ACS vlan assignments fail

I currently have a WLC 5508 and ACS 5.1; previously, the only access policy was default network access with the authorization profile Permit Access.
My users and machines successfully authenticate against RADIUS via AD.
I want to consolidate some SSIDs and use dynamic VLAN assignments via RADIUS. I created a new VLAN, SSID, service, service selection rule, authorization profile, end station filters, etc. All of this works if the authorization profile is set to permit. When I add the profile with the VLAN it begins failing. I have used just the VLAN profile, and the VLAN profile and the default permit profile together in both orders.
If I do not enable RADIUS override on the WLC I get a message saying RADIUS overrides are globally disabled.
Once I turn on overrides and use the authorization profile with the VLAN, I get "web auth failed, radius server disabled".
The RADIUS server log shows "could not find network resource or AAA client while accessing NAS by ip" during authentication.
What am I missing?
Thanks,

OK, while taking screen shots and reviewing logs to send this morning I discovered the NAS IP in the failure log.
On a successful login with my current setup the NAS IP is the management IP of the WLC, x.x.16.254.
On the failed logins with the VLAN assignment the NAS IP is the IP of the interface assigned to the WLAN, in this case x.x.3.5.
Once I added 3.5 as an AAA client with the shared key, I can successfully authenticate with my test auth profile with VLAN assignment.
However, I stay in the VLAN of the WLAN interface; I do not get moved to the new VLAN as I should.
I have attached the screen shots. Let me know if there is more info you need.
Thanks,

Similar Messages

  • Dynamic VLAN assignments with ACS

    Hello all.
    I am trying to do dynamic VLAN assignments with dot1x auth. I am using ACS 5.3 and a Cisco 3560.
    I have configured them correctly to the best of my knowledge but it doesn't seem to be working correctly.
    aaa group server radius nac_servers
     server-private 84.93.219.163 auth-port 1812 acct-port 1813 key 7 xxxxxx
    aaa authentication dot1x default group nac_servers
    aaa authorization network default group nac_servers
    interface FastEthernet0/2
     switchport mode access
     switchport voice vlan 364
     srr-queue bandwidth share 10 10 60 20
     srr-queue bandwidth shape 10 0 0 0
     priority-queue out
     authentication event no-response action authorize vlan 303
     authentication host-mode multi-domain
     authentication port-control auto
     mls qos trust cos
     auto qos voip trust
     dot1x pae authenticator
    When the user connects I get the following via debug:
    Apr 30 15:19:36.303: %AUTHMGR-5-VLANASSIGN: VLAN 300 assigned to Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7
    However "show int status" still shows the port on vlan 1 and the end device is stuck with a 169.x.x.x address (Windows PC).
    Any idea what config I'm missing?
    Thanks
    Paul

