Help AAA Servers Database Replication

Similar Messages

• ACS 4.2 Database replication issue

  Hello Experts,
  Hope you are all doing well. I need your help in ACS database replication, I want to do replication between ACS servers. The issue i am facing is that there is no error in ACS replication log. It just says outbound replication started. and sits there no other error message is shown. I can successfully telnet secondary server's destination port 2000. But when i hit the replication button from primary server, i do not observe any hit count on my ASA ACL on which i allowed tcp 2000 for destination secondary server.I also checked my syslog server if there is any traffic denied between these 2 ACS servers but found nothing. I also did wireshark captures on the interfaces but no traffic is initiated when i press replicate now button. Initially i thought its a machine issue, but same behavior is shown when i swapped primary----to secondary. There are other applications running on both the servers which requires JAVA. Like Cisco IME etc. Can it be JAVA issue? Please help me out. i am using Release 4.2(0) Build 124 on both servers.Attached below is the Replication LOG snapshot,
  Regards,
  Rizwan.

  https://supportforums.cisco.com/discussion/11382366/problems-witch-acs-42-replication
  https://supportforums.cisco.com/discussion/11363046/replication-problem-acs-ver-42

• Replication overwrites the AAA servers table in the secondary server

  Hi,
  I've configured two ACS servers with replication but i noticed that when the replication takes place it overwrites the AAA servers table configured in the network configuration of the secondary server and that makes the next replication to fail because the two servers have the same configuration of AAA servers, if i uncheck the "Network Configuration Device tables" and the "Network Access Profiles" from the "Database Replication Setup" wich includes the AAA servers table I also missed the replication of the new network devices that are added in the master server.
  Do you know how can i exclude only the AAA servers table from the replication??
  Other thing is that I configured the Outbound replication as "Automatically triggered cascade", I'm not sure if this means that at the exactly moment that there is a change on the primary server it will replicate it to the secondary???? because if that is the case it is not doing it.
  Thanks in advance for your help

  Hi,
  I understand, thanks alot for making that clear!.
  I now have another situation and i was wondering if you can help me, i made some changes in the AAA servers trying to solve this situation but i wasn't able to, so i leave again the servers in the same way that they were configured by the time the replication was working but now it is not, in the master server i get this message:
  ERROR ACS 'LACSLVBCDVAS007' has denied replication request
  and in the second server i get this:
  ERROR Inbound database replication from ACS 'lacslvbcpvas011' denied - shared secret mismatch
  I've checked the same key configured for both and are the same, i've deleted the AAA servers and the configure them again, restart the services but the problem remains, dou you have any idea what this could be??
  Thanks in advance for your help.
  Best Regards,

• Help withpoor-man's database replication

  Hi All,
  We have a very small data model of six (6) tables and about 1500 records a day. Oracle 8i on SunOS.
  As part of a failsafe system we would like to develop a "poor man" database replication system.
  What we would like is, a hot swappable back up database server with fairly up-to-date information. To do this we are considering making incremental backup dump files of production data, copying them over, and loading them into the backup database at a given interval, say, every 1/2 hour.
  Does anyone have any experience with such a system or have any recommendations? My guess is this will be easier to implement than true database replication.
  As always, thanks for your help on this.
  Regards, David
  Valhalla, NY

  Looks like you will benefit from it..
  Old (pre-8i) method of standby implementation. (standby in hot-backup mode)
  1) Take a hot backup.
  2) Create a standby controlfile.
  3) Edit the parameter file to start looking at this controlfile. (that would mean change the instance_name also, (make sure you choose suitable parameters if this system will exist on the same server). Also Set log_archive_dest= to the location where you keep your archive logs.
  4) SQL> startup nomount
  SQL> startup mount standby database
  SQL> recover standby database; ---- NOTE you would like to put this in a script and Cron it.
  auto
  This would be a setup which would help you keep a hot backup, which recovers on its own, This backup, you will be able to use whenever you want. (As the only thing which would be different in this database would be standby controlfile, rest everything would be block-to-block same to the Primary).
  (This type of backup, should not require any type of liscencing [particularly if implemented on the same box] but it would be good to find it out).
  Sameer Zai.

