Cisco Secure ACS; I am sure this example with screenshots gives you a better understanding.
Please visit the suggested URL below:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00800e518a.shtml
HTH
JK
-Please rate helpful posts-

Similar Messages

  • ACS Database Replication

    I have 2 ACS servers:
    - ACS Appliance (v4.0)
    - ACS Server for Windows (v3.0)
    I want to design the ACS Appliance as primary and the ACS for Windows as secondary.
    I know the method for ACS Database replication.
    Thanks
    cheolhyeon

    Hello Hanwu
    Please send the screenshot of the replication page from the primary server.
    thanks
    Devashree

  • ACS server replication Query

    Hi All,
    I have two ACS servers, primary and secondary. The new secondary server is to be deployed into the network. My primary ACS server has 1000 AAA clients configured, with 15000 user IDs configured in multiple group profiles. My question is: when I do database replication between primary and secondary, will the entire database be replicated from my primary server to the secondary server, i.e. all AAA clients and end users, group profiles, interface configuration etc., or does replication have restrictions on what is replicated?
    In total: will AAA clients and user IDs be in one database backup, or will they reside in different locations?
    Kindly clarify this for me. Thank you.

    Hi,
    The entire database will get overwritten in case of a database restore.
    You use ACS Database Replication to copy various components of the ACS internal database to other ACSs. This method can help you plan a failover AAA architecture, and reduce the complexity of your configuration and maintenance tasks.
    The components that can be replicated are:
    - User and group database
    - Group database only
    - Network Configuration Device tables
    - Distribution table
    - Interface configuration
    - Interface security settings
    - Password validation settings
    - EAP-FAST master keys and policies
    - Network Access Profiles
    - Logging Configuration (Enable/Disable Settings)
    The following link will give you details of the database replication:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/SCAdv.html#wp756304
    Hope this helps.
    Regards,
    Anisha
    P.S.: Please mark this thread as resolved if you feel your query is resolved. Do rate helpful posts.

  • ACS Database Replication over VPN with overlapping Network Addresses

    We currently have two co-locations, each situated in a different province. We have two ACS servers which we want to deploy, one at each co-location. All our network equipment is behind PIX/ASA devices. Getting them to replicate over the VPN should be easy, but in our case we have overlapping network addresses at both ends of the tunnels.
    As per Cisco, data does not transit a NAT device when the two Cisco Secure ACS servers communicate, and a successful database replication can occur only if the secondary ACS server perceives no change in the IP header or content of the data it receives. So that means we will not be able to implement NAT to achieve this.
    Has anyone of you faced this problem of replicating the ACS database over a VPN with overlapping network addresses, and was anyone able to successfully solve this issue using a workaround?
    All provided info and comments are greatly appreciated.

    I can help with the 3005 setup if you decide to go that route.
    You will need to add 2 network list entries under Configuration > Policy Management > Traffic Management > Network Lists.
    You will need to configure a local and a remote address. The local will be one of the public IPs for the site (provided by your ISP). The remote will be the device you are connecting to on the other end.
    You will also need to add a NAT LAN-to-LAN rule under Configuration > Policy Management > Traffic Management > NAT > LAN to LAN.
    Use a static NAT type. The rest will look similar to my example:
    Source (local address), Translated (public IP address used in the network local list), Remote (IP address of the device on the other end)
    Now just create an IPsec LAN-to-LAN tunnel. You will need to agree with the ISP on the DES type and auth type. Use the local and remote networks you created earlier.

  • ACS Database Replication between SE and Windows

    I currently have 2 Windows ACS servers (4.0.1.27) in production and replicating databases. I also have a Solution Engine (appliance) running 4.1.4.13.7. I plan to upgrade the Windows ACS servers to 4.1.4.13.7 (same as the SE). I know that the software versions have to match for replication to work. Recently, I received conflicting information about database replication. I was told that an ACS SE (Solution Engine 1113) cannot replicate to a Windows ACS server, even if the software versions match. Before I change my production environment, I thought I would seek out additional input.

    Yes, you can replicate between ACS for Windows and the ACS appliance. It works fine.
    Regards,
    ~JG

  • ACS SE Replication to ACS

    Greetings All,
    I am putting in an ACS SE and an ACS, both running 4.2 Build 124 Patch 6. Can you give a clear instruction set to sync the two? I am looking through the user guides and the process seems somewhat unclear on a few details.
    thanks.

    Make sure that, if you intend to use cascading replication to replicate network configuration device tables, you configure the primary ACS with all ACSs that will receive replicated database components, regardless of whether they receive replication directly or indirectly from the primary ACS.
    For a further description of ACS replication, the following URL may help you:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/SCAdv.html#wp756168

  • About Secure ACS Database Replication configure

    Hi,
    I have installed ACS and the ACS database has replicated completely.
    But when I made some changes, the primary ACS generated a *.csv file.
    This file can be replicated to the secondary ACS.
    Thanks

    Can you please clarify your issue? The post is not clear.
    Regards

  • ACS 4.2 Database replication issue

    Hello Experts,
    Hope you are all doing well. I need your help with ACS database replication; I want to set up replication between ACS servers. The issue I am facing is that there is no error in the ACS replication log. It just says "outbound replication started" and sits there; no other error message is shown. I can successfully telnet to the secondary server's destination port 2000. But when I hit the replication button on the primary server, I do not observe any hit count on my ASA ACL on which I allowed TCP 2000 to the secondary server. I also checked my syslog server for any traffic denied between these 2 ACS servers but found nothing. I also did Wireshark captures on the interfaces, but no traffic is initiated when I press the "replicate now" button. Initially I thought it was a machine issue, but the same behavior is shown when I swapped primary to secondary. There are other applications running on both servers which require Java, like Cisco IME etc. Can it be a Java issue? Please help me out. I am using Release 4.2(0) Build 124 on both servers. Attached below is the replication log snapshot,
    Regards,
    Rizwan.

    https://supportforums.cisco.com/discussion/11382366/problems-witch-acs-42-replication
    https://supportforums.cisco.com/discussion/11363046/replication-problem-acs-ver-42

  • User Password Not Replicated during ACS Replication

    I am provisioning user accounts in ACS through a provisioning system. The provisioned ACS is set to replicate the user and group database to another ACS. The replication interval is set to 15 minutes.
    The problem is that even though the replication cycle runs every 15 minutes, if no user is added or deleted, the pre-checks determine that outbound replication is not required and the cycle is completed. Hence, if users' passwords change, they are not replicated to the other ACS, and if an authentication request goes to the other ACS then it fails. Manual replication is fine.
    How do I make sure replication runs even when only a user's password has changed, and not just when a user is added or removed?

    Hi,
    What is the ACS version? Where are the user accounts you are referring to stored, i.e. are they local to the ACS server itself, or are they defined in an external user database (e.g. Active Directory, LDAP, etc.)?
    Users defined via Active Directory are dynamically mapped to a user account in ACS, and this account information is typically not replicated, since the users created are dynamic and can change properties based on configuration/changes in Active Directory itself.
    Regards,
    Jagdeep

  • Sudden failed authentications for user@domain

    Hello,
    We are running 6 ACS 4.1 servers on Windows 2003 Servers. These servers are not the same as the Domain Controllers.
    For many years, we have had devices sending their username in the format domain\user and some others using user@domain. Everything was working well on our 6 ACS servers.
    Suddenly, this morning, at 06:00:25, on one single server, all the requests using user@domain were reported as failed with the following message in the ACS logs: "External DB user invalid or bad password".
    We first thought that the DC near the ACS server was the cause of the issue, but we observed that all the other ACS servers could process these user@domain AAA queries without problem. We then rebooted the ACS server and when it came back up, everything was running again like a charm.
    We could not find what happened at 06:00:25. There are no Windows Scheduled Tasks at that time, and there is no ACS DB Replication or Backup running at that time either.
    Can someone help us troubleshoot this issue, which affected only one single server in an unexpected way?
    Thanks a lot,
    David Mayor

    Hello Anisha,
    I understand that with a new installation, such post-install tasks are required. However, our installation has been running in this state for more than 2 or 3 years, and it is only over the past week that this problem has happened twice.
    We have also observed one more thing: you know that the main problem started a few seconds after 6 AM, on both days when it happened. We observed that between 00:02 (midnight + about 2 minutes) and 01:05 AM, the same problem happens as well! But at 01:05 AM, the problem automatically goes away without any intervention. However, when it happens again at 6 AM, we have to restart the server, because otherwise it would not automatically recover.
    Didn't you find anything other than "error Windows authentication FAILED (error 1326L)" in the full log?
    Thanks a lot,
    With my very best regards,
    David Mayor

  • ACS 4.2 - is it possible to change replication port?

    Hi,
    I'm trying to find out if there is some tweak to change the ACS replication port TCP/2000 to something else.
    I know it's possible to make a different policy-map or to not inspect the Skinny protocol to avoid the conflict, but that is not the solution I'm looking for. Wondering if anybody knows of a different way to change the replication port in ACS 4.2.

    Hi,
    What is the version of ACS you are running?
    If you are running ACS 4.2.1.15, then:
    Problem:
    =========
    ACS replication port re-configuration.
    Resolution:
    ============
    Please follow these steps:
    1. Interface Configuration > Advanced Options > check the checkbox "ACS Communication Port Configuration".
    2. System Configuration > Service Control > configure the port to be used for the ACS Internal Communication (choose any port between 2010 and 2025).
    Regards,
    Anisha
    P.S.: Please mark this thread as resolved if you think your query is answered.

  • ACS replication issue on VMware ESX 3.5

    I have just installed ACS 4.2 on two VMware hosts. I've configured database replication but it won't work. The error message is "shared secret mismatch". This error message occurs if a NAT device is in the path (which it isn't in this case) or if the tcp header is otherwise changed during transmission. I'm wondering if VMware is adding something to the TCP header. Has anyone come across this problem before or has anyone successfully implemented ACS replication when both hosts are on VMware?
    Thanks.

    Hi,
    I see that you are getting the "shared secret mismatch" error in the database replication logs. Just wanted to inform you that this is not because of a NATed device. This happens when we have different keys for the AAA servers on the primary and secondary ACS.
    The primary server must be configured as an AAA server and must have a key.
    The secondary server must have the primary server configured as an AAA server, and its key for the primary server must match the primary server's own key. The shared secret key should be the same on both ACSs.
    I am sending you a link for Setting Up Replication for Cisco Secure ACS; I am sure this example with screenshots gives you a better understanding.
    Please visit the suggested URL below:
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00800e518a.shtml
    If that doesn't resolve the issue, please let me know if you see any server with the IP address 127.0.0.1.
    HTH
    JK
    -Plz rate helpful posts-

  • ACS 4.2 replication issue

    We recently upgraded to ACS 4.2. All works perfectly except for replication. I now receive an error:
    ACS Internal Database Replication Errors
    1. To disable receiving of EAP-FAST replication component, "EAP-FAST master server" must be enabled on "Global Authentication Setup" page
    We are not using EAP-FAST and it doesn't appear to be enabled. EAP-FAST is not checked to replicate.

    I looked at that when I first got the issue. It says that the server is Master. If I tick the box nothing changes, and when I go back to that "Global Authentication" page the box is no longer ticked. The issue is the same on both the Primary Server and the Backup Server.

  • CiscoSecure ACS 4.1(1) Build 23 Patch 5 :database replication fails; possibly short timeout or dead

    Hi,
    For some time we have been struggling to get database replication working.
    On the primary server it is reporting the following in "Database Replication active.csv":
    07/21/2010 14:22:58 SZ0910 WARNING ACS 'SZ0920' not replied to replication request - possibly short timeout or dead
    07/21/2010 14:12:08 SZ0910 INFO Outbound replication cycle starting...
    In CSMon.log following is logged:
    CSMon 07/21/2010 14:12:11 A 1544 13760 Pausing the monitoring of CSAuth for duration 600
    CSMon 07/21/2010 14:12:11 A 1544 11640 Pausing the monitoring of CSLog for duration -1
    CSMon 07/21/2010 14:12:14 A 1544 13788 Pausing the monitoring of CSRadius for duration -1
    CSMon 07/21/2010 14:12:18 A 0641 3248 CSAuth: Paused State 0 6 Event Detected Level:2 Message:Service CSAuth has been suspended for a configured function to proceed. Monitoring will suspend until the service is restarted
    CSMon 07/21/2010 14:12:18 A 0641 3248 CSLog: Stopped State 0 6 Event Detected Level:2 Message:Service CSLog has been stopped or paused by the system. Monitoring will suspend until the service is restarted
    CSMon 07/21/2010 14:12:18 A 0641 3248 CSRadius: Stopped State 0 3 Event Detected Level:2 Message:Service CSRadius has been stopped or paused by the system. Monitoring will suspend until the service is restarted
    CSMon 07/21/2010 14:12:18 A 1544 7716 Pausing the monitoring of CSTacacs for duration -1
    CSMon 07/21/2010 14:12:28 A 0904 3248 Analysis: Level 2 'Service CSAuth has been suspended for a configured function to proceed. Monitoring will suspend until the service is restarted. Service CSLog has been stopped or paused by the system. Monitoring will suspend until the service is restarted. Service CSRadius has been stopped or paused by the system. Monitoring will suspend until the service is restarted. '
    CSMon 07/21/2010 14:12:33 E 0351 3248 Failed to log accounting packet to logger localCSLog
    CSMon 07/21/2010 14:12:33 A 0641 3248 CSTacacs: Stopped State 0 2 Event Detected Level:2 Message:Service CSTacacs has been stopped or paused by the system. Monitoring will suspend until the service is restarted
    CSMon 07/21/2010 14:12:43 A 0904 3248 Analysis: Level 2 'Service CSTacacs has been stopped or paused by the system. Monitoring will suspend until the service is restarted. '
    CSMon 07/21/2010 14:12:48 E 0351 3248 Failed to log accounting packet to logger localCSLog
    CSMon 07/21/2010 14:22:18 A 0641 3248 CSAuth: State 0 6 Event Detected Level:4 Message:Service pause timed out. Please check the timeout settings for Replication and Backup
    I have followed this checklist: https://supportforums.cisco.com/docs/DOC-8795 to make sure configs are ok.
    But still replication fails.
    There is no firewall in between.
    Both ACS servers are running on MS Windows Server 2003, SP2.
    Can anybody point me in the right direction as to what could be the possible cause of this, or where else I can look for logging for further troubleshooting?
    Thanks in advance for your help.

    Hi,
    Also check port TCP 2000; this is the replication port, which needs to be open between the primary and secondary ACS.
    Hope this helps!!
    Ganesh.H
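The thread above shows the two logs a practitioner has to read side by side when replication "hangs": the replication CSV reports the outbound cycle and, ten minutes later, the "not replied" warning, while CSMon.log shows the bounded pause it granted CSAuth and the pause timing out. The script below is an added example (not from the forum, not Cisco code) that parses both and correlates them. The sample lines are constructed from the excerpts quoted in the post; the CSV is assumed to carry date, time, host, severity and message as columns (the page shows each column on its own line), and the verdict text simply echoes the two checks the thread itself suggests (the replication/backup timeout settings and TCP/2000 reachability).

```python
import re
from datetime import datetime

# Constructed sample data, rebuilt from the log excerpts quoted in the thread above.
# Assumption: the replication CSV columns are date,time,host,severity,message.
REPLICATION_CSV = [
    "07/21/2010,14:22:58,SZ0910,WARNING,ACS 'SZ0920' not replied to replication request - possibly short timeout or dead",
    "07/21/2010,14:12:08,SZ0910,INFO,Outbound replication cycle starting...",
]
CSMON_LOG = [
    "CSMon 07/21/2010 14:12:11 A 1544 13760 Pausing the monitoring of CSAuth for duration 600",
    "CSMon 07/21/2010 14:12:11 A 1544 11640 Pausing the monitoring of CSLog for duration -1",
    "CSMon 07/21/2010 14:12:33 E 0351 3248 Failed to log accounting packet to logger localCSLog",
    "CSMon 07/21/2010 14:22:18 A 0641 3248 CSAuth: State 0 6 Event Detected Level:4 Message:Service pause timed out. Please check the timeout settings for Replication and Backup",
]

TS_FMT = "%m/%d/%Y %H:%M:%S"
CSMON_RE = re.compile(r"^CSMon (\d\d/\d\d/\d{4} \d\d:\d\d:\d\d) (\S) (\d+) (\d+) (.*)$")
PAUSE_RE = re.compile(r"Pausing the monitoring of (\w+) for duration (-?\d+)")
PEER_RE = re.compile(r"ACS '([^']+)' not replied to replication request")


def parse_replication_csv(lines):
    """Parse replication-log rows into dicts sorted oldest-first (the GUI lists newest first)."""
    rows = []
    for line in lines:
        date, time, host, severity, message = line.split(",", 4)
        rows.append({"ts": datetime.strptime(f"{date} {time}", TS_FMT),
                     "host": host, "severity": severity, "message": message})
    return sorted(rows, key=lambda r: r["ts"])


def parse_csmon(lines):
    """Parse CSMon.log lines; anything without the CSMon prefix is skipped."""
    events = []
    for line in lines:
        m = CSMON_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.strptime(m.group(1), TS_FMT),
                           "severity": m.group(2), "message": m.group(5)})
    return events


def analyse_replication(rep_lines, csmon_lines):
    """Correlate one outbound replication cycle with the CSAuth pause CSMon granted it.

    Returns a dict with the peer name, how long the primary waited for it, the
    CSAuth pause length and whether that pause expired; None if the replication
    log contains no cycle start.
    """
    rep = parse_replication_csv(rep_lines)
    mon = parse_csmon(csmon_lines)

    start = next((r for r in rep if "Outbound replication cycle starting" in r["message"]), None)
    if start is None:
        return None
    no_reply = next((r for r in rep if r["ts"] >= start["ts"] and PEER_RE.search(r["message"])), None)

    # CSMon pauses its own watchdog on CSAuth for a bounded number of seconds while the
    # replication runs; the -1 on the other services means "until resumed".
    pause_secs = None
    for e in mon:
        pm = PAUSE_RE.search(e["message"])
        if pm and pm.group(1) == "CSAuth" and e["ts"] >= start["ts"]:
            pause_secs = int(pm.group(2))
            break
    pause_timed_out = any("Service pause timed out" in e["message"]
                          for e in mon if e["ts"] >= start["ts"])

    result = {
        "cycle_start": start["ts"],
        "peer": PEER_RE.search(no_reply["message"]).group(1) if no_reply else None,
        "wait_seconds": int((no_reply["ts"] - start["ts"]).total_seconds()) if no_reply else None,
        "csauth_pause_seconds": pause_secs,
        "pause_timed_out": pause_timed_out,
    }
    if no_reply and pause_timed_out:
        result["verdict"] = ("peer silent for the whole CSAuth pause window; check the timeout "
                             "settings for Replication and Backup and TCP/2000 reachability "
                             "between the two ACSs")
    elif no_reply:
        result["verdict"] = "peer did not answer, but the CSAuth pause had not expired yet"
    else:
        result["verdict"] = "no replication timeout detected in this cycle"
    return result


if __name__ == "__main__":
    for key, value in analyse_replication(REPLICATION_CSV, CSMON_LOG).items():
        print(f"{key}: {value}")
```

On the sample data the primary waits 650 seconds for SZ0920 while CSAuth was only paused for 600, so the pause expires before the peer ever answers; that ordering (pause timeout first, "not replied" warning after) is what distinguishes a dead or unreachable peer from a replication that is merely slow.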

  • ACS 4.2 to ACS 5.4 database replication

    Hello All,
    I would like to know if it's possible to set up database replication from a Cisco ACS 4.2 server to an ACS 5.4 server?
    Thanks in advance
    Mohsin Saleem

    Unfortunately, database replication (trigger update) cannot be performed as it requires both the ACS boxes to run same code.
    If you meant migration, then yes, that can be done.
    Migrating from ACS 4.x to ACS 5.4
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/user/guide/migrate.html
    Jatin Katyal
    - Do rate helpful posts -