    Hello.
    Here is what's left in the log.
    Apr 30 15:19:36.253: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
    Apr 30 15:19:36.253: EAPOL pak dump rx
    Apr 30 15:19:36.253: EAPOL Version: 0x1  type: 0x0  length: 0x007B
    Apr 30 15:19:36.253: dot1x-ev:
    dot1x_auth_queue_event: Int Fa0/2 CODE= 2,TYPE= 25,LEN= 123
    Apr 30 15:19:36.253: dot1x-ev(Fa0/2): Received pkt saddr =70cd.6066.988a , daddr = 0180.c200.0003,
                        pae-ether-type = 888e.0100.007b
    Apr 30 15:19:36.253: dot1x-ev(Fa0/2): dot1x_sendRespToServer: Response sent to the server from 0x55000021 (70cd.6066.988a)
    Apr 30 15:19:36.269: dot1x-ev(Fa0/2): Sending EAPOL packet to 70cd.6066.988a
    Apr 30 15:19:36.269: dot1x-ev(Fa0/2): Role determination not required
    Apr 30 15:19:36.278: dot1x-ev(Fa0/2): Sending out EAPOL packet
    Apr 30 15:19:36.278: dot1x-ev(Fa0/2): Role determination not required
    Apr 30 15:19:36.278: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
    Apr 30 15:19:36.278: EAPOL pak dump rx
    Apr 30 15:19:36.278: EAPOL Version: 0x1  type: 0x0  length: 0x002B
    Apr 30 15:19:36.278: dot1x-ev:
    dot1x_auth_queue_event: Int Fa0/2 CODE= 2,TYPE= 25,LEN= 43
    Apr 30 15:19:36.286: dot1x-ev(Fa0/2): Received pkt saddr =70cd.6066.988a , daddr = 0180.c200.0003,
                        pae-ether-type = 888e.0100.002b
    Apr 30 15:19:36.286: dot1x-ev(Fa0/2): dot1x_sendRespToServer: Response sent to the server from 0x55000021 (70cd.6066.988a)
    Apr 30 15:19:36.286: dot1x-ev(Fa0/2): Sending EAPOL packet to 70cd.6066.988a
    Apr 30 15:19:36.286: dot1x-ev(Fa0/2): Role determination not required
    Apr 30 15:19:36.294: dot1x-ev(Fa0/2): Sending out EAPOL packet
    Apr 30 15:19:36.294: dot1x-ev(Fa0/2): Role determination not required
    Apr 30 15:19:36.294: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
    Apr 30 15:19:36.294: EAPOL pak dump rx
    Apr 30 15:19:36.294: EAPOL Version: 0x1  type: 0x0  length: 0x002B
    Apr 30 15:19:36.294: dot1x-ev:
    dot1x_auth_queue_event: Int Fa0/2 CODE= 2,TYPE= 25,LEN= 43
    Apr 30 15:19:36.294: dot1x-ev(Fa0/2): Received pkt saddr =70cd.6066.988a , daddr = 0180.c200.0003,
                        pae-ether-type = 888e.0100.002b
    Apr 30 15:19:36.294: dot1x-ev(Fa0/2): dot1x_sendRespToServer: Response sent to the server from 0x55000021 (70cd.6066.988a)
    Apr 30 15:19:36.303: %DOT1X-5-SUCCESS: Authentication successful for client (70cd.6066.988a) on Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7
    Apr 30 15:19:36.303: dot1x-ev(Fa0/2): Sending event (2) to Auth Mgr for 70cd.6066.988a
    Apr 30 15:19:36.303: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (70cd.6066.988a) on Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7
    Apr 30 15:19:36.303: %AUTHMGR-5-VLANASSIGN: VLAN 300 assigned to Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7
    Apr 30 15:19:37.167: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to up
    Apr 30 15:19:37.335: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (70cd.6066.988a) on Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7
    Apr 30 15:19:37.335: dot1x-ev(Fa0/2): Received Authz Success for the client 0x55000021 (70cd.6066.988a)
    Apr 30 15:19:37.335: dot1x-ev(Fa0/2): Sending EAPOL packet to 70cd.6066.988a
    Apr 30 15:19:37.335: dot1x-ev(Fa0/2): Role determination not required
    Apr 30 15:19:37.335: dot1x-ev(Fa0/2): Sending out EAPOL packet
    Hope that helps

  • FlexConnect, EAP-TLS and dynamic VLAN assignments

    I need to integrate Cisco ISE and WLC5508 with FlexConnect (local switching) using EAP-TLS security for wireless clients across multiple floors (dynamic VLAN assignments based on floor level). The AP model used is 3602.
    I have some questions:
    - What RADIUS attribute can be used for dynamic VLAN assignments based on floor level? Is there an option where I can group all LWAPs on the same floor so they get a certain VLAN from ISE?
    - I intend to use WLC software version 7.2 since 7.3 is the latest version. Has anyone used WLC software version 7.3 without any major bugs/issues pertaining to FlexConnect and EAP-TLS?
    - I read some documents saying L3 roaming is where the associated WLC has changed. However, if a user moves to a different subnet but is still associated to the same WLC, would this be considered L3 roaming too?
    Can someone assist to clear my confusion here? Any reference URL for layer 2 and layer 3 roaming details is appreciated. Thanks

