Cisco ACS 4.2 Replication No Synchronization Partner

I have two ACS 4.2 configured as expected for replication but Primary ACS does not show any synchronization partner either on the left or right. The Secondary ACS does have synchronization partner listed. What could be the reason for this?

This has been resolved

Similar Messages

  • Cisco ACS 5.4 patch 6

    Hi Everyone,
    I have a Primary Cisco ACS, called CiscoACS1, version 5.4 patch 6 with an IP address of 1.1.1.1/24 and a Secondary ACS, called CiscoACS2, version 5.4 patch 6 with an IP address of 1.1.1.2/24.
    Connectivity between them is ok, same subnets.  I register CiscoACS2 with CiscoACS1 and everything is working fine, including Active Directory.  Both of these ACSes are used to authenticate my network devices.
    Every time I use the webUI to log into the Secondary ACS (https://CiscoACS2), I can see that the CiscoACS2 is synced with CiscoACS1, the status is always "UPDATED"
    However, if I webUI into the Primary ACS (https://CiscoACS1), I always see CiscoACS2 as "pending". 
    I've tried to do "full replication" and eventually it will show up as "UPDATED" but a few hours later, it will show up as "PENDING".
    Does anyone know why?  Is this a "bug"?
    Thanks in advance.

    Hi,
    If the replication status on the ACS1 GUI is showing pending, then you should know that full replication happens over the Sybase DB TCP port 2638, so that port needs to be open in the firewall.

  • Problems with acs 4.2 replication

    I installed the primary and secondary server.
    I see only one problem in the logs.
    When I try to replicate
    I get this:
    cisco acs 01/04/2012 23:50:58 NTVMEM73 INFO Outbound replication cycle starting...
    01/04/2012 23:40:25 NTVMEM73 INFO Outbound replication cycle starting...
    01/04/2012 23:29:51 NTVMEM73 INFO Outbound replication cycle starting...
    01/04/2012 23:19:16 NTVMEM73 INFO
    Further no issue.
    Can someone help me?

    Hello,
    There are still important files missing. Are both ACS servers configured for Full Detail of logging?
    Also, are you selecting the following when collecting the package?
    There are still missing files on the package.cab file that I need. Please try again with the above settings.
    Regards

  • ACS internal database replication

    I have setup ACS internal database replication and it works once then the secondary config is overwritten and doesn't contain the AAA server of the primary.
    primary - 10.100.253.25
    ACS 1113 running 4.2
    secondary - 10.100.253.26
    ACS 1113 running 4.2
    Example of before and after
    Before replication
    The primary has these AAA servers listed under network components.
    self - 127.0.0.1
    acs2 - 10.100.253.26
    The secondary has these AAA servers listed under network components.
    self - 127.0.0.1
    acs1 - 10.100.253.25
    After replication
    The primary has these AAA servers listed under network components.
    self - 127.0.0.1
    acs2 - 10.100.253.26
    The secondary has these AAA servers listed under network components.
    self - 127.0.0.1
    acs2 - 10.100.253.26
    Therefore, after the first replication subsequent attempts will fail because the secondary won't accept attempts from unknown AAA servers. Is this to be expected or can I mitigate it in some way?

    Please try setting the original IP address by using the "Set ip" command from the console connection of the ACS Solution Engine. Once you have successfully changed the IP address, you can apply patch 11 or above (latest is patch 16) on the ACS SE (this will fix the problem).
    In the majority of cases the set ip command fails, but sometimes it works too.
    In case it doesn't help, then we have 2 options:
    1.] Open a TAC case and send the database file to delete the entry.
    2.] If you are not interested in sending your database, then try the steps listed below:
    In order to remove the loopback entry from the database, we need to follow these steps.
    Please download ACS 4.2 trial from following link, if you do not have ACS Full version for Windows purchased.
    http://www.cisco.com/cgi-bin/tablebuild.pl/acs-win-eval- eval-ACS-4.2.0.124-SW.zip
    [1] Install eval version on Windows 2000/2003 server. Please also ensure that JAVA is installed on that server.
    [2] Take a backup from ACS SE from System Configuration > ACS Backup > Backup Now.
    [3] Restore the database backup on ACS eval.
    [4] On eval ACS, go to Network Configuration > find the AAA Server entry with the 127.0.0.1 entry. Edit it and give it some other IP, for example 1.1.1.1. Submit + Apply.
    [5] On eval, Restart CSAdmin service.
    [6] On eval, go back to Network Configuration and search for the changed IP address and delete that entry, Delete + Apply.
    [7] Take a backup from eval ACS, System Configuration > ACS Backup > Backup Now.
    [8] Restore the database backup from eval ACS into ACS SE from the option System Configuration > ACS Restore; choose the database backup. Check the options "User and Group Database" and "CiscoSecure ACS System Configuration", then press Restore Now.
    [9] On ACS SE, go to Network Configuration, make sure that 127.0.0.1 entry is not there and for ACS SE's hostname we have the correct IP address. Go to Proxy Distribution Table > (Default). Move the server’s hostname entry that has correct IP for this ACS SE into "Forward To" column, if not already. Then press "Submit + Restart".
    Reference defect, CSCso36620 - Toggle nic command changes AAA server ip address to "127.0.0.1" in GUI.
    Regards,
    Jatin
    Do rate helpful posts-

  • Migrating a Cisco ACS Database

    Hi,
    Can there be any potential problems if we want to migrate an existing Cisco ACS Database to a different physical server (keeping the same IP information etc.)?
    We were running Cisco ACS evaluation version for Cisco NAC (CTA) and now want to make it production while moving it to a different server.
    Regards \\ Naman

    Hi,
    I'm not an expert for the ACS but when you look into System configuration you will find the feature 'Database Replication'. With an eval version you should be able to test this feature.
    Cheers,

  • Cisco ACS database tuning

    Hi
    I would like to know the best ways of tuning the Cisco ACS database.  Now the database size has grown and is causing performance problems.  We are running Cisco ACS 4.2 on Windows server 2003 R3. SP2
    What is the best possible way to tune Cisco ACS performance?
    What is the best possible design consideration in deploying 6 ACS servers in replicating mode? Can I use one database for all the 6 ACS servers? Is this feasible?
    Any docs which talks about all these would be helpful.
    Thanks in advance.
    SK

    Hi there,
    About the database size growing issue, I have seen a similar issue in the past and it could be related to the Service Control option; make sure it's configured Low. This option is located under System Configuration.
    Regarding the replication issue, in the past I have seen even 7 servers in cascade replicating fine, although depending on different factors like distance, devices in between, amount of data, etc., the replication flow may get affected. I am not sure what your requirements will be, but using one server to replicate the information to the other units is a good option; I prefer this one to cascade replication.

  • Cisco ACS 1121 server configuration

    Hi,
    Can anyone tell me how to configure LAN teaming in Cisco ACS 1121? My requirement is to have a virtual IP in the server with two physical IPs on the 2 available interfaces in the server.
    Regards,
    Haja Shajahan.M

    Currently Gig 0 is supported. Gig 1 is blocked. Check this link ((Blocked) Gigabit Ethernet 1).
    http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_system/5.2/installation/guide/csacs_hw_ins.html#wp1119105
    Paps

  • Cisco ACS Server

    Hi
    I have at present a Cisco ACS server 3.3. I want to upgrade the server to the latest version and also cluster it with another one so that we could have a redundant infrastructure: if one fails the other one takes over.
    Can you provide a suitable solution for this?
    Thanks

    Hi,
    The Latest version is ACS 4.1. You can upgrade from 3.3.3 build 11 directly to 4.1.
    Then you can install another ACS 4.1 on different machine and setup replication between these two. This way you will have to make changes only on one ACS and the secondary will automatically get updated.
    Once these two are set, you can define both of these server as Radius/Tacacs server on the devices and there would be a redundancy.
    Regards,
    Vivek

  • Cisco ACS Server . Download Evaluation Version For Testing.

    Hello.
    I want to try to install ACS server for Windows to check how this is working with Microsoft AD. Does anyone know where I can download an evaluation version of Cisco ACS Server for Windows?

    Hello Michael-
    The ACS version for Windows is no longer available. The product is EOL/EOS:
    http://www.cisco.com/c/en/us/products/collateral/security/secure-access-control-server-windows/end_of_life_notice_c51-664639.html
    The product was replaced with a Linux based version (5.x) and it is a lot easier of a product to install and manage. 
    If you want to evaluate the product I would recommend that you contact your local Cisco partner:
    https://tools.cisco.com/WWChannels/LOCATR/openBasicSearch.do
    Thank you for rating helpful posts!

  • AIRONET 1260 with new radius cisco ACS 4.x

    Hi, I have a new CISCO AIRONET 1260.
    I have CISCO ACS 5.1 RADIUS for VPN on ASA and tried to configure an NDG on it for the AIRONET 1260 too, and it worked fine with IEEE 802.1x CISCO EAP-FAST authentication.
    As I had some trouble letting users authenticate only on VPN if they are VPN users and only on CISCO AIRONET if they need only WIFI AIRONET,
    I tried exception policy rules but something is not working. VPN was ok but not WIFI: access denied for rule policy access.
    I decided to install CISCO ACS 4.x on Windows 2003, which is on the ACS 5 DVD.
    I created an NDG as done on ACS 5, put a shared secret, put it on the AIRONET too as done for ACS 5, but I receive an error against ACS 4.x.
    To troubleshoot it I tried
    http://www.cisco.com/en/US/partner/tech/tk722/tk720/technologies_configuration_example09186a00807bf3c8.shtml
    but it does not work! I think I have done everything fine; however on ACS 5 it worked in 5 minutes.
    I searched the log inside ACS 4 and found "Invalid message authenticator in EAP request" and I found this:
    https://supportforums.cisco.com/docs/DOC-3991
    Changed the shared secret several times but it is still not working with ACS 4.
    What's wrong?
    I need to have a user and password prompt on the client trying to authenticate on AIRONET WIFI, and I need ACS INTERNAL USERS: no Active Directory, no LDAP, no external user database.

    I have solved

  • Cisco ACS Engine appliance 1120 software upgrade

    I want to upgrade my Cisco ACS Engine appliance 1120 from software version 3.3 to the latest version (5.x). How do I go about this? Someone should help please.

    It is highly suspicious that you would have a 1120 appliance that is running 3.3
    ACS 3.3 was with the ACS solution engine 1111, 1112 and 1113.
    ACS 5 requires the appliance 1120/1121 so it requires an appliance change. I'm puzzled about how you could be running 3.3 for 1120 since there is no installation DVD for that.
    As a general thing, one has to follow the ACS 5 migration guide on cisco.com that explains the process quite well. You need to go to acs 4.1/4.2 to migrate to 5.
    http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/migrate.html
    Nicolas

  • Issue with cisco acs 4.2.Users unable to login aaa client but after restarting group policy able to login

    Issue with Cisco ACS 4.2. Users are unable to log in to the AAA client, but after restarting group policy they are able to log in.

  • VPN client and Cisco ACS

    hi,
    I'm trying to set up a VPN solution, connecting to an 800 series router and authenticating off a Cisco ACS TACACS server.
    I've basically followed the suggested config at http://www.cisco.com/en/US/customer/tech/tk59/technologies_configuration_example09186a00800a393b.shtml and the setup works fine if I use local authentication, but as soon as I switch to using TACACS the client authentication fails.
    Debugging TACACS on the router I can see the requests being sent to the server, and the replies coming back. The login details are definitely correct, so I'm guessing that TACACS isn't authorising me to use VPN or IPSEC or something. But there is nothing in the ACS logs to suggest why I'm not getting through: no failed attempts are shown.
    Any ideas?

    here is some debug from the router:
    Feb 24 12:28:58.973 UTC: TPLUS: processing authentication start request id 129
    Feb 24 12:28:58.973 UTC: TPLUS: Authentication start packet created for 129(vpngroup)
    Feb 24 12:28:58.973 UTC: TPLUS: Using server 10.10.10.10
    Feb 24 12:28:58.973 UTC: TPLUS(00000081)/0/NB_WAIT/823A9F04: Started 5 sec timeout
    Feb 24 12:28:58.989 UTC: TPLUS(00000081)/0/NB_WAIT: socket event 2
    Feb 24 12:28:58.989 UTC: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
    Feb 24 12:28:58.989 UTC: T+: session_id 1729330768 (0x67137E50), dlen 16 (0x10)
    Feb 24 12:28:58.989 UTC: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
    Feb 24 12:28:58.989 UTC: T+: svc:LOGIN user_len:8 port_len:0 (0x0) raddr_len:0 (0x0) data_len:0
    Feb 24 12:28:58.989 UTC: T+: user: vpntest
    Feb 24 12:28:58.989 UTC: T+: port:
    Feb 24 12:28:58.989 UTC: T+: rem_addr:
    Feb 24 12:28:58.989 UTC: T+: data:
    Feb 24 12:28:58.989 UTC: T+: End Packet
    Feb 24 12:28:58.989 UTC: TPLUS(00000081)/0/NB_WAIT: wrote entire 28 bytes request
    Feb 24 12:28:58.993 UTC: TPLUS(00000081)/0/READ: socket event 1
    Feb 24 12:28:58.993 UTC: TPLUS(00000081)/0/READ: Would block while reading
    Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: socket event 1
    Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: read entire 12 header bytes (expect 16 bytes data)
    Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: socket event 1
    Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: read entire 28 bytes response
    Feb 24 12:28:59.009 UTC: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
    Feb 24 12:28:59.009 UTC: T+: session_id 1729330768 (0x67137E50), dlen 16 (0x10)
    Feb 24 12:28:59.009 UTC: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10, data_len:0
    Feb 24 12:28:59.009 UTC: T+: msg: Password:
    Feb 24 12:28:59.009 UTC: T+: data:
    Feb 24 12:28:59.009 UTC: T+: End Packet
    s9990-cr#
    Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/823A9F04: Processing the reply packet
    Feb 24 12:28:59.009 UTC: TPLUS: Received authen response status GET_PASSWORD (8)
    "AUTHEN/REPLY status:5" is a permanent fail according to the TACACS RFC
    In the VPN Client log it says "User does not provide any authentication data".
    So to summarise:
    -Same ACS server\router\username combination works fine for telnet access.
    -VPN works fine with local authentication.
    -No login failures showing in the ACS logs.
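The router debug above prints the TACACS+ fields one by one (version 0xC0, type 1, seq 2, session_id 0x67137E50, dlen 16, AUTHEN/REPLY status 5, flags 0x1, msg_len 10). The following decoder is an added example and is not code from the thread or from Cisco: it parses the 12-byte TACACS+ header and the Authentication REPLY body as RFC 8907 lays them out, maps the status byte to its name, and, where the body is obfuscated, removes the MD5 pseudo-pad derived from the shared secret. The sample packet is constructed to carry exactly the values in the debug; the shared secret `constructed-secret` and the plaintext body are assumptions for the demonstration.

```python
"""Decode a TACACS+ header and Authentication REPLY body (RFC 8907).

Added example, not code from the thread. The sample bytes are constructed
to match the values the router debug prints: version 0xC0, type 1, seq 2,
session_id 0x67137E50, body length 16, status 5, flags 0x1, msg_len 10.
"""
import hashlib
import struct

HEADER_FMT = "!BBBBII"   # version, type, seq_no, flags, session_id, length
HEADER_LEN = 12
TAC_PLUS_AUTHEN = 1
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_REPLY_FLAG_NOECHO = 0x01

# TAC_PLUS_AUTHEN_STATUS_* values, RFC 8907 section 5.2
AUTHEN_STATUS = {0x01: "PASS", 0x02: "FAIL", 0x03: "GETDATA", 0x04: "GETUSER",
                 0x05: "GETPASS", 0x06: "RESTART", 0x07: "ERROR", 0x21: "FOLLOW"}


def parse_header(pkt):
    """Return the fixed 12-byte header fields shared by all TACACS+ packets."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("packet shorter than TACACS+ header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        HEADER_FMT, pkt[:HEADER_LEN])
    if len(pkt) - HEADER_LEN != length:
        raise ValueError("declared body length does not match packet")
    return {"version": version, "type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "length": length}


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 keystream from RFC 8907 section 4.5, truncated to `length` bytes."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key
                           + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def unwrap_body(pkt, key=None):
    """Return (header, plaintext body): pass-through when the unencrypted
    flag is set, otherwise XOR with the pseudo-pad from the shared secret."""
    hdr = parse_header(pkt)
    body = pkt[HEADER_LEN:]
    if hdr["flags"] & TAC_PLUS_UNENCRYPTED_FLAG:
        return hdr, body
    if key is None:
        raise ValueError("body is obfuscated; shared secret required")
    pad = pseudo_pad(hdr["session_id"], key, hdr["version"], hdr["seq_no"], len(body))
    return hdr, bytes(b ^ p for b, p in zip(body, pad))


def parse_authen_reply(body):
    """Authentication REPLY: status(1) flags(1) msg_len(2) data_len(2) msg data."""
    if len(body) < 6:
        raise ValueError("reply body too short")
    status, flags, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    if len(body) != 6 + msg_len + data_len:
        raise ValueError("reply length fields do not match body size")
    return {"status": AUTHEN_STATUS.get(status, "UNKNOWN(%d)" % status),
            "status_code": status,
            "noecho": bool(flags & TAC_PLUS_REPLY_FLAG_NOECHO),
            "server_msg": body[6:6 + msg_len].decode("ascii", "replace"),
            "data": body[6 + msg_len:]}


def decode_reply(pkt, key=None):
    """Decode a full packet; rejects anything that is not an AUTHEN packet."""
    hdr, body = unwrap_body(pkt, key)
    if hdr["type"] != TAC_PLUS_AUTHEN:
        raise ValueError("not an authentication packet")
    return hdr, parse_authen_reply(body)


def build_sample_reply(key=None):
    """Constructed reply carrying the debug's values; obfuscated with `key`
    when one is given, otherwise sent with the unencrypted flag set."""
    server_msg = b"Password: "                       # 10 bytes = msg_len:10
    body = struct.pack("!BBHH", 0x05, 0x01, len(server_msg), 0) + server_msg
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    version, seq_no, session_id = 0xC0, 2, 0x67137E50
    if key:
        pad = pseudo_pad(session_id, key, version, seq_no, len(body))
        body = bytes(b ^ p for b, p in zip(body, pad))
    header = struct.pack(HEADER_FMT, version, TAC_PLUS_AUTHEN, seq_no, flags,
                         session_id, len(body))
    return header + body


if __name__ == "__main__":
    secret = b"constructed-secret"                  # assumed shared secret
    hdr, reply = decode_reply(build_sample_reply(secret), key=secret)
    print(hdr)
    print(reply)
```

Running the block decodes the constructed packet to a 28-byte message (12-byte header plus 16-byte body, matching "read entire 28 bytes response") whose status byte 0x05 is GETPASS with the NOECHO flag set and the server message "Password: ", which is the prompt the router reports in its "Received authen response status GET_PASSWORD" line. Without the right shared secret the pad does not cancel and the length fields fail their consistency check, which is the same class of failure a mismatched key produces between a NAS and ACS.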

  • Cisco ISE 1.2 and Cisco ACS 5.4 patch 6 and support for snmp version 3

    Does anyone know if Cisco ISE version 1.2 patch 8 and Cisco ACS 5.4 patch 6 support SNMP version 3?
    ciscoISE/admin(config)# snmp-server ?
      community  Set community string
      contact    Text for mib object sysContact
      host       Specify hosts to receive SNMP notifications
      location   Text for mib object sysLocation
    ciscoISE/admin(config)# snmp-server
    Ciscoacs/admin(config)# snmp-server ?
      community  Set community string
      contact    Text for mib object sysContact
      host       Specify hosts to receive SNMP notifications
      location   Text for mib object sysLocation
    Ciscoacs/admin(config)# snmp-server

    No support for SNMP v3 on ISE v1.2 and 1.3 except for profiling.
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/cli_ref_guide/ise_cli/ise_cli_app_a.html#12768
     http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/cli_ref_guide/b_ise_CLIReferenceGuide/b_ise_CLIReferenceGuide_chapter_0100.html#ID-1364-00000d30

  • Linksys WAP54G connecting to CISCO ACS via LEAP

    I understand that Linksys WAP54G support WPA and 802.1x authentication. Will a cisco compatible client card get connected to the WAP54G via LEAP authentication to a Cisco ACS server ?
    Connection scenario:-
    Cisco compatible client card <-WPA/LEAP-> WAP54G <-WPA/LEAP-> Cisco ACS3.1
    Pls advise if such setting is feasible.
    Tks

    This is really a question for Linksys support. The Cisco wireless BU has no involvement with the Linksys product line. They operate as a totally separate wholly owned subsidiary of Cisco.
    As for LEAP, no, to my knowledge the Linksys AP does not support LEAP, which is not tested or part of the WPA certification program. To my knowledge the ONLY APs that support LEAP are Cisco Aironet APs.
    If the Linksys supports WPA-Enterprise, then any client that supports WPA-Enterprise should work using EAP-TLS. The Cisco ACS server supports EAP-TLS.
    One word of caution. Early CCX cards do not necessarily support WPA. The CCX specification and certification were out before WPA was released. You will need to check with the actual vendor of the card to verify WPA compatibility.
    Also there are two types of WPA. WPA-Personal, which supports only the WPA encryption, where the keys are handled by a Pre-shared Key input system (no RADIUS server), and WPA-Enterprise, which is certified using WPA encryption and an 802.1x EAP-TLS RADIUS server (in fact using Microsoft and Funk Software servers). Make sure that the Linksys supports WPA-Enterprise, or it may not support 802.1x.
    Bruce Alexander, Cisco
