ACS v5.4 Patch 1.

We are running ACS v5.4 Patch 1.
I need help with the command I can use to pull specific daily logs of a sql database. The default ACS 5.4 setting saves info locally and then to remote syslog servers. The auditing software pulls the info from the syslog servers to its sql database.
Collection/logs I am interested in are
1.-login in & out
2.-devices (router & switches) reboot
3.-configuration changes
We have severity level of 5 and 4 setup for AAA audit and accounting.
Looking forward to your help.
Thank you.

You want to monitor the logging for ACS configuration changes performed by acsadmin or on the configuration changes made at the network access device.
For Network Access devices to log configuration change and start/stop packets, please configure the command authorization and command accounting.
For ACS, you need to look inside Monitoring and reports > reports > Catalog > ACS instance.
~BR
Jatin Katyal
**Do rate helpful posts**

Similar Messages

  • Cisco ISE 1.2 and Cisco ACS 5.4 patch 6 and support for snmp version 3

    does anyone know if cisco ISE version 1.2 patch 8 and Cisco ACS 5.4 patch 6 support snmp version 3?
    ciscoISE/admin(config)# snmp-server ?
      community  Set community string
      contact    Text for mib object sysContact
      host       Specify hosts to receive SNMP notifications
      location   Text for mib object sysLocation
    ciscoISE/admin(config)# snmp-server
    Ciscoacs/admin(config)# snmp-server ?
      community  Set community string
      contact    Text for mib object sysContact
      host       Specify hosts to receive SNMP notifications
      location   Text for mib object sysLocation
    Ciscoacs/admin(config)# snmp-server

    No support for SNMP v3 on ISE v1.2 and 1.3 except for profiling
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/cli_ref_guide/ise_cli/ise_cli_app_a.html#12768
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/cli_ref_guide/b_ise_CLIReferenceGuide/b_ise_CLIReferenceGuide_chapter_0100.html#ID-1364-00000d30

  • Cisco ACS 5.3 patch 8 OPT Volume

    Hello,
    We currently have 12 ACS appliance with one of them being a dedicated Log Collector. We have 802.1x authentication configured for both network port and wireless access. We are authenticating desktop, laptops, smart phones, etc on our network.
    The problem we are having is the OPT volume exceeding 30% volume size recommended by Cisco TAC every few months. We have recently added more network resources to our network (merger). We are now hitting the 30% size in about 1 month.
    In the past we have called Cisco TAC when we had issues with Log Collector performance. At that time it was also authenticating 802.1x clients. We added a new appliance and made it a dedicated Log Collector. They would check the OPT volume and find that it was at about 70% use size. They would run the Root Console patch and delete the DB and then recreate it. We have done that about 2 times before we started to monitor the OPT volume size.
    This last time we ran into the 30% volume size quicker than we previously had. I had Cisco TAC delete the OPT volume and recreate it.
    Cisco TAC has recommended we reduce the amount of logs that are being sent to the Log Collector. We are currently exploring that option.
    The questions I have is:
    At what percentage size for the OPT volume should we be concerned before it starts impacting the performance of the Log Collector?
    Is there something else we can do to reduce the amount of logs that are being sent to the Log Collector?
    We have Data Purging set to 30 days. We are performing Full and Incremental backups of database. We are also sending the local logs to a Syslog server.
    We are testing making changes to send only the AAA Audit and System Statistics logs to Log Collector.
    Thanks,

    In a distributed setup, it's recommended to configure a dedicated secondary server as a log collector. However, you have a large deployment, so I'm sure the authentication rate would be high too, causing the view-database size to keep on increasing.
    In order to prevent running out of disk space we need to manage it. That means identifying the files that are created and written to by processes on the system, allocating a space budget to them such that if the files stay within their budget all services can be supported without interruption, and then defining and implementing facilities to keep those files within their budget.
    There are two mechanisms to reduce this size and prevent it from exceeding the maximum limit.
    1. Purge: In this mechanism the data will be purged based on the configured data retention period or upon reaching the upper limit of the database. In Patch 6 new option provided to do on demand purge as well.
    2. Compress: This mechanism frees up unused space in the database without deleting any records. Before the compress option could only be run manually. In ACS 5.3 Patch 6 there are enhancements so it will run daily at a predefined time, automatically when specific criteria are met.
    At what percentage size for the OPT volume should we be concerned before it starts impacting the performance of the Log Collector?
    TAC recommendations are right. You will be able to utilize all features of ACS if /opt is below 30%.
    Is there something else we can do to reduce the amount of logs that are being sent to the Log Collector?
    It seems you're using most of the features/mechanisms to keep /opt low. However, you may be interested to read more on data purging and data compression enhancements http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/release/notes/acs_54_rn.html
    - Please use System Administration > Configuration > Log Configuration > Logging Categories > Global to configure sending only the required logs to the ACS View log-collector.
    - Provide the fresh screenshot of the page Monitoring Configuration > System Operations > Data Management > Removal and Backup.
    - With the below listed command you can check the actual and physical size of the MnT database
         acs-config
         Username: acsadmin
         Password: ***********
         acsview show-dbsize
    There are few known defects on the same issue. However, the version you're running improves database management processes.
    CSCto47203: ACS 5 runs out of disk space
    CSCua51804: View backup fails even when there is space in disk
    Jatin Katyal
    - Do rate helpful posts -

  • Upgrade from ACS 5.4 patch 6 to ACS 5.5 patch 4 advice

    Hi,
    I have a pair of ACS 5.4 patch 6 running on VMWare as primary/secondary with Active Directory integration
    working without any issues.
    I would like to upgrade them to ACS 5.5 patch 4.  Here is my plan:
    1- De-register the Secondary ACS 5.4 patch 6
    2- shutdown the de-registered Secondary ACS 5.4 patch 6
    2- Take a backup of the Stand-alone Primary ACS 5.4 patch 6
    3- shutdown the Primary ACS 5.4 patch 6,
    4- build a brand new ACS 5.5 with the same name and IP address as the previous Primary ACS 5.4 patch 6
    5- patch the ACS 5.5 with patch 4,
    6- perform a restore of the old ACS 5.4 patch 6 backup on the Primary ACS 5.5 patch 4,
    7- Re-join the ACS 5.5 patch 4 with Active Directory,
    8- build a brand new ACS 5.5 to be with the same name and IP address as the previous Secondary ACS 5.4 patch 6
    9- patch the new Secondary ACS 5.5 to be with patch 4,
    10- join the new Secondary ACS 5.5 patch 4 with Active Directory,
    11- join the new ACS 5.5 patch 4 in step 4 as the Secondary ACS,
    12- validate
    Anyone see any issues with this?  I used the same steps when I upgrade from ACS 5.2 patch 3 to ACS 5.4 patch 6
    Thanks in advance

    Thank you for confirming this.  I've had horrible experiences with in-place upgrade many times so I just do not trust the in-place upgrade.
    I went back and look at my note and I think this will work, assume prod-acs1 is the Primary and prod-acs2 is the Secondary ACS:
    a- de-register the prod-acs2
    b- take a backup of prod-acs1
    c- rebuild the prod-acs2 with the same hostname and IP address of the old prod-acs2 for ACS 5.5 patch 4
    d- do a restore on prod-acs2 with the backup in step b,
    e- re-register prod-acs2 with Active Directory.  Now I have two instances of prod-acs1 and prod-acs2 with different databases but it still works because network devices on the don't know that.
    f- validate that prod-acs2 is working properly by shutting down prod-acs1
    h- Once prod-acs2 is working properly, rebuild prod-acs1,
    i- re-register prod-acs1 with Active Directory,
    j- join prod-acs1 as Secondary ACS to prod-acs2,
    k- validate that prod-acs1 is working properly by shutting down prod-acs2,
    l- now make prod-acs1 Primary and prod-acs2 Secondary,
    I just want to make sure that I can "restore" ACS backup from 5.4 patch 6 to ACS 5.5 patch 4 without any issues.
    comments?

  • ACS 5.0 Patches

    Hi all,
    is there any patches available for ACS 5.0 system 90 day eval?
    I'm evaluating ACS on vmware platform.
    The 5-0-0-21-6.tar.tar patch doesn't seem to be a valid file to do it.
    The readme file talks about a .gpg file but the patch I've downloaded is a .tar file and it is impossible to untar it.

    Yes , thanks,
    But that's not my question.
    What i said is that the patch file available on cisco site seem not to be useful to load and run in the "ACS 5.0 features an improved, centralized management of software updates ".
    I mean, i've searched for the patch file, stored on my pc, activated a tftp server and tried to run the patch from the GUI of the ACS, it stand still in upgrading phase for a long time and nothing happened.
    In ACS gui the patch file is named .gpg but on cisco site no gpg file exist!!
    So , what is the right file to do upgrade?

  • Register Secondary ACS with Primary ACS 5.4 patch 6 and getting error

    Scenario #1:
    prodacs1 and prodacs2 version 5.4 patch 6 with IP address of 10.1.1.1/24 and 10.1.1.2/24, respectively.  
    Both prodacs1 and prodacs2 are running on VMWare ESXi 5.1.  Both are sync'ed with Active Directory
    and authenticate users to manage Cisco routers and switches without any issues.  prodacs1 is the Primary
    and prodacs2 is the Secondary.  BOTH prodacs1 and prodacs2 USE THE SAME LICENSE.  Both prodacs1 and
    prodacs2 are resolved in DNS for both forward and reverse lookup.  In this production environment, everything is working as expected.
    Scenario #2:  NEW deployment in the lab
    labacs1 and labacs2 version 5.4 patch 6 with IP address of 192.168.1.1/24 and 192.168.1.2/24, respectively.  
    Both labacs1 and labacs2 are running on VMWare ESXi 5.1.  Both are sync'ed with Active Directory.  BOTH
    labacs1 and labacs2 USE THE SAME LICENSE as scenario #1.  Both labacs1 and labacs2 are resolved in DNS for both
    forward and reverse lookup.
    However, when I tried to add labacs2 into labacs1 so that labacs2 is the secondary and labacs1 to be the
    primary.  From labacs2 interface: System Administration >Operations >Local Operations >Deployment Operations,
    I enter the hostname/IP address, username/password of labacs1, then I click on "Register with Primary", I get
    this message:
    This System Failure occurred:  server cannot be added to the deployment.
    Server has same License ID as server labacs1 that already exists in the deployment.
    Your changes have not been saved.Click OK to return to the list page.
    Why is it not working?  Furthermore, why is it working in one environment but not the other with the same
    identical ACS version & patch.  Works in the production environment but not the other.
    Has anyone run into this before?  How do you fix this?

    What type of license are you using in first deployment?
    There are 2 type of licenses 
    Base license - Install a unique base license for each of the ACS secondary servers in the deployment.
    Large Deployment add-on license - It allows a deployment to support more than 500 network devices. Only one Large Deployment license is required per deployment, as it is shared by all instances
    Please check what type of license are you running in your deployment.
    In order to fix issue in your 2nd deployment you need reset-application config on your secondary, install the new unique base license (based on show udi) and register it to primary node to get the configuration replicated.
    Regards,
    Jatin Katyal
    **Do rate helpful posts**

  • Cisco ACS 5.4 patch 6

    Hi Everyone,
    I have a Primary Cisco ACS, called CiscoACS1, version 5.4 patch 6 with an IP address of 1.1.1.1/24 and a Secondary ACS, called CiscoACS2, version 5.4 patch 6 with an IP address of 1.1.1.2/24.
    Connectivity between them is ok, same subnets.  I register CiscoACS2 with CiscoACS1 and everything is working fine, including Active Directory.  Both of these ACSes are used to authenticate my network devices.
    Every time I use the webUI to log into the Secondary ACS (https://CiscoACS2), I can see that the CiscoACS2 is synced with CiscoACS1, the status is always "UPDATED"
    However, if I webUI into the Primary ACS (https://CiscoACS1), I always see CiscoACS2 as "pending". 
    I've tried to do "full replication" and eventually it will show up as "UPDATED" but a few hours later, it will show up as "PENDING".
    Anyone knows why?  Is this a "bug"?
    Thanks in advance.

    Hi,
    If replication status on ACS1 GUI is showing pending then you know, full replication happens over the Sybase DB TCP port 2638, so your port need to be open in firewall.

  • How to upgrade the patches in ACS 5.1

    I want to upgrade the ACS 5.1 in a distributed system. We have one hub/primary ACS and two other spoke/secondary ACS. I have the following queries.
    Will it be possible to upgrade only one Secondary server?
    Will the updated secondary ACS be able to sync its configuration with the primary ACS running on the older version?
    Will the updated secondary ACS retain the current configuration and authenticate the client?

    Current version of ACS system is 5.1.0.44
    Primary ACS is also working as log collector.
    I have downloaded the patch 5.1.0.44.6.rar.rar, so I believe I should rename it to 5.1.0.44.6.tar.gpg.
    so if i want to upgrade my ACS system:
    I will have to do following steps:
    de-register secondary ACS from primary and take the backup of secondary ACS
    update the patch using repository.
    finally i will have to upgrade the primary ACS.
    I would like to know what is the difference between installing / updating  patch and  Upgrade the ADE-OS version which is shown as second step in cisco.com site.

  • Apply patch to acs Appliance

    I was wondering if someone can help me to upgrade my ACS Appliance with patch 4.1.1.23.4-SW. It was simple to apply this one in a normal server 2000. The ACS appliance I think is different because that we can access by normal terminal, keyboard and mouse.
    Somewhere I read that a tomcat server is necessary?
    Please help
    adi

    Hi,
    ACS v4.1.1.23 patch 5 is available so go for this new patch.
    You should have a pc which can access ACS through web interface. Keep the patch file on the PC.
    Follow the steps below on the PC:
    [1] Extract zipped file
    [2] Look for "autorun.exe" file and double click on it
    [3] It will start a tomcat server on your desktop and you'll see a web page asking for ACS SE ip address:
    Provide in the ACS SE ip address and press "Install"
    [4] It will prompt for ACS admin username and password as shown below:
    Provide in the username and password and login.
    [5] Then it bring up ACS GUI, then go to
    System Configuration > Appliance Upgrade Status > Download,
    Then we'll get a screen where it will ask for ip address of Install Server:
    Provide in ip address of system from where we are applying this patch, in our case our desktop ip address, then click connect.
    [6] It will show us following screen:
    Click on "Download Now"
    Then it'll show us this screen:
    Press "Refresh" till we see following screen:
    [7] Now press "Apply Upgrade". Then it'll ask for confirmation:
    Press "Upgrade", then we'll get information regarding the patch.
    Click "Yes".
    It'll take few minutes to apply that patch on appliance.
    Then it'll show us a confirmation message:
    Press "Done", then system will reboot.
    To confirm that patch has been applied successfully, go to
    System Configuration > Appliance Upgrade Status
    After everything is fine stop the tomcat server by clicking on "stop distribution server" or
    if you want to apply this patch on some more appliance click on "Install Next"
    Hope this helps.
    ~Rohit

  • ACS any Version with Domain Controller on Windows Server 2008 R2 64bit

    Hi All
    Is there currently any ACS version working with Windows Server 2008 R2 domain controllers?
    Our server stuff has recently upgraded the Domain Controllers to 2008r2 and turned off the 2003 servers. This didn't make our ACS 4.1.4 really happy.
    I've now read several posts regarding issues with ACS and Server 2008r2 and hope to find a solution (besides switching to LDAP, yukk).
    Thanks
    pato

    Hi Pato,
    Just check out the below link hope that help.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/release/notes/ACS42_RN.html
    As per the link it says The support for Windows Server 2008 is applicable for ACS 4.2 Patch 4 onwards.
    Hope to Help !!
    Remember to rate the helpful post
    Ganesh.H

  • ACS 5.3.0.40 On-demand Full Backup failed.

    Hi,
    I have ACS 5.3.0.40 Primary Secondary Authenticators , of which the Scheduled backup has stopped.
    When checked the: Monitoring Configuration > System Operations > Data Management > Removal and Backup > Incremental Backup, it had changed to OFF mode without any reason.
    The same was observed earlier too.
    I have made the Incremental Backup to ON and initiated the View Full Database Backup Now. But it wasn't successful and reported an error:
    FullBackupOnDemand-Job Incremental Backup Utility System Fri Dec 28 11:56:57 IST 2012 Incremental Backup Failed: CARS_APP_BACKUP_FAILED : -404 : Application backup error Failed
    Later i did the acs stop/start  "view-jobmanager" and  initiated the On-demand Full Backup , but no luck, same error reported this time too.
    Has any one faced similar type of error /problem reported , please let me know the solution.
    Thanks & Regards.

    One other thing; if this does end up being an issue with disk space it is worth considering patch 5.3.0.40.6 or later since improves database management processes
    This cumulative patch includes fixes/enhancements related to disk management to avoid following issue
    CSCtz24314: ACS 5.x *still* runs out of disk space
    and also fix for
    CSCua51804: View backup fails even when there is space in disk
    Following is taken from the readme for this patch
       The Monitoring and Reporting database can increase when as records are collected. There are two mechanisms to reduce this size and prevent it from exceeding the maximum limit.
    1. Purge: In this mechanism the data will be purged based on the configured data retention period or upon reaching the upper limit of the database.
    2. Compress: This mechanism frees up unused space in the database without deleting any records.
    Previously the compress option could only be run manually. In ACS 5.3 Patch 6 there are enhancements so it will run daily at a predefined time, automatically when specific criteria are met. Similarly by default purge job runs every day at 4 AM. In Patch 6 new option provided to do on demand purge as well.
    The new solution is to perform the Monitoring and Reporting database compress automatically.
    2. New GUI option is provided to enable the Monitoring and Reporting database compress to run on every day at 5 AM. This can be configured under GUI Monitoring And Configuration -> System Operations -> Data Management -> Removal and Backup
    3. Changed the upper and lower limit of purging of Monitoring and Reporting data. This is to make sure at lower limit itself ACS has enough space to take the backup. The maximum size allocated for monitoring and reporting database is 42% of /opt (139 GB). The lower Limit at which ACS purges the data by taking the backup is 60% of maximum size Monitoring and Reporting database (83.42 GB). The upper limit at which ACS purges the data without taking backup is 80% of maximum size Monitoring and Reporting database (111.22 GB).
    4. The acsview-database compress operation stops all services till 5.3 patch 5 , now only Monitoring and Reporting related services are stopped during this operation.
    5. Provided “On demand purge” option in Monitoring and Reporting GUI. This option will not try to take any backup, it will purge the data based on window size configured.
    6. Even if the “Enable ACS View Database compress” option is not enabled in GUI then also automatic view database compress will be triggered if the physical size of Monitoring and Reporting database reached to the upper limit of its size.
    7. This automatic database compress takes place only when the “LogRecovery” feature is enabled, this is to make sure that the logging which happens during this operation will be recovered once this operation is completed. ACS generates alert when there is a need to do automatic database compress and also to enable this feature.
    8. Before enabling “LogRecovery” feature configure the Logging Categories in such way that only mandatory data to log into Local Log Target and Remote Log Target as Log collector under System Administration > ... > Configuration > Log Configuration
    This “LogRecovery” feature can recover the logs only if the logs are present under local log target.
    9. This automatic database compress operation also performed only when the difference between actual and physical size of Monitoring and Reporting database size is > 50GB.
    10. The new CLI “acsview” with option “show-dbsize” is provided to show the actual and physical size of the Monitoring and Reporting database. This is available in “acs-config” mode.
         acsview show-dbsize     Show the actual and physical size of View DB and transaction log file

  • ACS 5.3 Backup fails

    ACS 5.3 on VM- backup fails all the time. I opened several tickets with Cisco, but still no luck.
    Here is one of the log message I got during the backup. Maybe someone can point out what the issue is.
    debugd[2933]: [31965]: config:kron: cs_api.c[1142] [daemon]: occurrence occurrence_backup1 could not be deleted.

    I just did it on my ACS 5.4 patch 6 (running on VMWare) backup to a Windows 2003 FTP server and it works without any issues:
    repository ftp_192.168.1.129
      url ftp://192.168.1.129/
      user Administrator password hash e50ffb9aabc8ccebe066f6239efeaa1ab728a16f2b2
    labacs2/admin# backup labacs2 repository ftp_192.168.1.129
    % Creating backup with timestamped filename: labacs2-140628-2059.tar.gpg
    Calculating disk size for /opt/backup/backup-labacs2-1403989173
    Total size of backup files are 27 M.
    Max Size defined for backup files are 13339 M.
    labacs2/admin#

  • Issue with changing Access Service in ACS 5.2

    Hi,
    I am working on lab setup where I installed ACS 5.2 I created new access service and used it in existing service selection rule (Rule-2) earlier but it didn't work. Later I created new service selection rule and applied new service access rule. However even after this change it keeps applying predefined default access access service. Please refer attached picture for better understanding.
    As shown, I want Aks-Rule to work and apply service 'Lab-Policy' however it keeps referring Rule-2 and applies 'Default Device Admin' access service even after I disable it. 
    I have to restart ACS service from CLI console to make it work. Is this a bug or am I missing anything. Please advise guys.
    Regards,
    Akshay

    Since the policy AKS is top in sequence under service selection rule so it should hit for sure. As you wrote that even after disabling the default device admin, then also request is hitting the same and restarting the ACS services resolved the issue. The symptoms of your issue are exactly same as stated in this defect.
    CSCuo93378    Certain browsers cause ACS database corruption
    Due to this issue we have seen cases where request hits the disable and default policies without any reason. Actually accessing ACS via chrome mess around with all the operators in conditions.
    The only workaround is to access all the rules and conditions in supported browser. Ensure all the operators are correct, save the changes and restart the ACS services.
    The issue seems to be fixed in ACS 5.5 patch 5
    Regards,
    Jatin

  • ACS 5.4 AD Join strange Issue

    Hi,
    We have two ACS boxes with the same software version (5.4.0.46.0a). We were able to join only one ACS to the domain and the other ACS is giving the attached error.
    When we checked "main-acs-01/admin# acs troubleshoot adcheck <domain-name>", it gave the same error for both ACS, however one ACS successfully joined to the domain and still other one failed.
    main-acs-01/admin# acs troubleshoot adcheck <domain-name>
    This command is only for advanced troubleshooting and may incur a lot of network traffic
    Do you want to continue?  (yes/no) yes
    OSCHK    : Verify that this is a supported OS                          : Pass
    PATCH    : Linux patch check                                           : Pass
    PERL     : Verify perl is present and is a good version                : Pass
    SAMBA    : Inspecting Samba installation                               : Pass
    SPACECHK : Check if there is enough disk space in /var /usr /tmp       : Pass
    HOSTNAME : Verify hostname setting                                     : Pass
    NSHOSTS  : Check hosts line in /etc/nsswitch.conf                      : Pass
    DNSPROBE : Probe DNS server 172.24.1.1                                 : Pass
    DNSPROBE : Probe DNS server 172.24.1.2                                 : Pass
    DNSCHECK : Analyze basic health of DNS servers                         : Pass
    WHATSSH  : Is this an SSH that DirectControl works well with           : Pass
    SSH      : SSHD version and configuration                              : Note
             : You are running OpenSSH_5.3p1, CiscoSSL 0.9.8r.1.3.
    DOMNAME  : Check that the domain name is reasonable                    : Pass
    ADDC     : Find domain controllers in DNS                              : Pass
    ADDNS    : DNS lookup of DC xxxx.<domain-name>                     : Pass
    ADPORT   : Port scan of DC xxxx.<domain-name>                      : Pass
    ADDNS    : DNS lookup of DC xxxx.<domain-name>                    : Pass
    ADPORT   : Port scan of DC xxxx.<domain-name>                     : Pass
    ADDNS    : DNS lookup of DC xxxx.<domain-name>                     : Failed
             : Cannot resolve the IP address for xxxx.hmc.org.qa.
    ADDNS    : DNS lookup of DC xxxx.<domain-name>                     : Pass
    ADPORT   : Port scan of DC xxxx.<domain-name>                      : Pass
    ADDNS    : DNS lookup of DC xxxx.<domain-name>                  : Pass
    ADPORT   : Port scan of DC xxxx.<domain-name>                   : Pass
    ADDNS    : DNS lookup of DC xxxx.<domain-name>                    : Pass
    ADPORT   : Port scan of DC xxxx.<domain-name>                     : Warning
             : One or more ports failed to respond correctly. Either:
             :   a) the DC is offline
             :   b) a firewall is preventing access to a port
             : The following is a list of failed ports:
             :    ldap(389)/udp - timeout
             :    smb(445)/tcp - refused
             :    ldap(389)/tcp - refused
    ADDNS    : DNS lookup of DC xxxx.<domain-name>                       : Pass
    ADPORT   : Port scan of DC xxxx.<domain-name>                        : Pass
    ADDNS    : DNS lookup of DC xxxx.<domain-name>                       : Pass
    ADPORT   : Port scan of DC xxxx.<domain-name>                        : Pass
    ADDNS    : DNS lookup of DC xxxx.<domain-name>                          : Pass
    ADPORT   : Port scan of DC xxxx.<domain-name>                           : Pass
    ADDNS    : DNS lookup of DC xxxx.<domain-name>                   : Pass
    ADPORT   : Port scan of DC xxxx.<domain-name>                    : Pass
    ADDNS    : DNS lookup of DC xxxx.<domain-name>                     : Pass
    GCPORT   : Port scan of GC xxxx.<domain-name>                      : Pass
    ADDNS    : DNS lookup of DC xxxx.<domain-name>                    : Pass
    GCPORT   : Port scan of GC xxxx.<domain-name>                     : Pass
    ADDNS    : DNS lookup of DC xxxx.<domain-name>                     : Failed
             : Cannot resolve the IP address for airportdc1.<domain-name>.
    ADDNS    : DNS lookup of DC xxxx.<domain-name>                     : Pass
    GCPORT   : Port scan of GC xxxx.<domain-name>                      : Pass
    ADDNS    : DNS lookup of DC xxxx.<domain-name>                  : Pass
    GCPORT   : Port scan of GC xxxx.<domain-name>                   : Pass
    ADDNS    : DNS lookup of DC xxxx.<domain-name>                    : Pass
    GCPORT   : Port scan of GC xxxx.<domain-name>                     : Warning
             : One or more ports failed to respond correctly. Either:
             :   a) the GC is offline
             :   b) a firewall is preventing access to a port
             : The following is a list of failed ports:
             :    gc(3268)/tcp - refused
    ADDNS    : DNS lookup of DC xxxx.<domain-name>                       : Pass
    GCPORT   : Port scan of GC xxxx.<domain-name>                        : Pass
    ADDNS    : DNS lookup of DC xxxx.<domain-name>                       : Pass
    GCPORT   : Port scan of GC xxxx.<domain-name>                        : Pass
    ADDNS    : DNS lookup of DC xxxx.<domain-name>                          : Pass
    GCPORT   : Port scan of GC xxxx<domain-name>                           : Pass
    ADDNS    : DNS lookup of DC xxxx.<domain-name>                   : Pass
    GCPORT   : Port scan of GC xxxx.<domain-name>                    : Pass
    ADGC     : Check Global Catalog servers                                : Pass
    DCUP     : Check for operational DCs in <domain-name>                    : Pass
    SITEUP   : Check DCs for <domain-name>in our site                        : Pass
    DNSSYM   : Check DNS server symmetry                                   : Pass
    ADSITE   : Check that this machine's subnet is in a site known by AD   : Pass
    GSITE    : See if we think this is the correct site                    : Pass
    TIME     : Check clock synchronization                                 : Pass
    2 serious issues were encountered during check. These must be fixed before proceeding
    2 warnings were encountered during check. We recommend checking these before proceeding
    main-acs-01/admin#
    Has anyone faced this issue before? I would appreciate it if someone can advise how to fix this.

    This was a known issue with ACS 5.3; however, we got this fixed in ACS 5.3 patch 7 and ACS 5.4.
    Since you're running ACS 5.4, it should not trigger.
    CSCtx53223    After upgrade ACS 5.3 fail to join AD domain - missing Centrify license
    Symptom:
    After upgrading from 5.2 to 5.3, ACS fails to join the domain. AD connection worked for a few days, until the services were restarted. After that ACS fails to join AD with the following error message in ACSADAgent.log:
    Jan 20 02:36:32 CBR1BACS01 adjoin[6814]: DEBUG cli.adjoin Join to zone is only permitted with a licensed copy of DirectControl. Get a license or learn more about Centrify Suite at http://www.centrify.com/express
    Jan 20 02:36:32 CBR1BACS01 adjoin[6814]: DEBUG cli.adjoin Without a license, you may connect to a domain through Auto Zone by specifying adjoin -w Test.Test
    Conditions:
    Upgrade from 5.2 to 5.3. Restart the services later on.
    Workaround:
    Backup the ACS db and re-image the box to 5.3
    How did you upgrade to ACS 5.4?
    1.] Upgraded from 5.3 to 5.4 using upgrade package.
    2.] Reimaged it with ACS 5.4 ISO and restored the ACS 5.3 database.
    I would suggest you open a TAC case on this. Most likely you need to reimage the server and restore the database if you had gone through with option 1.]
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • ACS 5.4 backup status in syslog

    Have raised a TAC for this but thought I'd post here too.
    We are running ACS v5.4 Patch 1.
    We have noticed that ACS will not produce syslog messages about scheduled backups (success or failure)
    (1)    From the GUI, under “System Administration >  Configuration >  Log Configuration >  Remote Log Targets”, we have configured a remote syslog host. 
    (2)    Then, each logging category under “System Administration > Configuration >  Log Configuration >  Logging Categories >  Global”, we have configured everything to log to the remote target.
    (3)    However, no messages regarding successful or failed backups ever arrive via syslog.
    Backup status can be checked by running “show backup history” from the CLI. 
    However, syslog communication between ACSView and ACS shows backup status OK.
    You can find backup information in ACS View under:
    Monitoring & Reports >  Reports >  Catalog >  ACS Instance > ACS Operations Audit
    We have one quite simple requirement – that ACS produces syslog messages stating backup success and failure.  This will drive our alarm system.
    Has anyone else got this to work?
    Pretty simple request - backup success/failure in syslog messages!
    Forcing the output of ade.log to syslog would also do it.  Would rather not hack around under the covers with root patch though.
    Cheers!

    Hi Rob,
    I was going through your requirement and that seems to be an important notification. If we look at the ACS 5.4 guide, under logging categories, it does talk about ACS operational changes: logs all operations requested by administrators, including promoting an ACS from your deployment as the primary, requesting a full replication, performing software downloads, doing a backup or restore, generating and restoring PACs, and so on.
    Administrative and operational audit log messages are always sent to the local store, and you can also send them to remote syslog server and Monitoring and Reports server targets.
    Log messages are sent to the local store with this syslog message format:
    time stamp sequence_num msg_code msg_sev msg_class msg_text attr=value
    Log target and logging categories.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/user/guide/logging.html#wp1052656
    Since you've configured ACS logging categories to log everything, it should work fine. Can you see the same success or failure message under the local store logs of ACS? If we can see it there, it means ACS is sending it; after that we can check the log forwarder file and run a packet capture on the syslog server.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**
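
The local store check suggested in the reply above, as an added example that is not part of the original thread and not Cisco code: it parses lines in the quoted field order and reports whether a backup message is present, failed, or missing altogether. The time stamp layout, the `:` after msg_class, the comma-separated attributes and every value in `SAMPLE` are assumptions or constructed placeholders.

```python
import re

# Field order quoted from the ACS 5.4 guide in the reply above:
#   time stamp sequence_num msg_code msg_sev msg_class msg_text attr=value
# Assumptions (not confirmed on this page): the time stamp is three tokens
# (date, time, UTC offset), msg_class ends with ':', attributes are
# comma-separated key=value pairs after the message text.
LINE_RE = re.compile(
    r"^(?P<timestamp>\S+ \S+ \S+) (?P<sequence_num>\d+) (?P<msg_code>\d+) "
    r"(?P<msg_sev>[A-Z]+) (?P<msg_class>[^:]+): (?P<rest>.*)$"
)
FIRST_ATTR_RE = re.compile(r",\s*[A-Za-z][\w.-]*=")
ATTR_RE = re.compile(r",\s*([A-Za-z][\w.-]*)=([^,]*)")

def parse_line(line):
    """Split one local-store line into its named fields, or return None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rest = rec.pop("rest")
    cut = FIRST_ATTR_RE.search(rest)  # msg_text may itself contain commas
    rec["msg_text"] = rest[:cut.start()] if cut else rest
    attrs = ATTR_RE.findall(rest[cut.start():]) if cut else []
    rec["attrs"] = {k: v.strip() for k, v in attrs}
    return rec

def backup_events(lines):
    """Return (timestamp, status) for every line whose text mentions a backup."""
    events = []
    for rec in filter(None, map(parse_line, lines)):
        text = rec["msg_text"].lower()
        if "backup" in text:
            events.append((rec["timestamp"], "FAILURE" if "fail" in text else "SUCCESS"))
    return events

def alarm_state(lines):
    """OK, FAILED or MISSING; silence is treated as an alarm condition."""
    events = backup_events(lines)
    if not events:
        return "MISSING"
    return "FAILED" if any(s == "FAILURE" for _, s in events) else "OK"

# Constructed sample lines: codes, classes and texts are placeholders, not real ACS messages.
SAMPLE = [
    "2013-01-20 02:00:05.120 +00:00 0000000101 99901 NOTICE Example-Audit: Scheduled backup completed, AdminName=scheduler",
    "2013-01-20 02:10:00.000 +00:00 0000000102 99900 NOTICE Example-Auth: Authentication succeeded, UserName=alice",
    "2013-01-21 02:00:07.431 +00:00 0000000150 99902 ERROR Example-Audit: Scheduled backup failed, repository unreachable, AdminName=scheduler",
]

if __name__ == "__main__":
    print(backup_events(SAMPLE), alarm_state(SAMPLE), alarm_state(SAMPLE[1:2]))
```

The `MISSING` state covers the symptom described in the thread, where no backup message arrives at all; the keyword match on "backup" and "fail" should be replaced with the actual message text once it has been seen in the local store.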