    I'll give this a shot:)
    For RADIUS VLAN attributes, both ACS and ISE have the ability in the policies to just enter the VLAN ID in the profile. You can either do that or use the IETF attributes.
    The RADIUS attributes to configure for VLAN assignment are IETF RADIUS attributes 64, 65, and 81, which control VLAN assignment of users and groups. See RFC 2868 for more information.
    64 (Tunnel-Type) should be set to VLAN (Integer = 13)
    65 (Tunnel-Medium-Type) should be set to 802 (Integer = 6)
    81 (Tunnel-Private-Group-ID) should be set to the VLAN number. This can also be set to VLAN name if using a Cisco IOS device (excludes Aironet and Wireless Controllers however).
    You can find this by searching on Google. A lot of examples out there.
    v7.2 and v7.3 I have had no issues with, with any type of encryption used. With 7.0 and 7.2, I would use the latest due to the Windows 8 fix.
    Layer 3 roaming is what's going to happen if the APs are in local mode. This means that the client will keep their IP address no matter what AP they are connected to and/or WLC, as long as the mobility group is the same. So a user who boots up on floor 1 will keep its IP address even if he or she roams to the 12th floor, as long as he or she didn't lose wireless connection.
    With FlexConnect you can do that. The APs are trunked and need to have the VLANs. So what you're trying to do will be disruptive to clients. When they roam to another floor's AP that is FlexConnect locally switched, they will drop and have to re-associate in order to get a new IP address.
    Hope this helps.
    Sent from Cisco Technical Support iPhone App

  • 802.1x Machine and User Auth Vlan assignments

    I have machine and user auth working between Win2K PC and ACS 3.3 but not sure how to best use the Vlan assignment feature. I use Vlans for different departments and if I assign a vlan in ACS to a machine when it authenticates but the user is assigned to a different Vlan, I don't get a renewed IP.
    Here is how it's working now:
    1. Machine authenticates to ACS and assigned to a Vlan
    2. User logs in and if they are assigned to the same Vlan as the machine, works fine. If assigned to another vlan, the switchport does get changed but the PC still has an IP from the initial Vlan it was assigned to. Releasing and renewing doesn't work but I really don't expect it to.
    So, I figure the solution to this is just not set a per user vlan and only set it per machine. But, the group mapping in ACS looked like a great way to assign Vlans based on a user's Active Directory group but it doesn't appear to recognize the different computer OU's we have. So I can assign vlan's based on user groups but not computer groups. As machines are added to ACS, I could change them to an ACS group with the Vlan set but this would be a lot more work than an automated method like unknown user policy.
    So, how are others assigning machines to vlans in large multi-vlan networks using ACS and 802.1x?

    By default users and computers belong to different global groups, "Domain Users" vs. "Domain Computers" for example.
    As for your example, it seems like you have a misbehaving supplicant, and authentication is attempting and then timing out and starting over. That never actually gets to fail, so the auth-fail stuff won't help.
    Note: A good way to troubleshoot this is to notice it in action via show command:
    Here's an example of what you should see on a switch port.
    AuthSM State = State of the 802.1X Authenticator PAE state machine
    VALUES:
    AUTHENTICATED -- Auth Succeeded
    AUTHENTICATING -- Auth is attempting
    CONNECTING -- Dot1x is up and configured and trying to locate a supplicant.
    HELD -- Auth probably failed.
    BendSM State = State of the 802.1X back-end authentication state machine
    VALUES:
    IDLE -- Nothing is happening.
    REQUEST -- Switch sent some EAP data to AAA, and is waiting to get something back.
    RESPONSE -- AAA sent the switch back some data, and the switch in turn asked the supplicant for more data.
    NOTE: You should rarely see the RESPONSE state above. If you see it for more than a second or so in the middle of an auth attempt, that's a smoking gun that you might have a misbehaving supplicant, because it shouldn't take that long to send an EAPOL frame. The switch will eventually time out and start auth over.
    Hope this helps,

  • Patch rollup for Cisco Secure ACS 4.2 fails.

