Cisco ACS 5.3 patch 8 OPT Volume

Hello,
We currently have 12 ACS appliances, with one of them being a dedicated Log Collector. We have 802.1x authentication configured for both network port and wireless access. We are authenticating desktops, laptops, smart phones, etc. on our network.
The problem we are having is the OPT volume exceeding the 30% volume size recommended by Cisco TAC every few months. We have recently added more network resources to our network (merger). We are now hitting the 30% size in about 1 month.
In the past we have called Cisco TAC when we had issues with Log Collector performance. At that time it was also authenticating 802.1x clients. We added a new appliance and made it a dedicated Log Collector. They would check the OPT volume and find that it was at about 70% use size. They would run the Root Console patch and delete the DB and then recreate it. We have done that about 2 times before we started to monitor the OPT volume size.
This last time we ran into the 30% volume size quicker than we have previously. I had Cisco TAC delete the OPT volume and recreate it.
Cisco TAC has recommended we reduce the amount of logs that are being sent to the Log Collector. We are currently exploring that option.
The questions I have are:
At what percentage size for the OPT volume should we be concerned before it starts impacting the performance of the Log Collector?
Is there something else we can do to reduce the amount of logs that are being sent to the Log Collector?
We have Data Purging set to 30 days. We are performing Full and Incremental backups of the database. We are also sending the local logs to a Syslog server.
We are testing making changes to send only the AAA Audit and System Statistics logs to the Log Collector.
Thanks,

In a distributed setup, it's recommended to configure a dedicated secondary server as a log collector. However, you have a large deployment, so I'm sure the authentication rate would be high too, causing the view-database size to keep on increasing.
In order to prevent running out of disk space we need to manage it. That means identifying the files that are created and written to by processes on the system, allocating a space budget to them such that if the files stay within their budget all services can be supported without interruption, and then defining and implementing facilities to keep those files within their budget.
There are two mechanisms to reduce this size and prevent it from exceeding the maximum limit.
1. Purge: In this mechanism the data will be purged based on the configured data retention period or upon reaching the upper limit of the database. In Patch 6 a new option is provided to do on-demand purge as well.
2. Compress: This mechanism frees up unused space in the database without deleting any records. Before, the compress option could only be run manually. In ACS 5.3 Patch 6 there are enhancements so it will run daily at a predefined time, and automatically when specific criteria are met.
At what percentage size for the OPT volume should we be concerned before it starts impacting the performance of the Log Collector?
TAC recommendations are right. You will be able to utilize all features of ACS if /opt is below 30%.
Is there something else we can do to reduce the amount of logs that are being sent to the Log Collector?
It seems you're using most of the features/mechanisms to keep /opt low. However, you may be interested to read more on the data purging and data compression enhancements: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/release/notes/acs_54_rn.html
- Please use System Administration > Configuration > Log Configuration > Logging Categories > Global to configure sending only the required logs to the ACS View log collector.
- Provide a fresh screenshot of the page Monitoring Configuration > System Operations > Data Management > Removal and Backup.
- With the below listed command you can check the actual and physical size of the MnT database:
     acs-config
     Username: acsadmin
     Password: ***********
     acsview show-dbsize
There are a few known defects on the same issue. However, the version you're running improves the database management processes.
CSCto47203: ACS 5 runs out of disk space
CSCua51804: View backup fails even when there is space in disk
Jatin Katyal
- Do rate helpful posts -
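The two checks the answer above recommends, as an added example that is not part of the original thread: read the /opt utilization out of POSIX `df -P` output and compare it with the 30% ceiling, and tally which ACS logging categories account for most of the bytes shipped to the log collector (using the syslog copies the poster already sends), so that Logging Categories > Global can be trimmed on evidence. All sample input is constructed; the ACS 5.x syslog lines follow the real shape (a `CSCOacs_...` category token after the host name) but every value in them is invented.

```python
"""Added example: /opt headroom check and per-category log volume for an ACS log collector."""
import re
from collections import defaultdict

OPT_THRESHOLD_PCT = 30  # ceiling recommended by TAC in the thread

# Constructed `df -P /opt` output; block counts and device name are made up.
DF_OUTPUT = """Filesystem     1024-blocks     Used Available Capacity Mounted on
/dev/mapper/smosvg-optvol 62914560 21495808 41418752      35% /opt
"""

# Constructed syslog copies of ACS 5.x messages (values invented, bodies truncated).
SAMPLE_SYSLOG = """\
<181>Jun 12 10:00:01 acs01 CSCOacs_Passed_Authentications 0000004321 1 0 2013-06-12 10:00:01.123 +02:00 0000098765 5200 NOTICE Passed-Authentication: Authentication succeeded, User=alice, Protocol=Radius, ...
<181>Jun 12 10:00:02 acs01 CSCOacs_Passed_Authentications 0000004322 1 0 2013-06-12 10:00:02.456 +02:00 0000098766 5200 NOTICE Passed-Authentication: Authentication succeeded, User=bob, Protocol=Radius, ...
<181>Jun 12 10:00:03 acs01 CSCOacs_RADIUS_Accounting 0000004323 1 0 2013-06-12 10:00:03.789 +02:00 0000098767 3000 NOTICE Radius-Accounting: RADIUS Accounting watchdog update, User=alice, ...
<182>Jun 12 10:00:04 acs01 CSCOacs_Failed_Attempts 0000004324 1 0 2013-06-12 10:00:04.012 +02:00 0000098768 5400 NOTICE Failed-Attempt: Authentication failed, User=mallory, FailureReason=22056 Subject not found ...
<181>Jun 12 10:05:00 acs01 CSCOacs_System_Statistics 0000004325 1 0 2013-06-12 10:05:00.000 +02:00 0000098769 60001 NOTICE System-Statistics: ...
"""

# The logging category is the first token that starts with CSCOacs_.
CATEGORY_RE = re.compile(r"\bCSCOacs_[A-Za-z_]+")


def opt_usage_pct(df_text: str, mount: str = "/opt") -> int:
    """Return the Capacity column (percent used) for `mount` from `df -P` output."""
    for line in df_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) >= 6 and fields[5] == mount:
            return int(fields[4].rstrip("%"))
    raise ValueError(f"{mount} not present in df output")


def opt_over_threshold(df_text: str, threshold: int = OPT_THRESHOLD_PCT) -> bool:
    """True once /opt has crossed the recommended ceiling and purge/compress work is due."""
    return opt_usage_pct(df_text) > threshold


def bytes_by_category(syslog_text: str) -> dict:
    """Sum message bytes per ACS logging category; lines without a category are 'unclassified'."""
    totals = defaultdict(int)
    for line in syslog_text.splitlines():
        m = CATEGORY_RE.search(line)
        totals[m.group(0) if m else "unclassified"] += len(line.encode())
    return dict(totals)


def categories_to_review(syslog_text: str,
                         keep=("CSCOacs_AAA_Audit", "CSCOacs_System_Statistics")) -> list:
    """Categories ordered by volume, excluding the ones the poster plans to keep sending."""
    totals = bytes_by_category(syslog_text)
    return sorted((c for c in totals if c not in keep), key=lambda c: -totals[c])


if __name__ == "__main__":
    pct = opt_usage_pct(DF_OUTPUT)
    state = "ACTION NEEDED" if opt_over_threshold(DF_OUTPUT) else "ok"
    print(f"/opt at {pct}% (threshold {OPT_THRESHOLD_PCT}%): {state}")
    for cat, n in sorted(bytes_by_category(SAMPLE_SYSLOG).items(), key=lambda kv: -kv[1]):
        print(f"{n:8d} bytes  {cat}")
    print("candidates to stop sending:", categories_to_review(SAMPLE_SYSLOG))
```

On a live collector, feed it the real `df -P /opt` output and a day of the forwarded syslog instead of the constructed samples; the category ranking is what justifies dropping a category at Logging Categories > Global.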

Similar Messages

  • Cisco ISE 1.2 and Cisco ACS 5.4 patch 6 and support for snmp version 3

    Does anyone know if Cisco ISE version 1.2 patch 8 and Cisco ACS 5.4 patch 6 support SNMP version 3?
    ciscoISE/admin(config)# snmp-server ?
      community  Set community string
      contact    Text for mib object sysContact
      host       Specify hosts to receive SNMP notifications
      location   Text for mib object sysLocation
    ciscoISE/admin(config)# snmp-server
    Ciscoacs/admin(config)# snmp-server ?
      community  Set community string
      contact    Text for mib object sysContact
      host       Specify hosts to receive SNMP notifications
      location   Text for mib object sysLocation
    Ciscoacs/admin(config)# snmp-server

    No support for SNMP v3 on ISE v1.2 and 1.3 except for profiling:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/cli_ref_guide/ise_cli/ise_cli_app_a.html#12768
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/cli_ref_guide/b_ise_CLIReferenceGuide/b_ise_CLIReferenceGuide_chapter_0100.html#ID-1364-00000d30

  • Cisco ACS 5.4 patch 6

    Hi Everyone,
    I have a Primary Cisco ACS, called CiscoACS1, version 5.4 patch 6 with an IP address of 1.1.1.1/24 and a Secondary ACS, called CiscoACS2, version 5.4 patch 6 with an IP address of 1.1.1.2/24.
    Connectivity between them is ok, same subnets.  I register CiscoACS2 with CiscoACS1 and everything is working fine, including Active Directory.  Both of these ACSes are used to authenticate my network devices.
    Every time I use the web UI to log into the Secondary ACS (https://CiscoACS2), I can see that CiscoACS2 is synced with CiscoACS1; the status is always "UPDATED".
    However, if I use the web UI on the Primary ACS (https://CiscoACS1), I always see CiscoACS2 as "pending".
    I've tried to do a "full replication" and eventually it will show up as "UPDATED", but a few hours later it will show up as "PENDING" again.
    Anyone know why? Is this a "bug"?
    Thanks in advance.

    Hi,
    If the replication status on the ACS1 GUI is showing pending, then you should know that full replication happens over the Sybase DB TCP port 2638, so that port needs to be open in the firewall.

  • Cisco ACS version 4.2 patch update

    Dear All,
    I am using Cisco ACS version 4.2(0) Build 124 and I would like to upgrade it with the latest patch. Can anyone provide me the step-by-step procedure for the upgrade through the serial console or through the GUI?
    It would also be appreciated if you could provide me the exact link / patch for the 4.2(0) release.
    Regards..

    Ciscoworks can use various mechanisms to discover the devices on your network.
    The network administrator can discover the devices using different protocols, such as Cisco Discovery Protocol, BGP, OSPF, Address Resolution Protocol (ARP), HSRP, cluster, routing table, and ping sweep on IP range, that are activated at different layers of the Open Systems Interconnection (OSI) model in the device.
    It has a benefit when the devices on the network are not responsive to any other modules of Discovery.
    Usually other modules learn the IP of the neighbour device from their data, like asking for CDP neighbour details or the OSPF table, whereas in Ping Sweep LMS will simply continue to check devices based on the IP range.
    For example, if you selected Ping Sweep On IP Range, you can specify the seed device as 10.77.209.209 and the subnet mask as 255.255.255.240. Entering a smaller subnet mask value may result in a longer discovery cycle, as discovery has to sweep IP addresses from more networks. It is recommended to enter a Class C mask instead of a Class A or B mask.
    So using Ping Sweep helps you find your devices faster if it is a fairly simple network with a simple range of IPs on devices, maybe on a single subnet.
    More details on how the Ping Sweep algorithm works technically behind the scenes in LMS are available here:
    https://supportforums.cisco.com/docs/DOC-9005#Ping_Sweep_On_IP_Range
    This document describes, in depth about all modules used in LMS Device Discovery.
    Hope it will be helpful to understand.
    -Thanks
    Vinod
    **Rating Encourages contributors, and its really free. **

  • Cisco ACS 5.4.0.46.6 - Cannot join to domain

    I am not able to join Cisco ACS to the domain. I get the error "wrong domain". Nslookup resolves the domain correctly. ACS troubleshoot adcheck shows the below error:
    ADGC     : Check Global Catalog servers
                   : There is no GC in site "INGUA"
                   : It is recommended that a GC exist in each site.
    Checked with AD team and they confirm that GC does exist at this site. It is a Windows 2008 R2.  I am able to telnet to the required ports from the ACS console.  Tried applying the latest patch.  Tried re-imaging the ACS server.  Still the issue remains.  Any help appreciated.
    Cisco Application Deployment Engine OS Release: 2.0
    ADE-OS Build Version: 2.0.3.063
    ADE-OS System Architecture: i386
    Copyright (c) 2005-2011 by Cisco Systems, Inc.
    All rights reserved.
    Hostname: ZINGUA6001
    Version information of installed applications
    Cisco ACS VERSION INFORMATION
    Version : 5.4.0.46.6
    Internal Build ID : B.221
    Patches :
    5-4-0-46-6

    Hi Minakshi,
    I performed the update before your post and I tested without deregistering all servers.
    So far, all was good.
    I had no issue and the update took me very little time without following the full UPGRADE procedure.
    The command also had a rollback for the update, so I took the risk.
    This is certainly not the case for an upgrade, but an update seems to be easier.
    Kind regards.
    Steve

  • [Cisco ACS] 11036 The Message-Authenticator RADIUS attribute is invalid

    Hi,
    I have many Cisco APs which are linked to 2 Cisco WLCs.
    On each WLC, I configured a primary and a secondary RADIUS server.
    The RADIUS servers are Cisco ACS 5.2.0.26 (patch 10).
    The primary and secondary ACS configurations are synchronized.
    There is no problem between the primary WLC and Cisco ACS (primary and secondary).
    When secondary WLC requests primary Cisco ACS, I get this error "11036 The Message-Authenticator RADIUS attribute is invalid"
    Secondary WLC automatically contacts secondary Cisco ACS and it works fine.
    Cisco ACS description for this error: "This maybe because of mismatched Shared Secrets."
    The two Cisco ACS are synchronized so I should have same error on them...
    Why does primary ACS generate this error?
    Thanks for your help,
    Patrick

    Tarik Admani wrote: Amjad, that is a good observation. Shouldn't 7.3 (which was recently released) help put these types of issues to rest? I hear that the configuration can now be replicated from one controller to the next in a failover setup. Thanks, Tarik Admani
    *Please rate helpful posts*
    Yes. That is a good point.
    With 7.3 you can use high availability (HA) between two WLCs, and you can configure only one WLC (the primary) and all the configuration can be replicated and synched to the other WLC (the secondary).
    The two WLCs in the HA must be on the same subnet though. Otherwise hot-standby HA between WLCs can't be used.
    Rating useful replies is more useful than saying "Thank you"

  • Cisco NAC, Cisco ACS, Microsoft NAP, Anti Virus

    Hi,
    I'm doing a research on the Cisco NAC (without the appliance) concept and I would like to ask the following:
    1. Securing network access - Needed products are Cisco ACS and Cisco access devices (2960, for example). The feature needed is NAC Layer 2 IEEE 802.1x. Is this correct?
    2. Forcing Windows PC to download OS patches according to company policy. Needed products are Cisco ACS, Cisco access devices, Cisco Trust Agent and Microsoft NAP (Network Access Protection)? Is there a way to do this only with Windows Server (not using NAP)?
    3. Forcing Windows PCs to update Anti Virus software. Needed products are Cisco ACS, Cisco access devices, Cisco Trust Agent and Anti Virus server? Is this correct?
    Please, give me some advice.
    Thanks in advance,
    Mladen

    Thanks for the reply, but I am still a bit confused (would you please try to answer the questions?):
    1. Securing network access - Needed products are Cisco ACS and Cisco access devices (2960, for example). The feature needed is NAC Layer 2 IEEE 802.1x. Is this correct?
    2. To force update of Windows patches, do I need a NAC appliance (I can only install CSACS)?
    3. To force AV updates, do I need a NAC appliance (I can only install CSACS)?
    I refer to
    "Implementing Network Admission Control Phase One Configuration and Deployment";
    "Network Admission Control Software Configuration Guide - Information About Network Admission Control".
    Thanks in advance,
    Mladen

  • Windows Update for Cisco ACS appliance

    Due to the recent security alert from Windows I wish to make sure my systems are updated, but the Cisco ACS appliance (Cisco 1113) runs a specialized version of Win2k with console access disabled. Is there any way to get the Windows critical security updates, and do I need to?

    If the patch is necessary on acs appliance then they will be releasing it soon.
    As of now we can't apply any windows patch on appliance.

  • Vulnerabilities in Cisco ACS

    Hi,
    I've read that there are some vulnerabilities in Cisco ACS.
    The advisory is this: cisco-sa-20070105-csacs
    I have two installations of CiscoSecure ACS Release 3.3(3) Build 11.
    One is OK, while the second installation, a few days ago, showed me a crash in CSAdmin.
    While I was trying to resolve this problem, there was a problem with the server's disk, so now the server is off.
    Could anyone tell me if it is possible that there is a relationship between the crash and the problems in the advisory?
    Is it always recommended to install the patch in the advisory?
    Thanks in advance
    Antonio

    Antonio,
    We need to look at the CSAdmin log to see if the service crashed due to the problem mentioned in the advisory. But it is highly unlikely that the disk could have crashed because of any ACS Service.
    It is recommended to patch up the vulnerability. You will need to move up to 3.3.4.

  • Cisco acs "manifest file not found" help

    srvacs01/admin# application upgrade ACS_5.5.0.46.tar.gz WCS
    Do you want to save the current configuration ? (yes/no) [yes] ? no
    6 [27522]: transfer: cars_xfer.c[54] [admin]: ftp copy in of ACS_5.5.0.46.tar.gz requested
    7 [27522]: transfer: cars_xfer_util.c[89] [admin]: ftp get source - ACS_5.5.0.46.tar.gz
    7 [27522]: transfer: cars_xfer_util.c[90] [admin]: ftp get destination - /storeddata/Installing/.1413207431/ACS_5.5.0.46.tar.gz
    7 [27522]: transfer: cars_xfer_util.c[109] [admin]: initializing curl
    7 [27522]: transfer: cars_xfer_util.c[122] [admin]: full url is ftp://10.222.15.196/acs5/ACS_5.5.0.46.tar.gz
    % Manifest file not found in the bundle
    srvacs01/admin#
    Cisco Application Deployment Engine OS Release: 1.2
    ADE-OS Build Version: 1.2.0.228
    ADE-OS System Architecture: i386
    Copyright (c) 2005-2009 by Cisco Systems, Inc.
    All rights reserved.
    Hostname: srvacs01
    Version information of installed applications
    Cisco ACS VERSION INFORMATION
    Version : 5.3.0.40.40
    Internal Build ID : B.839
    Patches :
    5-3-0-40-7
    5-3-0-40-9
    Pointed-PreUpgrade-CSCum04132-5-3-0-40

    Problem: "Error: Saved the running configuration to startup successfully % Manifest file not found in the bundle" on ACS appliance during appliance upgrade
    The Error: Saved the running configuration to startup successfully % Manifest file not found in the bundle error appears when an attempt is made to upgrade ACS Express
    Solution
    Complete these steps in order to upgrade the ACS appliance without any issue:
    Download patch 9 (5-0-0-21-9.tar.gpg) and ADE-OS (ACS_5.0.0.21_ADE_OS_1.2_upgrade.tar.gpg ) from: Cisco.com > support > download software > Security > Cisco Secure Access Control System 5.0 > Secure Access Control System Software > 5.0.0.21
    After you install the two files, install the ACS 5.1 upgrade ACS_5.1.0.44.tar.gz. This is available from the same path from previous step.
    Use this command in order to install the upgrade:
    application upgrade <application-bundle> remote-repository-name
    This completes the upgrade procedure.
    Refer to Upgrading an ACS Server from 5.0 to 5.1 for more information on how to upgrade the ACS appliance.
    Please refer to Upgrading ACS Server 5.4 to 5.5 for the complete process.

  • ACS 5.0 Patches

    Hi all,
    Are there any patches available for the ACS 5.0 system 90 day eval?
    I'm evaluating ACS on the VMware platform.
    The 5-0-0-21-6.tar.tar patch doesn't seem to be a valid file to do it.
    The readme file talks about a .gpg file, but the patch I've downloaded is a .tar file and it is impossible to untar it.

    Yes , thanks,
    But that's not my question.
    What I said is that the patch file available on the Cisco site does not seem to be usable to load and run in the "ACS 5.0 features an improved, centralized management of software updates".
    I mean, I've searched for the patch file, stored it on my PC, activated a TFTP server and tried to run the patch from the GUI of the ACS; it stood still in the upgrading phase for a long time and nothing happened.
    In the ACS GUI the patch file is named .gpg, but on the Cisco site no gpg file exists!!
    So, what is the right file to do the upgrade?

  • Cisco ACS 4.2 Internal Error

    Good evening. I have a problem with ACS 4.2 and AD: on authentication on a PC I get an internal error. In RDS.log I have this line:
    Error UDB_NT_UNKNOWN_ERR authenticating (DOMAIN)\(USERNAME) - no response sent to NAS
    I already checked for physical layer problems; the switch is configured for dot1x and the CiscoSecure remote agent is installed.

    Hello,
    Is the Auth.log file also reporting "Windows authentication FAILED (error 6L)" for the same RDS timestamps/failure?
    Also, which ACS version (Include Patch) are you using? Are you authenticating against Windows Server 2003 or 2008 or 2008 R2 AD?
    NOTE: Remember that 2008 R2 AD is not supported by any ACS 4.x version.
    Also verify that you have complied with the following requirements:
    http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2/installation/guide/remote_agent/rawi.html#wp311476
    Verify which one applies for you as there are two options: Windows Member Server or Windows Domain Controller.
    Regards.

  • CIsco ACS 90 Days Trial

    Hello,
    I've been looking for the 90 day trial version of the Cisco ACS on Cisco.com. I've been able to find the trial for ACS 3.0; however, is there a newer version above 4.0 for Windows available for download? All I could find is patches and upgrades, but there is no full software available for download.
    Regards,
    Imran.

    Hi Imran,
    If you would like to have full software download for ACS windows, then please open up TAC case and we will publish files for you as only patches are available on cisco website.
    Thanks,
    Shilpa

  • Cisco ACS 5.2 (esx 4 vm) and Monitoring and Reports failure

    I am evaluating the Cisco ACS 5.2 Virtual Appliance on ESX4 and everything is working fine except for "Monitoring and Reports": no matter what browser I try, it just keeps loading new tabs of the welcome screen; in the case of some browser versions it does this and does not stop.
    I have tried the following browsers on Win7 Pro: IE 8, Firefox 4, Firefox 3, Chrome 12.
    I have tried the following browsers on MacOS 10.6: Firefox 4, Safari 5.0.5.
    In Safari 5.0.5 it calls up one new window, but doesn't load anything in the right hand frame.
    This is a fresh install, with an eval license. I am rather annoyed that it doesn't work out of the box, especially when there was no documentation that mentioned that anything needed to be set up for this to work after the initial install, unless I missed something.
    I installed the VM with the base 5.0.26 ISO and then applied patches 5.0.26-1 through 5.0.26-5.
    Can anyone provide any help on this?

  • Cisco ACS 5.4 Eval on Vmware Workstation demo

    I have a project to review Cisco ACS v5.4 for my client; not having a real ESXi server, I opted to use Workstation.
    I have the VM built using a 150GB file and am able to run the setup for domain and IP addressing as well as firewall settings and services.
    I'm using a C2811 for the NTP source and routing to other laptops in my lab.
    I am unable to web into the ACS server to access anything.
    Can someone please point me in the right direction on what I am missing besides an actual ESXi server?
    Regards,

    Followed this thread and I think I have it; it's in process and hopefully I can get it going.
    https://supportforums.cisco.com/message/3714114#3714114