• ACS internal database replication

  I have setup ACS internal database replication and it works once then the secondary config is overwritten and doesn't contain the AAA server of the primary.
  primary               - 10.100.253.25
  ACS 1113 running 4.2
  secondary          - 10.100.253.26
  ACS 1113 running 4.2
  Example of before and after
  Before replication
  The primary has these AAA servers listed under network components.
  self - 127.0.0.1
  acs2 - 10.100.253.26
  The secondary has these AAA servers listed under network components.
  self - 127.0.0.1
  acs1 - 10.100.253.25
  After replication
  The primary has these AAA servers listed under network components.
  self - 127.0.0.1
  acs2 - 10.100.253.26
  The secondary has these AAA servers listed under network components.
  self - 127.0.0.1
  acs2 - 10.100.253.26
  therefore after the first replication subsequent attempts will fail because the secondary won't accept attempts from unknown AAA servers. Is this to be expected or can I mitigate it in someway?

  Please try setting the original ip address by using "Set ip" Command from the console connection of the ACS Solution engine. Once you successfully changed the ip address, you can apply the patch 11 or above (latest is patch 16) on the ACS SE (This will fix the problem).
  In majority of cases set ip command fails but sometime works too.
  In case it doesn't help then we have 2 options:
  1.] Open a TAC case, send the database file to delete the entry.
  2.] If you are not intrested sending your database then try the below listed steps:
  In order to remove the loopback entry from the Database, we need to follow following steps,
  Please download ACS 4.2 trial from following link, if you do not have ACS Full version for Windows purchased.
  http://www.cisco.com/cgi-bin/tablebuild.pl/acs-win-eval- eval-ACS-4.2.0.124-SW.zip
  [1] Install eval version on Windows 2000/2003 server. Please also ensure that JAVA is installed on that server.
  [2] Take a backup from ACS SE from, System Configuration > ACS Backup >Backup Now.
  [3] Restore the database backup on ACS eval.
  [4] On eval ACS , go to Network Configuration > find the AAA Server entry with 127.0.0.1 entry. Edit it and give it some other IP for
  example, 1.1.1.1. Submit + Apply.
  [5] On eval, Restart CSAdmin service.
  [6] On eval, go back to Network Configuration and search for the changed IP address and delete that entry, Delete + Apply.
  [7] Take a backup from eval ACS, System Configuration > ACS Backup > Backup Now.
  [8] Restore the database backup from eval ACS into ACS SE from option, System Configuration > ACS Restore, choose the database backup. Check Check option "User and Group Database" and "CiscoSecure ACS System Configuration", then press Restore Now.
  [9] On ACS SE, go to Network Configuration, make sure that 127.0.0.1 entry is not there and for ACS SE's hostname we have the correct IP address. Go to Proxy Distribution Table > (Default). Move the server’s hostname entry that has correct IP for this ACS SE into "Forward To" column, if not already. Then press "Submit + Restart".
  Reference defect, CSCso36620 - Toggle nic command changes AAA server ip address to "127.0.0.1" in GUI.
  Regards,
  Jatin
  Do rate helpful posts-

• ACS Database Replication over VPN with overlapping Network Addresses

  We currently have two co-locations each situated in different provinces. We have two ACS servers which we want to deploy at each co-location. All our network equipments are behind PIX/ASA devices. Getting them to replicate over the VPN should be easy but in our case we have overlapping Network Addresses at both ends of the tunnels.
  As per Cisco data does not transit a NAT device when the two Cisco Secure ACS servers communicate and a successful database replication can occur only if the secondary ACS server perceives no change in the IP header or content of the data it receives. So that means we will not be able to Implement NAT to achiever this.
  Has any one of you faced this problem of replicating ACS Database over the VPN with overlapping Network Addresses and was anyone able to successfully solve this issue using a work around ?
  All provided info and comments are greatly appreciated.

  I can help with the 3005 setup if you decide to go that route.
  You will need to add 2 network list entries under Configuration>Policy Management>Traffic Management>Network Lists.
  You will need to configure a local and remote address. The local will be one of the public ip's for the site.(Provided by your ISP)The remote will be the device you are connecting to on the other end.
  You will also need to add a Nat Lan to Lan rule under Configuration>Policy Management>Traffic Management>Nat>Lan to Lan.
  Use a static Nat type. The rest will look similar to my example.
  Source(Local address)Translated(Public Ip Address used in the network local list)Remote(Ip address of the device on the other end)
  Now just create an Ipsec lan to lan tunnel. You will need to agree with the ISP on des type and auth type. Use you local and remote networks you created earlier.