    I've got 2 freshly installed ACS 4.2 for Windows servers and I need to apply the latest patch rollup before I build the configurations.  I stopped the ACS services and ran Acs-4.2.0.124.15-SW.exe to install the patches.  The application begins running fine but fails on upgrading the database and then none of the ACS services would start.  I was able to restore the files from the backup that runs with the patch utility and get ACS functioning again.  What am I missing - does the patch rollup require any specific Microsoft Patches to be installed or something like that?
    Thanks

    Thanks for the feedback.  I attempted the patch rollup install again and it failed in the same place - on the database upgrade.  I did think of one thing.  Do I need to have my antivirus/protection services disabled prior to installing the rollup?
    Also my versions are as follows:
    Server OS - Windows Server 2003 R2
    Cisco Secure ACS - 4.2.(0) Build 124
    Thanks,
    Richard Jaehne

  • ACS DB Replication Fails Through Cisco Firewalls w/Skinny Policy Inspect

    We run Cisco ACS v3.3 (Windows) on two servers over our WAN, and replicate the internal databases for redundancy. The problem is that replications fail between the ACS servers, and it is because of the default port the ACS servers use to replicate over: TCP 2000.
    Between the two servers are Cisco ASA firewalls running 7.2.2(19). We run Cisco MGCP VoIP phones between the sites as well, which utilize TCP 2000 for call control.
    When the policy-inspect skinny command is enabled on the firewalls, the ACS server replication breaks, because the firewall sees that the TCP 2000 packets for the DB replication are not VoIP call control packets.
    Is there a way to reconfigure the ACS servers so they use a different port other than TCP 2000? (Registry hack, ini file edit, something???)
    Frankly, it is rather lame of Cisco to implement an already defined port for their DB replication that is defined by the IETF as a well-known port for the skinny protocol. Even worse is that this problem continues to exist into v4.0 as I understand it.
    And no, we should not have to disable the inspect-policy for skinny on the ASAs. :-)
    Any help to quell my frustration on this topic would be appreciated.
    Thanks,
    -Scott

    Scott,
    If disabling the inspection of the skinny protocol is not feasible, the following
    configuration sample may be incorporated into the firewall configuration so that replication traffic is not affected by the skinny fixup:
    In this example, the ACS servers are at IP addresses 10.1.2.3 and 10.4.5.6.
    #Define what traffic you want inspected:
    access-list skinny_acl extended deny ip host 10.1.2.3 host 10.4.5.6
    access-list skinny_acl extended deny ip host 10.4.5.6 host 10.1.2.3
    access-list skinny_acl extended permit tcp any any eq 2000
    #Create a class map to match the acl
    class-map skinny_map
    match access-list skinny_acl
    #Under the global policy, take the skinny inspection out of the
    #class inspection_default, and add it under our new class
    policy-map global_policy
    class inspection_default
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    class skinny_map
    inspect skinny
    service-policy global_policy global
    ###Will be inspected for skinny###
    FWSM(config-pmap-c)# show service-policy flow tcp host 172.16.1.2 host 172.16.5.6 eq 2000
    Global policy:
    Service-policy: global_policy
    Class-map: skinny_map
    Match: access-list skinny_acl
    Access rule: permit tcp any any eq 2000
    Action:
    Input flow: inspect skinny
    FWSM(config-pmap-c)#
    ###Will not be inspected for skinny###
    FWSM(config-pmap-c)# show service-policy flow tcp host 10.1.2.3 host 10.4.5.6 eq 2000
    Global policy:
    Service-policy: global_policy
    FWSM(config-pmap-c)#
    Regards,
    ~JG
    Please rate if it helps!

