Secondary ACS 5.1 fails to Deregister, after IP change on Primary

IP address of Primary had to be changed, to respond to a hardware failure of TACACS server with IP in many device configs.
Now the Secondary fails to respond to repeated "Deregister from Primary" requests, even after reload, apparently because it cannot reach the Primary at its old IP address.
Requesting Deregister in the GUI generates a pop-up that says, "This operation will deregister this ACS Instance from the Primary Instance. Management applications on this ACS instance will be restarted and you will be required to login again. After performing this operation please wait five minutes for this restart to complete. Do you wish to continue?" [ OK ]
But checking back after 10 minutes, or even the next day, finds the Secondary's status unchanged.
Also tried Local Mode, Deregister from Primary; this also fails.
Does anyone have a HOWTO URL on a total rebuild of the ACS application?
Both ACS are CACS-1121-K9 running 5.1.0.44.4.
Thanks in advance for any help...
*** UPDATE: ***
Recommended command, "application reset-config acs", was _exactly_ what was needed.
jrabinow - many thanks! :-)
Also, thank you for mentioning that the license would be required, so that I could locate it in advance and have it ready.
Since there were no local certs on the server, we did not need to re-install those.

Since this is a secondary, it should not have too much in terms of specific configuration.
Therefore one possibility is to reset the configuration so it once again becomes just a standalone node, and then register it back to the deployment as is done for any new node and as you previously registered it.
Resetting the configuration can be done using the following command at the CLI:
application reset-config acs
Note that after you reset the configuration you will need to reinstall the license, so make sure you have this to hand.
Also, if you had installed a server certificate for the secondary server, you would need that too.

Similar Messages

  • JWS Desktop shortcut fails to update after JNLP change in 1.6.0 update 18

    Has anyone else noticed the desktop shortcut fail to update after a change to the JNLP with the latest Java 1.6.0 update 18 release?
    Here are the steps we've found to replicate the issue on Windows XP, Vista, and Windows 7 using both IE and Firefox:
    1) Download a JWS application and allow the desktop link to be created
    2) Inspect the desktop shortcut and notice the path to the JNLP cache entry
    3) Modify the JNLP at the server
    4) Run the application via the desktop link - at this point the application will download updates and execute without issues.
    5) Close the application - upon close, JWS will remove the old JNLP cache entry if the JNLP contained the security/all-permissions directive
    6) Inspect the desktop shortcut again - notice that the path to the JNLP cache entry will remain unchanged
    7) Launch the application again using the desktop link - JWS will fail with a cache exception if the JNLP contained the security/all-permissions element or will just run from the old JNLP
    I've submitted a bug but just wanted to confirm that others are encountering the same issue.
    Thanks,
    Troy

    Thanks for confirming.
    This issue seems to continually creep into the Java releases. In the 1.6.0 releases, the issue is resolved in update 7 through update 11. Update 12, 13, and 14 all had various JNLP issues but I did find this specific issue with update 14. It was fixed again in update 15 and remained fixed through update 17.
    I submitted two bugs and provided a simple sample application on our production site to use for testing with a url to update the last modified time. If bug is accepted, I'll post it here for others to vote for a fix.

  • VCenter 6 fails to restart after IP change

    I changed the vCenter 6 IP from within web client.
    Since I had problems connecting to the new IP, I restarted the server via vSphere Client directly on the host using VMware Tools.
    After the restart, I can't connect to vCenter any more. Trying to connect via https shows me the following error:
    503 Service Unavailable (Failed to connect to endpoint: [N7Vmacore4Http20NamedPipeServiceSpecE:0x7f4158068bf0] _serverNamespace = / _isRedirect = false _pipeName =/var/run/vmware/vpxd-webserver-pipe)
    Then I directly used the console, enabled ssh and bash and logged in there.
    I tried to check the current IP settings via the script used in version 5.5 which still exists (/opt/vmware/share/vami/vami_config_net) but fails with multiple errors.
    Then, I tried to reset the certificates via certificate manager (/usr/lib/vmware-vmca/bin/certificate-manager), but I could not login via SSO (seems that SSO service could also not be started).
    Then, I had a look in the log files, and noticed a problem with vmware-vpxd:
    VC SSL certificate does not exist, it will be generated by vpxd
    This did not help either. I tried to manually start the service, with the same result.
    How can I fix my vCenter?

    I was able to start vmware-vpxd from the CLI but still no luck
    emon:  unused
    Checking for service rpcbind  running
    unknown
    Checking for service sendmail:  unused
    /dev/ttyS0 at 0x03f8 (irq = 4) is a 16550A
    /dev/ttyS1 at 0x02f8 (irq = 3) is a 16550A  running
    /usr/sbin/FOO not installed
    /bin/snmpd is not running
    unknown
    unknown
    Checking for service sshd  running
    Checking for stunnel (SSL tunnel):  unused
    Checking for service syslog:  running
    Checking for service uuidd  unused
    running (standalone: 5311)
    running (standalone: 5367)
    Warning: vmci status: unimplemented
    running (standalone: 5417)
    VMware CIS License Service is running: PID:10693, Wrapper:STARTED, Java:STARTED
    VMware Component Manager is running: PID:10134, Wrapper:STARTED, Java:STARTED
    VMware ESX Agent Manager is not running.
    VMware Inventory Service is not running.
    VMware Message Bus Config Service is not running.
    VMware ESXi dump collector is not running
    VMware Performance Charts Service is not running.
    Checking for /usr/bin/rbd-watchdog-linux:  unused
    VMware HTTP Reverse Proxy is running.
    VMware Service Control Agent is running: PID:10937, Wrapper:STARTED, Java:STARTED
    VMware vSphere Profile-Driven Storage Service is running: PID:18707, Wrapper:STARTED, Java:STARTED
    ensure environment variables are set
    Checking for VMware STS IDM Server ...  running
    ensure environment variables are set
    Checking for service vmware-stsd  running
    syslog is running, PID: 11999
    VMware Common Logging Service is running: PID:11339, Wrapper:STARTED, Java:STARTED
    vmtoolsd is running
    VGAuth daemon .
    vAPI Endpoint is running: PID:11563, Wrapper:STARTED, Java:STARTED
    VMware Content Library Service is running: PID:19194, Wrapper:STARTED, Java:STARTED
    Last login: Wed May 13 12:29:51 UTC 2015 on pts/0
    pg_ctl: server is running (PID: 12178)
    /opt/vmware/vpostgres/9.3/bin/postgres "-D" "/storage/db/vpostgres"
    VMware vCenter workflow manager is not running.
    vmware-vpxd is running
    VMware vService Manager is running: PID:27602, Wrapper:STARTED, Java:STARTED
    /usr/java/jre-vmware/bin/vmware-vws is running.
    Warning: vsock status: unimplemented
    VMware vSphere Web Client is running: PID:27919, Wrapper:STARTED, Java:STARTED
    Checking for service xinetd:  unused
    Checking for ypbind:

  • Database fail over problem after we change Concurrency Strategy:

    Hi, we had Concurrency Strategy: exclusive. Now we changed that to Database for performance
    reasons. Since we changed that, when we do an Oracle database fail over, WebLogic
    6.1 does not detect the database fail over and it needs to be rebooted.
    How can we resolve this?

    Hi,
    It is just failing one of the application servers; the developer wrote that when installing CI, the local hostname is written in the database and SDM. We will have to do a homogeneous system copy to change the name.
    The problem is that I used the virtual SAP group name in the CI and DI application servers; in SCS and ASCS we used virtual hostnames and it is OK according to the SAP developer.
    The start and instance profiles were checked and everything was fine, just the dispatcher from CI is having problems when coming from Node B to Node A.
    Regards

  • Adding failover ASA back after config changes on "primary" ASA?

    I had a working active/passive pair of ASA5510's, and then I had to do a rush firmware upgrade, but didn't have time to do it on the secondary at the same time.  Now I have made config changes and upgraded the secondary firmware to be the same, and wish to know if I plug it back in if it will think the secondary has the "correct" config or if it will know that the primary is newer.  I disconnected the failover cable because it was complaining about version mismatches constantly.
    Is it safe to add the secondary back in or is it possible it will be declared newer and overwrite the config?

    Hi,
    There should be no problem adding another ASA back to the network.
    Here is what I just did (and what happened) on a rather big customer:
    A power fault broke the Secondary ASA and it never booted up.
    A replacement device was acquired.
    The replacement device was:
    - Updated to matching hardware setup (mainly memory)
    - Updated to same software (OS and ASDM)
    - Configured with its physical interface up with "no shutdown"
    - Configured with ONLY "failover" configurations (exact configuration of course depends on your setup)
    It was attached to the rack and powered up.
    After boot every interface BUT "failover" was attached to the network (don't necessarily have to do it in this order) and I checked that every single one was up.
    After everything above was done I connected the failover interface and watched as the devices "noticed" each other and the Active firewall copied its configuration to the new Secondary unit.
    This was done in a factory environment and all went fine.
    There should be no problems doing this, though I personally still prefer doing the replacement by attaching a "blank" ASA with only Failover configurations.
    EDIT: Being that I am always paranoid when doing anything like this, I had of course saved the configurations to flash on a separate file for the worst case scenario and was ready to boot the original primary unit in case it took in something it wasn't supposed to.
    EDIT 2: In the case where you think the Secondary unit doesn't have the exact configuration of the Primary unit, you can issue the command write standby on the Primary unit to save/copy the COMPLETE configuration of the Primary unit to the Secondary. Think the "write mem" on the Primary unit only updates some changes you have made to the Secondary unit
    - Jouni

  • Services not starting after upgrading the secondary acs 4.0.1

    Hi
    I upgraded 2 ACS ver 3.3.2 servers to ver 4.0.1 the upgrade worked perfectly fine but when I restarted the secondary acs, the ACS services are on starting status and CSlogs service shows stopping.
    any idea why?
    thanks in advance.

    Hi,
    Seems like you are hitting CSCsc95237. You can check the following link for further information.
    http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsc95237&Submit=Search
    -Parm

  • ACS loses connection with AD occasionally after upgrade from 5.2 to 5.3.0.40

    ACS had been integrated with Active Directory before ACS upgrade to 5.3. After the ACS 5.3 upgrade users aren’t able to login to AAA devices occasionally. Error message is:
    {AuthenticationResult=Error; Type=Authentication; Authen-Reply-Status=Error; }
    24429 Could not establish connection with Active Directory
    At the same time, when this issue occurs, ACS connection to AD works fine (checked with Users and Identity Stores> External Identity Stores > Active Directory “Test Connection”)

    I had the same problem, I opened a Cisco TAC case and my issue was resolved.
    Sent: Tuesday, 14 August 2012 9:58 AM
    Subject: RE: 622739355 HelpDesk#SVR328332-2 : Troubleshoot Cisco ACS 1121 v5.3 With Windows Active Directory
    Hi Ramraj,
    Thanks for the link to the article, but from what I’ve seen in the logs I’m not sure that we’ve got the same root cause to the issue.
    From the ACSADAgent.log files I can see log messages like:
    Aug 11 11:10:56 CSSC-TPM-DC-ACS-1 adclient[5524]: DEBUG network.state NST: SniffList: postfailsort=mykulad11p.cssc.dksh.net
    Aug 11 11:10:56 CSSC-TPM-DC-ACS-1 adclient[5524]: DEBUG base.kerberos.adhelpers Encryption (id 1) is not supported by KDC. Try next in the list
    Aug 11 11:10:56 CSSC-TPM-DC-ACS-1 adclient[5524]: DEBUG base.osutil Module=Kerberos : KDC refused skey: KDC has no support for encryption type (reference base/adhelpers.cpp:216 rc: -1765328370)
    Aug 11 11:10:56 CSSC-TPM-DC-ACS-1 adclient[5524]: DEBUG base.adagent Unable to refresh computer credentials: KDC refused skey: KDC has no support for encryption type
    This lines up with the error message that we see in the TACACS+ Authentication logs:
    24493 ACS has problems communicating with Active Directory using its machine credentials.
    I have come across a NETBIOS limitation (it’s not an ACS bug, but a bug has been filed for tracking and documentation purposes) that prevents two ACSs from being connected to Active Directory at the same time if the first 15 characters of their hostnames are the same. The bug ID is CSCtj62342 and its externally visible details are available here: http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtj62342
    The hostname of the primary ACS is : MYMY-TPM-DC-ACS-1
    The hostname of the secondary ACS is: MYMY-TPM-DC-ACS-2
    From the hostnames, we can see that the first 16 characters of the hostnames are the same. What this means is that once the primary is connected to AD, after some time passes (this will depend on when the secondary goes and talks to AD) the secondary will lose its connection to AD and any authentications hitting the secondary will fail with the same error: 24493 ACS has problems communicating with Active Directory using its machine credentials.
    To resolve this issue, the hostnames of the ACSs will need to be changed so that the first 15 characters of their respective hostnames are not the same. Please keep in mind that this is a NETBIOS limitation and not a software bug.
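
The 15-character NetBIOS limitation described in the reply above can be checked before joining ACS nodes to AD. The following is an added example, not part of the original post or of Cisco's tooling; it assumes the NetBIOS name is the first DNS label, upper-cased and truncated to 15 characters, and the two `acs1-`/`acs2-` hostnames are constructed sample input.

```python
"""Added example: flag hostnames that collapse to the same NetBIOS name."""
from collections import defaultdict

NETBIOS_MAX = 15  # usable characters in a NetBIOS computer name


def netbios_name(hostname):
    """Assumed derivation: first DNS label, upper-cased, cut to 15 chars."""
    label = hostname.strip().split(".", 1)[0].upper()
    return label[:NETBIOS_MAX]


def shared_prefix_len(a, b):
    """Number of leading characters two hostnames have in common."""
    count = 0
    for x, y in zip(a.upper(), b.upper()):
        if x != y:
            break
        count += 1
    return count


def find_collisions(hostnames):
    """Map each NetBIOS name to the distinct host labels that share it.

    Only names claimed by more than one distinct host are returned, so
    listing the same host twice (short name and FQDN) is not a collision.
    """
    groups = defaultdict(set)
    for host in hostnames:
        label = host.strip().split(".", 1)[0].upper()
        if label:
            groups[label[:NETBIOS_MAX]].add(label)
    return {nb: sorted(labels) for nb, labels in groups.items()
            if len(labels) > 1}


# The first two names are the ones quoted in the post; the last two are
# constructed examples of a rename that moves the unique part forward.
SAMPLE_HOSTS = [
    "MYMY-TPM-DC-ACS-1",
    "MYMY-TPM-DC-ACS-2",
    "acs1-mymy-tpm-dc.example.net",
    "acs2-mymy-tpm-dc.example.net",
]

if __name__ == "__main__":
    for nb, hosts in find_collisions(SAMPLE_HOSTS).items():
        n = shared_prefix_len(hosts[0], hosts[1])
        print(f"COLLISION {nb}: {', '.join(hosts)} "
              f"(first {n} characters identical)")
```

Run against the planned hostnames of every node that will join the same domain; any reported group needs a rename that puts the distinguishing characters within the first 15.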

  • Adding secondary ACS server

    Presently I am using Cisco ACS version 4.1.1 build 23. Now I am planning to add a secondary server. After installing the new server, can anyone help me with what steps I need to configure?
    Do I need to configure all the devices on that server? Thanks in advance.

    Hi,
    You don't have to add each device on the secondary ACS once proper replication is configured between the two ACS servers.
    Make sure that replication is initiated and done by the primary ACS, replicated to the secondary ACS server.
    For more details on replication refer to the following link:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/SCAdv.html#wp756330
    HTH
    Regards,
    Ahmed

  • Safari and app store fail to work after installing Maverick, what can I do?

    Safari and app store fail to work after installing Maverick, what can I do?

    Disk Utility (Applications - Utilities - Disk Utility) Repair Disk Permissions 2x. Then restart in Safe Mode and try both apps. Restart normally and post results.

  • ColdFusion 8 Fails to start after update Java for Mac OSX 10.5 Update 4

    I have been using ColdFusion on a Mac for years. Now CF fails to start after I updated Java for Mac OS X 10.5 Update 4. I usually start by typing in the terminal window sudo /Applications/ColdFusion8/bin/ColdFusion start.
    There is a crash report but I don't know how to read it. See attached.
    Please help, I need this working for my job.
    Thanks...Colin

    Dear Craig,
    Macbook Pro 2.4GHz Intel Core 2 Duo 4 GB RAM
    I'm sure that this is 64-bit
    CF 8.0.1 Enterprise Build 3080
    I had moved the Java SE 6 to the top in both Plugin and Applications. The
    correct version is showing in the terminal window. See below.
    Last login: Thu Jun 18 11:27:09 on ttys001
    Beta-4:~ Colin$ java -version
    java version "1.6.0_13"
    Java(TM) SE Runtime Environment (build 1.6.0_13-b03-211)
    Java HotSpot(TM) 64-Bit Server VM (build 11.3-b02-83, mixed mode)
    Beta-4:~ Colin$
    CF will not start. I have the activity monitor open, and when I start CF you
    see it in the activity monitor for a few seconds as it starts up. When the
    message process is completed in the terminal window CF disappears in the
    activity monitor.
    Any suggestions?
    C
    Hi, Colin,
    My apologies but I forgot to ask 2 questions: (1) What kind of Mac you have
    (Intel or PowerPC)? (2) What version of CF are you running and what installer
    did you choose (8 or 8.0.1, 32-bit, 64-bit, etc.)?
    To start, try the following:
    1. Normally you'd shut CF down first ... but that's not necessary for you
    2. Open Java Preferences again
    3. Select Java SE 6 and move it (drag) to the top spot in both section (Applet
    Plugin and Applications)
    4. Open Terminal
    5. Type java -version (you should see 1.6.0_13 as the new version)
    6. Try to start CF again
    This may not work (I've had issues with it) but it's technically how it's
    supposed to work. With the Java Preferences utility, you're visually setting a
    default JVM (you can do it with commands in Terminal but this is much faster
    and easier).
    If CF still won't start, look for the jvm.config file in your CF application
    folder (try /Applications/ColdFusion8/bin or
    /Applications/ColdFusion8/runtime/bin -- the latter is where a jvm.config file
    is on my machine for a particular version of CF that's installed similar to
    yours). You can override the JVM in this file but, hopefully, that won't be
    necessary!
    Best,
    Craig

  • How can i get mountain lion reinstalled if my mac says apple id never purchased? hd failed 2 wks after wty expired, I am the original owner, i have done command-r

    how can i get mountain lion reinstalled if my mac says apple id never purchased? hd failed 2 wks after wty expired, I am the original owner, put another hd in, done command-r & sys reinstalled, but it wanted to update & now am stuck. I don't mind paying for mountain lion; it is too far to get to an apple store. but, i only have one mac, so i cannot download with another mac. lots of other apple, but only one mac.

    You will need to do a network recovery:
    Install Lion/Mountain Lion on a New HDD/SSD
    Be sure you backup your files to an external drive or second internal drive because the following procedure will remove everything from the hard drive.
    Boot to the Internet Recovery HD:
    Restart the computer and after the chime press and hold down the COMMAND-OPTION-R keys until a globe appears on the screen. Wait patiently - 15-20 minutes - until the Recovery main menu appears.
    Partition and Format the hard drive:
    1. Select Disk Utility from the main menu and click on the Continue button.
    2. After DU loads select your external hard drive (this is the entry with the mfgr.'s ID and size) from the left side list. Click on the Partition tab in the DU main window.
    3. Under the Volume Scheme heading set the number of partitions from the drop down menu to one. Click on the Options button, set the partition scheme to GUID then click on the OK button. Set the format type to Mac OS Extended (Journaled.) Click on the Partition button and wait until the process has completed. Quit DU and return to the main menu.
    Reinstall Lion/Mountain Lion: Select Reinstall Lion/Mountain Lion and click on the Install button. Be sure to select the correct drive to use if you have more than one.
    Note: You will need an active Internet connection. I suggest using Ethernet if possible because it is three times faster than wireless.

  • HT1349 ITunes failed to start after an upgrade, won't allow me to re-install saying "Apple Mobile Device failed to start, check for sufficient privileges"

    My ITunes library failed to start after an upgrade, now I'm unable to open or re-install.  Receive an error message stating that "apple mobile device failed to start, check to see that you have sufficient privileges to run system".  Any help with this?  I've tried un-installing and downloading only to get the same message again.

    Thank you to "turingtest2", solution for someone else worked for me as well!

  • Acrobat 8.1 fails to open after automatic update

    I installed CS3 a month ago and everything worked well until last week after an automatic update to Acrobat was installed. Since then, whenever I try to open Acrobat, I get the windows error "Adobe Acrobat 8.1 has encountered a problem and needs to close..." I tried to download and install the latest update but that didn't fix the problem.
    Also, I tried to report it to Adobe online but never got a response and now I can't find where I reported it to see what the status is.
    Any suggestions would be greatly appreciated.

    Still failing to launch after repairing permissions and restart.
    Part of the report says:
    AcroSecurityBailOutImpl
    It has always opened the file when I try a second or third time, though.
    It's just the first once or twice that it fails.

  • Acrobat fails to open after software update (end of March 2012) in Lion

    When opening a PDF in Acrobat x Pro the programme crashes, ever since I did a software update at the end of March 2012.
    I have also been having problems with emailing PDFs, with emails disappearing or getting corrupted.
    Seems worse if I have Firefox open at the same time.

    Still failing to launch after repairing permissions and restart.
    Part of the report says:
    AcroSecurityBailOutImpl
    It has always opened the file when I try a second or third time, though.
    It's just the first once or twice that it fails.

  • Multiple Oracle Homes - Oracle Listener fails to start after installation

    Just in case the listener fails to start after an oracle installation, please check the oracle ports in the listener.ora and tnsnames.ora, both of which are present in the following directory:
    ...\oracle\<SID>\<Ver>\NETWORK\ADMIN
    All installations should have separate listener ports eg. If the first installation has port 1527, the next one should be 1528 and so on..
    If they do not, manually change the ports and start the listeners.
    Also check SAP Note 98252. Although I didn't find it necessary (I think it applies only if you have a single listener for all oracle homes), it did give me an idea that there is some config problem in the .ora files.
    Also see the thread "Oracle Listener error in Import ABAP phase?" for related details.

    hi
    thanks for the help ,
    I have been using the SQL Server , i am totally blank about Oracle
    i am totally confused with this user, and hoststring
    i logged in to the enterprise manager using System and manager password
    But i cannot connect to any database using SQL Server
    i am not remembering any user name or password i have given during installation.
    the only thing i remember is
    Global databasename = (globedb) i have given
    For SID = globedb the same name i have given
    for sys ,i have given sysdb as password
    and for system i have given systemdb as password
    with this can i do anything
    when expand the schemas ,i can see the XDB,SCOTT and SYS . how can i login to this .
    if i want to login to the scott
    what would be the username,password,and hoststring. since i haven't set any password and username ,there would be some default username ,password, and hoststring.
    if any one can help me please help me
    thanks regards