• CiscoSecure ACS 4.1(1) Build 23 Patch 5 :database replication fails; possibly short timeout or dead

  Hi,
  Since some time we are struggling to get database replication working.
  On the primary server it is reporting the following on "Database Replication active.csv""
  07/21/2010
  14:22:58
  SZ0910
  WARNING
  ACS 'SZ0920' not replied to replication request - possibly short timeout or dead
  07/21/2010
  14:12:08
  SZ0910
  INFO
  Outbound replication cycle starting...
  In CSMon.log following is logged:
  CSMon 07/21/2010 14:12:11 A 1544 13760 Pausing the monitoring of CSAuth for duration 600
  CSMon 07/21/2010 14:12:11 A 1544 11640 Pausing the monitoring of CSLog for duration -1
  CSMon 07/21/2010 14:12:14 A 1544 13788 Pausing the monitoring of CSRadius for duration -1
  CSMon 07/21/2010 14:12:18 A 0641 3248 CSAuth: Paused State 0 6 Event Detected Level:2 Message:Service CSAuth has been suspended for a configured function to proceed. Monitoring will suspend until the service is restarted
  CSMon 07/21/2010 14:12:18 A 0641 3248 CSLog: Stopped State 0 6 Event Detected Level:2 Message:Service CSLog has been stopped or paused by the system. Monitoring will suspend until the service is restarted
  CSMon 07/21/2010 14:12:18 A 0641 3248 CSRadius: Stopped State 0 3 Event Detected Level:2 Message:Service CSRadius has been stopped or paused by the system. Monitoring will suspend until the service is restarted
  CSMon 07/21/2010 14:12:18 A 1544 7716 Pausing the monitoring of CSTacacs for duration -1
  CSMon 07/21/2010 14:12:28 A 0904 3248 Analysis: Level 2 'Service CSAuth has been suspended for a configured function to proceed. Monitoring will suspend until the service is restarted. Service CSLog has been stopped or paused by the system. Monitoring will suspend until the service is restarted. Service CSRadius has been stopped or paused by the system. Monitoring will suspend until the service is restarted. '
  CSMon 07/21/2010 14:12:33 E 0351 3248 Failed to log accounting packet to logger localCSLog
  CSMon 07/21/2010 14:12:33 A 0641 3248 CSTacacs: Stopped State 0 2 Event Detected Level:2 Message:Service CSTacacs has been stopped or paused by the system. Monitoring will suspend until the service is restarted
  CSMon 07/21/2010 14:12:43 A 0904 3248 Analysis: Level 2 'Service CSTacacs has been stopped or paused by the system. Monitoring will suspend until the service is restarted. '
  CSMon 07/21/2010 14:12:48 E 0351 3248 Failed to log accounting packet to logger localCSLog
  CSMon 07/21/2010 14:22:18 A 0641 3248 CSAuth: State 0 6 Event Detected Level:4 Message:Service pause timed out. Please check the timeout settings for Replication and Backup
  I have followed this checklist: https://supportforums.cisco.com/docs/DOC-8795 to make sure configs are ok.
  But still replication fails.
  There is no firewall in between.
  Both ACS servers running on MS Windows Server  2003, SP2.
  Can anybody help me in the right direction what could be possible cause of this or where else I can look for logging for further troubleshooting?
  Thanks in advance for your help.