  • ACS Machine Authentication Fails Every 30 Days

    Running ACS5.2, Windows XP Pro, Window Server 2003 and Cisco Anyconnect Client. When the machine name password changes between the PC and the AD server the ACS will error out with "24485 Machine authentication against Active Directory has failed because of wrong password"
    TAC has been working with us on this and sees the error in the logs but does not have an answer on what to do to solve this. It has the same problem with Wireless Zero.
    Once the PC is rebooted the error goes away for 30 days. We are in a hospital setting, so this is not just a minor problem.

    So it looks like this is the official Microsoft answer:
    Hello Tom,
    I had a discussion with an escalation resource on this case and updated him on what we found so far. From what I understand this is a known issue when the client is using PEAP with computer authentication only, and the workarounds to this problem are the 2 solutions lined up in that article that I sent you.
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;904943
    Regards
    Krishna

  • Secondary ACS 5.1 fails to Deregister, after IP change on Primary

    IP address of Primary had to be changed, to respond to a hardware failure of TACACS server with IP in many device configs.
    Now the Secondary fails to respond to repeated "Deregister from Primary" requests, even after reload,
    apparently because it cannot reach the Primary at its old IP address.
    Requesting Deregister in the GUI generates a pop-up that says, "This operation will deregister this ACS Instance from the Primary Instance.
    Management applications on this ACS instance will be restarted and you will be required to login again. After performing this operation
    please wait five minutes for this restart to complete.
    Do you wish to contine?" [ OK ]
    But checking back after 10 minutes, or even the next day, finds the Secondary's status unchanged.
    Also tried Local Mode, Deregister from Primary; this also fails.
    Does anyone have a HOWTO URL on a total rebuild of the ACS application?
    Both ACS are CACS-1121-K9   running 5.1.0.44.4.
    Thanks in advance for any help...
    *** UPDATE: ***
    Recommended command, "application reset-config acs", was _exactly_ what was needed.
    jrabinow - many thanks! :-)
    Also, thank you for mentioning that the license would be required, so that I could locate it in advance and have it ready.
    Since there were no local certs on the server, we did not need to re-install those.

    Since this is a secondary it should not have too much in terms of specific configuration.
    Therefore one possibility is to reset the configuration so it once again becomes just a standalone node, and then register it back to the deployment as is done for any new node and as you previously registered it.
    The configuration reset can be done using the following command at the CLI:
    application reset-config acs
    Note that after you reset the configuration you will need to reinstall the license, so make sure you have this to hand.
    Also, if you had installed a server certificate for the secondary server you would need that too.

  • CiscoWorks: VLAN creation failed via CM-VLAN Configuration

    Hi,
    I have been trying to create a VLAN on a single switch via CM-VLAN Configuration and get the message below, although the switch is configured with correct SNMP and I can back up the same device via RME and also deploy config to it via NetConfig.
    Please advise. Thanks
    I am using LMS 3.2.1; CM 5.2.2; RME 4.3.2
    Creation of VLAN failed
    "There were some errors during operation."
    Failed to perform the operation on 10.*.*.* Cause:An error occured while performing SNMP operation.
    Action:Examine and save the server log file and report the error to the product administrator for further action.

    The credentials can be changed under Common Services > Device and Credentials > Device Management.  Select the devices and click the Edit Credentials button.  Fill in the correct username and password for these devices.

  • Service-policy on Vlan interface failed

    Hi, All!
    This is my configuration:
    class-map match-any voip_control_trust-CMAP
    match ip dscp cs3
    match ip dscp af31
    class-map match-any voip_rtp_trust-CMAP
    match ip dscp ef
    class-map match-any internetwork-cntrl-CMAP
    match ip dscp cs6
    policy-map output_qos-PMAP
    class voip_rtp_trust-CMAP
      priority 56
    class voip_control_trust-CMAP
      bandwidth percent 2
    class internetwork-cntrl-CMAP
      bandwidth percent 5
    class class-default
      fair-queue
      random-detect
    cisco(config)#int Vlan 2
    cisco(config-if)#service-policy output output_qos-PMAP
    Configuration failed!
    It was tested on 877, 871, 871W, 877W with ios c870-advipservicesk9-mz.124-15.T5.bin, c870-advipservicesk9-mz.124-15.T8.bin, c870-advipservicesk9-mz.124-15.T10.bin, c870-advipservicesk9-mz.124-15.T11.bin, c870-advipservicesk9-mz.124-24.T2.bin
    Strange error. Does anybody know what's the problem?

    OK, I tried to make a workaround solution:
    policy-map OUTPUT_QOS_PMAP
    class VOIP_RTP_TRUST_CMAP
        priority 56
    class VOIP_CTRL_TRUST_CMAP
        bandwidth percent 2
    class INETWORK-CTRL-CMAP
        bandwidth percent 5
    class class-default
        fair-queue
         random-detect
      service-policy OUTPUT_QOS_PMAP
    service-policy output OUTPUT_QOS_PMAP
    interface Vlan2
    description *** WAN SVI ***
    bandwidth 256
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip virtual-reassembly
    bridge-group 1
    end
    interface BVI1
    description *** WAN BVI ***
    bandwidth 256
    ip address 10.96.0.57 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip virtual-reassembly
    service-policy output OUTPUT_QOS_PMAP
    end
    sh policy-map interface
    BVI1
      Service-policy output: OUTPUT_QOS_PMAP
        queue stats for all priority classes:
          queue limit 64 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 0/0
        Class-map: VOIP_RTP_TRUST_CMAP (match-any)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: ip dscp ef (46)
            0 packets, 0 bytes
            5 minute rate 0 bps
          Priority: 56 kbps, burst bytes 1500, b/w exceed drops: 0
        Class-map: VOIP_CTRL_TRUST_CMAP (match-any)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: ip dscp cs3 (24)
            0 packets, 0 bytes
            5 minute rate 0 bps
          Match: ip dscp af31 (26)
            0 packets, 0 bytes
            5 minute rate 0 bps
          Queueing
          queue limit 64 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 0/0
          bandwidth 2% (5 kbps)
        Class-map: INETWORK-CTRL-CMAP (match-any)
          6 packets, 896 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: ip dscp cs6 (48)
            6 packets, 896 bytes
            5 minute rate 0 bps
          Match: access-group name IKE
            0 packets, 0 bytes
            5 minute rate 0 bps
          Queueing
          queue limit 64 packets
          (queue depth/total drops/no-buffer drops) 5/0/0
          (pkts output/bytes output) 6/1120
          bandwidth 5% (12 kbps)
        Class-map: class-default (match-any)
          11 packets, 660 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any
          Queueing
          queue limit 64 packets
          (queue depth/total drops/no-buffer drops/flowdrops) 10/0/0/0
          (pkts output/bytes output) 11/660
          Fair-queue: per-flow queue limit 16
            Exp-weight-constant: 9 (1/512)
            Mean queue depth: 0 packets
            class     Transmitted       Random drop      Tail/Flow drop Minimum Maximum Mark
                      pkts/bytes    pkts/bytes       pkts/bytes    thresh  thresh  prob
            0              11/660             0/0              0/0                 20            40  1/10
            1               0/0               0/0              0/0                 22            40  1/10
            2               0/0               0/0              0/0                 24            40  1/10
            3               0/0               0/0              0/0                 26            40  1/10
            4               0/0               0/0              0/0                 28            40  1/10
            5               0/0               0/0              0/0                 30            40  1/10
            6               0/0               0/0              0/0                 32            40  1/10
            7               0/0               0/0              0/0                 34            40  1/10
    BUT! As long as the service-policy is on the interface, nothing works.
    sh int bvi1
    BVI1 is up, line protocol is up
      Hardware is BVI, address is 0025.454a.940d (bia 0024.c495.6780)
      Description: *** WAN BVI ***
      Internet address is 10.96.0.57/24
      MTU 1500 bytes, BW 256 Kbit/sec, DLY 5000 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ARPA, loopback not set
      Keepalive set (10 sec)
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input never, output never, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 74
      Queueing strategy: Class-based queueing
      Output queue: 33/1000/0 (size/max total/drops)
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         0 packets input, 0 bytes, 0 no buffer
         Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
         114 packets output, 11034 bytes, 0 underruns
         0 output errors, 0 collisions, 0 interface resets
         0 unknown protocol drops
         0 output buffer failures, 0 output buffers swapped out
    ping 10.96.0.1 source bvi1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.96.0.1, timeout is 2 seconds:
    Packet sent with a source address of 10.96.0.57
    Success rate is 0 percent (0/5)