  Hi,
  Since some time we are struggling to get database replication working.
  On the primary server it is reporting the following on "Database Replication active.csv""
  07/21/2010
  14:22:58
  SZ0910
  WARNING
  ACS 'SZ0920' not replied to replication request - possibly short timeout or dead
  07/21/2010
  14:12:08
  SZ0910
  INFO
  Outbound replication cycle starting...
  In CSMon.log following is logged:
  CSMon 07/21/2010 14:12:11 A 1544 13760 Pausing the monitoring of CSAuth for duration 600
  CSMon 07/21/2010 14:12:11 A 1544 11640 Pausing the monitoring of CSLog for duration -1
  CSMon 07/21/2010 14:12:14 A 1544 13788 Pausing the monitoring of CSRadius for duration -1
  CSMon
  07/21/2010 14:12:18 A 0641 3248 CSAuth: Paused State 0 6 Event Detected
  Level:2 Message:Service CSAuth has been suspended for a configured
  function to proceed. Monitoring will suspend until the service is
  restarted
  CSMon 07/21/2010 14:12:18 A 0641 3248 CSLog: Stopped State
  0 6 Event Detected Level:2 Message:Service CSLog has been stopped or
  paused by the system. Monitoring will suspend until the service is
  restarted
  CSMon 07/21/2010 14:12:18 A 0641 3248 CSRadius: Stopped
  State 0 3 Event Detected Level:2 Message:Service CSRadius has been
  stopped or paused by the system. Monitoring will suspend until the
  service is restarted
  CSMon 07/21/2010 14:12:18 A 1544 7716 Pausing the monitoring of CSTacacs for duration -1
  CSMon
  07/21/2010 14:12:28 A 0904 3248 Analysis: Level 2 'Service CSAuth has
  been suspended for a configured function to proceed. Monitoring will
  suspend until the service is restarted. Service CSLog has been stopped
  or paused by the system. Monitoring will suspend until the service is
  restarted. Service CSRadius has been stopped or paused by the system.
  Monitoring will suspend until the service is restarted. '
  CSMon 07/21/2010 14:12:33 E 0351 3248 Failed to log accounting packet to logger localCSLog
  CSMon
  07/21/2010 14:12:33 A 0641 3248 CSTacacs: Stopped State 0 2 Event
  Detected Level:2 Message:Service CSTacacs has been stopped or paused by
  the system. Monitoring will suspend until the service is restarted
  CSMon
  07/21/2010 14:12:43 A 0904 3248 Analysis: Level 2 'Service CSTacacs has
  been stopped or paused by the system. Monitoring will suspend until the
  service is restarted. '
  CSMon 07/21/2010 14:12:48 E 0351 3248 Failed to log accounting packet to logger localCSLog
  CSMon
  07/21/2010 14:22:18 A 0641 3248 CSAuth: State 0 6 Event Detected
  Level:4 Message:Service pause timed out. Please check the timeout
  settings for Replication and Backup
  I have followed this checklist: https://supportforums.cisco.com/docs/DOC-8795 to make sure configs are ok.
  But still replication fails.
  There is no firewall in between.
  Both ACS servers running on MS Windows Server  2003, SP2.
  Can
  anybody help me in the right direction what could be possible cause of
  this or where else I can look for logging for further troubleshooting?
  Thanks in advance for your help.
  Hi,
  Also check the port number TCP 2000 this is the replication port which needs to be opened between the primary and secondary ACS.
  Hope to Help !!
  Ganesh.H

• Problem in Database Replication in Oracle 9i

  i am trying to do database replication but am facing problems in 9i.i have two machines on network and both have a database created.i also have a common schema in both the database (testuser is the name of schema). i have created database links between the two machines and when i check the link through OEM console then it shows that database link is active.when i add object to my master group it shows the status as need generation and when it try to generate replication support for the same the status changes to DOINGGEN.i am not able to get the status to GENERATED.my database names on both machines are different.could that be a problem.do we need to have same database name on both machines.plz help me out with this and if possible give me step wise details of how to do replication.i have tired it by following the steps given in oracle documentation.

  use enterprise edition, i think you are using standered edition. moreover there should be primary key column in replicated tables.

• ACS 4.2 to ACS 5.4 database replication

  Hello All,
  I would like to know if its possible setup database replication from Cisco ACS 4.2 server to ACS 5.4 server ?
  Thanks in advance
  Mohsin Saleem

  Unfortunately, database replication (trigger update) cannot be performed as it requires both the ACS boxes to run same code.
  If you meant migration then yes that can be done.
  Migrating from ACS 4.x to ACS 5.4
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/user/guide/migrate.html
  Jatin Katyal
  - Do rate helpful posts -

• Problem with ACS 4.2 Database replication

  Greetings,
  I am not able to replicate Database between two ACS SE 4.2. I am getting the following error:
  Inbound database replication from ACS 'ACS_BEX_001' denied - shared secret mismatch.
  The configuration apparently is ok. I am attaching the configuration from both ACS.

  The solution posted by Nevin is correct, but I must add some explanations. I had the problem yesterday and I proceeded like Nevin told:
  - I connected to the console and made a "show".
  - The IP was the correct one, but as indicated I made a "set ip"
  - The system asked for the new IP, showing the old one between brackets: ie "New IP [10.10.10.1]:"
  - I pressed Intro, because the IP is correct.
  - After confirming the IP, mask, gateway and DNS the system asked me to verify connectivity. I did it and was correct.
  - The second time it asked to check connectivity I answered No. and nothing happened.
  - We checked through the web but the "Self" IP was still 127.0.0.1.
  - So I made the process again BUT this time I changed the the IP to another one. After finishing, (when I answered No to check connectivity) I saw that the system was stopping all ACS processes and starting then again.
  - In the web page the "Self" IP was the new one.
  - I made the process again changing the IP to the original one. This time also the system stopped and started all processes.
  - In the web page the "Self" IP was correct.
  - Now the replication worked correctly.
  So the problem was that the system is "inteligent" and if it discover that you don't change the IP (even if you change the DNS), it doesn't reconfigure it. So you must change to another IP (even a dummy one) and the change again to the correct one.
  I hope this can help to other people.