  • Vlan.dat Failed retrieval

    Hello,
    I have seen the various postings regarding how LMS copies vlan.dat, i.e. over TFTP.
    I have verified login credentials over SNMP and SSH and these come back OK, however I still get:
    VLAN
    CM0151 VLAN RUNNING Config fetch failed for <switch> Cause: Command  failed
    VLAN Config fetch is not supported using TFTP.
    TELNET: Failed to establish TELNET connection to 10..x.x.x -  Cause: Connection refused.
    Action: Check if protocol is supported by device and required device  package is installed. Check device credentials. Increase timeout value, if  required.
    So can someone please answer why it is saying it is trying over telnet when it is configured to do it over SSH?

    Telnet was tried because the retrieval over SSH failed.  The way vlan.dat is archived is RME will login to the device via SSH or telnet, then issue a "copy flash:vlan.dat tftp:" command.  This means that TFTP must be allowed from the device to the RME server.  Make sure this copy command can be executed manually.

  • ACS Expert troubleshooter fails to display existing log entry

    Hello everybody,
    I ran into the following issue. Let's say the RADIUS log (today) displays that there are entries for user ABC (both successful and unsuccessful). BUT when I use the 'expert troubleshooter' to search for exactly the same user (both pass or fail authentication), the search results come out empty.
    This happens for all log entries (= users) and on different computers with different browsers. ACS version is 5.4 (upgraded to different patches to no avail).
    Anybody experienced that? An existing bug notice will also be appreciated.

    So far I have not seen any bug for this. Please have a look at the guide to understand the functionality of the Expert Troubleshooter:
    http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-4/user/guide/acsuserguide/viewer_troubleshooting.html#wp1057685

  • Uninstall ACS 4.2 fail

    I upgraded ACS from 4.1.4 to 4.2. I need to downgrade back to 4.1.4 without reinstalling the W2003 server! But when I remove 4.2 I could not reinstall 4.1.4 because of "4.1.4 must be installed only on top of 4.1.1.x or 4.1.3.x". Using the Clean.exe utility does not solve it. Cleaning the registry does not solve it. I tried to watch "what was going on behind" (find a relevant lock file or registry key) using programs like FileMon and RegMon, but without success. Thanks for any help in advance. RJ

    Hello,
    If you have the ACS 4.2 CD there is a support folder -> clean -> clean.exe. If you run this utility it will completely remove ACS from your system. If you do not have the ACS 4.2 CD please open a TAC case if you have a contract and we can provide the media for you. The clean utility is version specific, so you will need the 4.2 CD to remove the 4.2 install.
    --Jesse

  • Concerning OTV and VLAN Assignments

    I've been looking around but can't find any specific information...
    When configuring OTV between data centers, is it required/advisable/best practice to have the VLANs that you need to extend from one DC to another have the same VLAN ID? Does that matter?
    For example, VLAN 10 in New York DC is the 172.31.12.0/23 network. I want to extend the 172.31.12.0/23 network to the Los Angeles DC. Does the VLAN ID in the LA DC need to be VLAN 10 or can I use any VLAN ID in this case?
    Thanks!

    Hi Clay,
    In my opinion it would be best practice to have the same VLAN numbering across the data centres you're extending VLANs, purely to keep things simple. Obviously if you translate from one VLAN number to another it will add some complexity and so complicate troubleshooting to some extent.
    As far as whether having the same IP subnet assigned to different VLAN numbers is possible, I'm afraid you can't do this today. As of November 2012 Cisco were saying support for OTV VLAN translation would be available in the Nexus 7000 NX-OS 6.2 release. If you have Cisco Partner level access you can see the Nexus 7000 Roadmap Update presentation where this is discussed (see slide 11).
    Regards

  • ACS migration tool fails

    Hi, running the migration tool, I receive the following request:
    Make sure that the database is running.
    ACS 4.x DB is not available, Enter ACS 4.x database password(Encrypted Password)
    With the plain database password, used during the ACS installation,  I receive a fatal error message at the end of the procedure like this: "Fatal Error !! - cannot connect to ACS 4.x DB !!"
    Where can I find the ACS encrypted database password ?
    Following the migration log:
    10-07-2011 11:41:31 MigrationApplicationCLI.getUserInformation(MigrationApplicationCLI.java:953)ERROR - Could not Invoke ACS 4 Password read system.Error at C:\Work\ACS5x\ccweb_views\dgash_acs5_0_lenovo\vob\nm_acs\acs\mgmt\migration\DbPassword\Password.c line 1265, API calle
    10-07-2011 11:46:52 MigrationApplicationCLI.getUserInformation(MigrationApplicationCLI.java:953)ERROR - Could not Invoke ACS 4 Password read system.Error at C:\Work\ACS5x\ccweb_views\dgash_acs5_0_lenovo\vob\nm_acs\acs\mgmt\migration\DbPassword\Password.c line 1265, API calle
    10-07-2011 11:58:08 JavaUtils.isAttachmentSupported(JavaUtils.java:1308) WARN - Unable to find required classes (javax.activation.DataHandler and javax.mail.internet.MimeMultipart). Attachment support is disabled.
    10-07-2011 11:58:28 ACS4Connector.checkDBConnectivity(ACS4Connector.java:137)FATAL -  Fatal Error !! - cannot connect to ACS 4.x DB !!
    java.sql.SQLException: [Sybase][ODBC Driver][Adaptive Server Anywhere]Invalid user ID or password
    at ianywhere.ml.jdbcodbc.IDriver.makeODBCConnection(Native Method)
    at ianywhere.ml.jdbcodbc.IDriver.connect(IDriver.java:354)
    at java.sql.DriverManager.getConnection(Unknown Source)
    at java.sql.DriverManager.getConnection(Unknown Source)
    at com.cisco.nm.acs.mgmt.migration.ACS4Connector.getConnecter(ACS4Connector.java:66)
    at com.cisco.nm.acs.mgmt.migration.ACS4Connector.checkDBConnectivity(ACS4Connector.java:133)
    at com.cisco.nm.acs.mgmt.migration.MigrationApplicationCLI.runExport(MigrationApplicationCLI.java:605)
    at com.cisco.nm.acs.mgmt.migration.MigrationApplicationCLI.main(MigrationApplicationCLI.java:266)
    I'm running the migration tool on a clone VMware machine, from the console.
    thank you in advance

    Hello, I have the same issue. The migration utility can get the ACS 4.x database password, and entering the correct password does not change the error message: "05-07-2014 16:19:41 MigrationApplicationCLI.getUserInformation(MigrationApplicationCLI.java:953)ERROR - Could not Invoke ACS 4 Password read system.Error at C:\Work\ACS5x\ccweb_views\dgash_acs5_0_lenovo\vob\nm_acs\acs\mgmt\migration\DbPassword\Password.c line 1265, API calle"
    It seems that there is somewhere in the scripts a coded path to "C:\Work\ACS5x\ccweb_views\dgash_acs5_0_lenovo\vob\nm_acs\acs\mgmt\migration\DbPassword\Password.c"
    I tried to search within the files in the migration utility directory, but no success.
    Does anybody know the answer?
    regards
    Thomas