• OC4J 10.1.3 preview 4 cluster database replication is not working...

  Hi,
  We are trying to run OC4J 10.1.3 preview 4 standalone server in a cluster mode enabling database replication to persist session details during restarts.
  We have created the following:
  - JDBC Connection pool
  - JDBC data source
  - An entry in the application.xml for <cluster><protocol><.... </cluster>
  But it does seem to be working.
  And there is no change in stdout or stderr console log as well.
  It will be really helpful if you send your comments or answers if anybody have have implemented this succefully before!!
  Regards,
  DGKM

  gday DGKM --
  I can confirm that this works with the DP4 build.
  The easiest way to make sure you get the right entries are to configure this via the "clustering" wizard in Application Server Control at the end of the deployment process.
  So I'd recommend deploying the application again using ASC and using the cluster task, setting the protocol to be Database and specifying the datasource to use.
  cheers
  -steve-

• ACS SE Database replication fails

  Hello, I recently upgraded our ACS SEs from 4.0 to 4.1. All appeared to go OK but I checked the logs recently and saw the the database replication is failing with the message:
  ACS '[hostname]'is running a different version of ACS - aborting.
  All ACS SE were upgraded at the same time and display the same versions when examining the Appliance Upgrade page. Does anyone have any ideas what the problem is?
  Thanks in advance.

  Hi, I am having a related problem but in my case I am using ACS for Windows ver.4.0. I am replicating from one primary ACS to three other ACS using scheduled nightly replication.
  The problem is that the data is being updated on all three ACS servers, but in the database replication logs on the primary I get messages stating that "ACS-server-name replication failed possibly due to short time-out or dead". Moreover, not all three servers timeout. Sometimes one server timeout, and other times two servers timeout, etc.
  On the replicated servers logs, the only log, in case server times out, shows that "replication cycle starting....". while when replication is successfull, it also shows Replication cycle completed successfully.
  I have played around with the timeouts but the result is random. I have also checked if there are any bandwidth issues, but replication is scheduled at night with minimal network traffic and the servers are also not being used for authentications.
  Don't understand why I don't see successful messages all the time, specially when the data does get updated on the replica ACS.
  Thanks.
  MAG

• ACS Database Replication between SE and Windows

  I currently have 2 Windows ACS servers (4.0.1.27) in production and replicating databases. I also have a solution engine (appliance) running 4.1.4.13.7. I plan to upgrade the Windows ACS servers to 4.1.4.13.7 (same as the SE). I know that the software versions have to match for replication to work. Recently, I received conflicting information about database replication. I was told that a ACS SE (solution engine 1113) can not replicate to a Windows ACS server, even if the software versions match. Before I change my production environment, I thought would seek out additional input.

  Yes, you can replication acs windows with acs appliance. It works fine.
  Regards,
  ~JG

• How to force database replication after CUCM upgrade

  Hello All, I will be doing an upgrade to version 10.5 from 8.5 of CUCM. I've done this before and as documented started with the publisher and then subscriber. When I have done this I always wait and check Database replication via RTMT and the CLI.
  I'm always nervous as this process seems to take a long time. Is this just a waiting game or is there a command that I can force replication to my subscribers? How long should this process really take? I never know....
  Thanks,
  Dan

  Dan,
  Use "utils dbreplication runtimestate" to check the replication status of your servers in the cluster. The servers should show connected to the publisher and a status of 2
  Or you can use unified reporting to generate report on db replication as follows.
  Check Database Replication:
  Access Publisher CUCM GUI
  Navigate to Cisco Unified Reporting
  Select System Reports
  Select Unified CM Database Status
  Generate New Report
  In the Unified CM Database Status section of the report, expand the View Details under the All servers have a good replication status and confirm a Replicate State for all servers of “2” as follows:

• CUCM Database Replication Status MIB

  Hi Guys,
  Can you please help me whether we could monitor CCM database replication status through SNMP MIB or OID..
  Also please guide me in how to configure SNMP traps for the MIBS??
  Regards,
  Indrajith PC

  Hi,
  please take a look at the CUCM serviceability guide:
  http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/service/9_0/admin/CUCM_BK_C136FE37_00_cisco-unified-serviceability-administration-90/CUCM_BK_C136FE37_00_cisco-unified-serviceability-administration-guide_preface_00.html
  I'm afraid there's no trap generated when DB replication issues occur, so you might want to do periodic polling.
  The above referenced document contains some basic information which MIB's may be interesting to you and how to get them.
  Personally, I would download and register them all, and then just walk the whole tree and cherrypick ;-)
  G.