Unknown CA failure on ACS express
Hi forumers
I am trying to let users access the network by authenticating through ACS Express, which then maps to the AD server.
Somehow the error I get from the authentication report is FAILURE REASON: UNKNOWN CA
I tried to use a self-signed certificate, then downloaded the certificate, opened and copied the CSR, and pasted it into my CA server.
I'm using the Windows advanced certificate request option "Submit a certificate request by using a base-64-encoded CMC or PKCS#10 file...".
Somehow I got this error message (see attachment).
Question 1: Is this the right way to submit a CSR to a Windows CA server? Am I doing it right?
Question 2: If I am wrong, is there any guide to the proper way of installing a certificate on ACS Express so that it can talk to the AD server?
thanks
Noel
Hi,
Actually you do not need to have a signed certificate on the ACS Express to be able to join the AD...
However, if you still want to do it, then can you please send me the CSR? I can take a look and see if everything is ok...
HTH,
Tiago
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
Similar Messages
-
ACS express v5.0.1 fail to join AD
Hi,
I am trying to integrate my ADE 1010 appliance running ACS Express v5.0.1.1 with my DC running Windows 2008 Server Enterprise Edition SP2.
When I fill in the info at the domain configuration and test the connection, it succeeds, but once I try to save and join, it fails to join the domain.
Log extract from acsxp_adagent:
PMOACS AD-SCRIPTS: INFO AD script executed from IP: 10.169.2.100 script: /cgi/adjoindomain.pl/cgi/adjoindomain.pl args: DM=jpmosp.xxx.yy&UN=administrator&CN=OU%3DACS&PDC=jpmosp.xxx.yy&PW=******
PMOACS AD-SCRIPTS: INFO AD join container used: OU=ACS
PMOACS AD-SCRIPTS: INFO AD join Preferred Domain Server used: jpmosp.xxx.yy
PMOACS AD-SCRIPTS: INFO AD join container used: OU=ACS
PMOACS AD-SCRIPTS: INFO AD join Preferred Domain Server used: jpmosp.xxx.yy
PMOACS AD-SCRIPTS: INFO AD join command used: /opt/CSCOacsxp/adagent/bin/adjoin -u "administrator" -p "******" -z NULL --noconf "jpmosp.xxx.yy" -s "jpmosp.xxx.yy"
PMOACS AD-SCRIPTS: CRITICAL Unknown status returned from adjoin
PMOACS AD-SCRIPTS: WARN --- BEGIN FILE LOG FOR /opt/CSCOacsxp/temp/adjoindata.8870 ---
PMOACS AD-SCRIPTS: WARN Cannot resolve computer name "pmoacs" in DNS or /etc/hosts
PMOACS AD-SCRIPTS: WARN Please edit /etc/hosts or your DNS server to set your hostname correctly
PMOACS AD-SCRIPTS: WARN or use --name option to override this check.
What I did on my Windows 2008 server:
1. Logged in as the administrator, created a container named "acs", and inside it created a computer named "pmoacs".
2. The appliance clock tallies with the AD DC server; no time skew problem.
What I did on my Cisco ADE 1010:
1. Initial setup only.
Thank you
N
Hi,
This is the relevant error message:
"WARN Cannot resolve computer name "pmoacs" in DNS or /etc/hosts"
Please make sure you have the acs hostname configured on the DNS server.
The ACS must be able to resolve its own hostname, otherwise this will fail.
HTH,
Tiago
-
ACS Express integration with Active Directory
Hello,
I have ACS Express version 5.0.1 installed on Cisco ADE; I'm trying to get it integrated with an Active Directory without success.
I did packet captures on the ASA that is in between and I can see communication going thru just fine. I ran a diagnostic on the ACS express and got this:
DIAGNOSTIC USING THE IP ADDRESS OF THE DOMAIN CONTROLLER:
Output of AD Domain Diagnostics:
IP Diagnostics
Local host name: he-zfm-acs-01
Local IP Address: 172.31.67.10
Not found in DNS!Make sure it is in Reverse Lookup Zone.
FQDN host name:he-zfm-acs-01.clarocr.americamovil.ca1
Domain Diagnostics:
Domain: 172.24.2.93
Subnet site:
WARNING! Unable to locate computer's subnet site in Active Directory.
Ask your Active Directory administrator to add this computer's subnet
to the appropriate site.
DNS query for: _ldap._tcp.172.24.2.93
Found no SRV records!
Computer Account Diagnostics
Not joined to any domain
AD Agent Process Status: Not joined to any domain
DIAGNOSTIC USING THE AD REALM:
Output of AD Domain Diagnostics:
IP Diagnostics
Local host name: he-zfm-acs-01
Local IP Address: 172.31.67.10
FQDN host name:he-zfm-acs-02.clarocr.americamovil.ca1
Domain Diagnostics:
Domain: CLAROCR.AMERICAMOVIL.CA1
Subnet site: TELECOM
DNS query for: _ldap._tcp.CLAROCR.AMERICAMOVIL.CA1
Found SRV records:
rom-pro-dc-03.clarocr.americamovil.ca1:389
Testing Active Directory connectivity:
Domain Controller: rom-pro-dc-03.clarocr.americamovil.ca1
ldap: 389/tcp - good
ldap: 389/udp - good
smb: 445/tcp - good
kdc: 88/tcp - good
kpasswd: 464/tcp - good
ntp: 123/udp - good
Domain Controller: rom-pro-dc-03.clarocr.americamovil.ca1:389
Domain controller type: Windows 2003
Domain Name: CLAROCR.AMERICAMOVIL.CA1
isGlobalCatalogReady: TRUE
domainFunctionality:
forestFunctionality: 0 = (DS_BEHAVIOR_WIN2000)
domainControllerFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
Forest Name: AMERICAMOVIL.CA1
DNS query for: _gc._tcp.AMERICAMOVIL.CA1
Testing Active Directory connectivity:
Global Catalog: rom-des-dc-01.desa1sv.americamovil.ca1
gc: 3268/tcp - timeout
No TCP LDAP response, giving up on rom-des-dc-01.desa1sv.americamovil.ca1
Global Catalog: rom-amv-dc-02.americamovil.ca1
gc: 3268/tcp - good
Global Catalog: rom-tlc-dc-01.telecom.americamovil.ca1
gc: 3268/tcp - good
Global Catalog: rom-pro-dc-03.clarocr.americamovil.ca1
gc: 3268/tcp - good
Global Catalog: rom-tlc-dc-02.telecom.americamovil.ca1
gc: 3268/tcp - good
Global Catalog: rom-amv-dc-01.americamovil.ca1
gc: 3268/tcp - good
Domain Controller: rom-amv-dc-02.americamovil.ca1:3268
Domain controller type: Windows 2003
Domain Name: AMERICAMOVIL.CA1
isGlobalCatalogReady: TRUE
domainFunctionality:
forestFunctionality: 0 = (DS_BEHAVIOR_WIN2000)
domainControllerFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
Domain Controller: rom-tlc-dc-01.telecom.americamovil.ca1:3268
Domain controller type: Windows 2003
Domain Name: TELECOM.AMERICAMOVIL.CA1
isGlobalCatalogReady: TRUE
domainFunctionality:
forestFunctionality: 0 = (DS_BEHAVIOR_WIN2000)
domainControllerFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
Domain Controller: rom-pro-dc-03.clarocr.americamovil.ca1:3268
Domain controller type: Windows 2003
Domain Name: CLAROCR.AMERICAMOVIL.CA1
isGlobalCatalogReady: TRUE
domainFunctionality:
forestFunctionality: 0 = (DS_BEHAVIOR_WIN2000)
domainControllerFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
Domain Controller: rom-tlc-dc-02.telecom.americamovil.ca1:3268
Domain controller type: Windows 2003
Domain Name: TELECOM.AMERICAMOVIL.CA1
isGlobalCatalogReady: TRUE
domainFunctionality:
forestFunctionality: 0 = (DS_BEHAVIOR_WIN2000)
domainControllerFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
Domain Controller: rom-amv-dc-01.americamovil.ca1:3268
Domain controller type: Windows 2003
Domain Name: AMERICAMOVIL.CA1
isGlobalCatalogReady: TRUE
domainFunctionality:
forestFunctionality: 0 = (DS_BEHAVIOR_WIN2000)
domainControllerFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
Forest Name: AMERICAMOVIL.CA1
Computer Account Diagnostics
Not joined to any domain
AD Agent Process Status: Not joined to any domain
Dennis,
Time in sync on the ACS and AD servers?
Faisal -
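For the "ACS Express integration with Active Directory" thread above, an added example (not part of the thread and not Cisco code): a small Python parser for the AD Domain Diagnostics text format quoted in the post, which flags reverse-DNS gaps, a domain entered as an IP address, missing SRV records, unreachable service ports and a host name that disagrees with the FQDN. The function name and finding codes are made up for this illustration, and the two sample inputs are abridged from the runs in the post.

```python
import ipaddress
import re

# Sample inputs: abridged from the two diagnostic runs quoted in the post.
SAMPLE_BY_IP = """\
IP Diagnostics
Local host name: he-zfm-acs-01
Local IP Address: 172.31.67.10
Not found in DNS!Make sure it is in Reverse Lookup Zone.
FQDN host name:he-zfm-acs-01.clarocr.americamovil.ca1
Domain Diagnostics:
Domain: 172.24.2.93
DNS query for: _ldap._tcp.172.24.2.93
Found no SRV records!
Computer Account Diagnostics
Not joined to any domain
"""

SAMPLE_BY_REALM = """\
IP Diagnostics
Local host name: he-zfm-acs-01
Local IP Address: 172.31.67.10
FQDN host name:he-zfm-acs-02.clarocr.americamovil.ca1
Domain Diagnostics:
Domain: CLAROCR.AMERICAMOVIL.CA1
DNS query for: _ldap._tcp.CLAROCR.AMERICAMOVIL.CA1
Found SRV records:
rom-pro-dc-03.clarocr.americamovil.ca1:389
Domain Controller: rom-pro-dc-03.clarocr.americamovil.ca1
ldap: 389/tcp - good
kdc: 88/tcp - good
Global Catalog: rom-des-dc-01.desa1sv.americamovil.ca1
gc: 3268/tcp - timeout
Global Catalog: rom-amv-dc-02.americamovil.ca1
gc: 3268/tcp - good
Computer Account Diagnostics
Not joined to any domain
"""

# Matches service probe lines such as "gc: 3268/tcp - timeout".
PORT_RE = re.compile(
    r"^(?P<svc>\w+): (?P<port>\d+)/(?P<proto>tcp|udp) - (?P<status>\w+)$"
)


def _is_ip(value):
    """True when the 'Domain:' field holds an IP address instead of a DNS name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _value(line):
    """Text after the first colon, e.g. the host in 'Global Catalog: host'."""
    return line.split(":", 1)[1].strip()


def review_ad_diagnostics(text):
    """Return a list of (code, detail) findings (hypothetical codes)."""
    findings = []
    host = fqdn = target = query = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Local host name:"):
            host = _value(line).lower()
        elif line.startswith("FQDN host name:"):
            fqdn = _value(line).lower()
        elif line.startswith("Not found in DNS"):
            findings.append(("REVERSE_DNS_MISSING", "appliance IP has no PTR record"))
        elif line.startswith("Domain:"):
            if _is_ip(_value(line)):
                # SRV lookups are keyed on the AD DNS domain name, not an address.
                findings.append(("DOMAIN_IS_IP", _value(line)))
        elif line.startswith("DNS query for:"):
            query = _value(line)
        elif line.startswith("Found no SRV records"):
            findings.append(("NO_SRV_RECORDS", query or "unknown query"))
        elif line.startswith(("Domain Controller:", "Global Catalog:")):
            target = _value(line)
        elif (m := PORT_RE.match(line)) and m["status"] != "good":
            detail = f"{target} {m['svc']} {m['port']}/{m['proto']}: {m['status']}"
            findings.append(("PORT_UNREACHABLE", detail))
        elif line.startswith("Not joined to any domain"):
            findings.append(("NOT_JOINED", "computer account is not joined"))
    # Heuristic: the short host name should be the first label of the FQDN.
    if host and fqdn and fqdn.split(".")[0] != host:
        findings.append(("HOSTNAME_MISMATCH", f"{host} vs {fqdn}"))
    return findings


if __name__ == "__main__":
    for name, sample in (("by IP", SAMPLE_BY_IP), ("by realm", SAMPLE_BY_REALM)):
        print(name)
        for code, detail in review_ad_diagnostics(sample):
            print(f"  {code}: {detail}")
```
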
ACS Express radius authentication AD authorization
I work at a University and for some reason we have multiple systems for authentication and authorization. That being said, I am trying to use radius to do authentication and AD for authorization for VPNs. I have the radius authentication working against our radius server. I have my ACS Express set up to join the AD domain and everything looks good there. I set up the AD server as a radius object in AAA server groups on my ASA. Then I add the server below in the servers in selected groups window. I put all the info in there and when I hit test I click authorization and put in the username that I know is in the domain group I have associated with this on the ACS. The test fails with authorization failed with invalid password. When I look at the logs on the ACS I see
01/06/2011 20:14:26 acsxp/server Warning Server 0 AD Agent Plain Text Authentication Failed for user: username@domain
01/06/2011 20:14:26 acsxp/server Warning Server 0 Authentication for user username failed for reason = 0
01/06/2011 20:14:26 acsxp/server Error Protocol 0 Request from 172.20.5.2: User username rejected . by RemoteServer: AD (InvalidPassword).
Username and domain are correct; I just edited them for posting. It seems like it is trying to authenticate rather than authorize. All I want it to do is say yes the user is in this group or no the user is not in this group? You can't even fill in the password when testing authorization? Maybe I have something set up wrong on the ACS side, but when I look at AD under users and identity stores, it says it is joined to the domain. When I do AD domain diagnostics under troubleshooting everything looks good. I have the ASA I am testing from defined as a device and in the ASA device group. Under access services in Radius access services I have one service that I set up that connects to the AD, and it found the group so I know it is connecting. Any idea what I am doing wrong or where to look?
Any help would be GREATLY appreciated!
Thanks
Joe
Hi Joe,
We could take a deeper look at what is happening through some logs and debugs:
1. On ACS Express, under
Reports & Troubleshooting > Troubleshooting > Server Logs
please set the Express Server Trace Level to 5 and the Web Server Trace Level to 4.
Also, for the Log Level under OS Logging, please set its value to "Debug".
If previous old logs are not essential to you, you may also wanna delete all the log files first, so that we capture logs for the last day only.
2. On the ASA, please enable the following debugs
debug aaa authentication
debug aaa authorization
debug radius
3. Then please first recreate a successful authentication attempt, and then recreate the authorization test issue with the same user account for which you tested the successful authentication.
4. After the issue is recreated, please attach the debugs from the ASA and following files from the ACS Server Logs:
acsxp_adagent.log
acsxp_agent_server.log
acsxp_mcd.log
acsxp_server.log
acsxp_server_trace.log
Regards,
Fede
-
ACS Express 5.0 - "unique authentication" what does it mean?
Hi to all,
the ACS Express 5.0 datasheet states: "Cisco ACS Express supports a maximum of 50 AAA clients and 350 unique user logins in a 24-hour period"
The meaning of the max 50 AAA clients is clear... what is not clear is the meaning of the max 350 unique user authentications.
If I use 802.1 IBNS with PEAP-MSCHAP to do machine authentication, each machine authentication will count as a unique logon... won't it? What happens if there are laptops assigned to sales which spend a lot of time out of the office?
Each time these laptops reconnect to the network, will it count as an extra logon and increase the logon counter by one, or, since the laptop was already authenticated in the morning, won't it count as an extra unique logon?
My question is related to the fact that I have a customer who wants to introduce IBNS-802.1X but has "only" 20-25 AAA clients and max. 200 users (where about 100 are laptops)... and using ACS 5.0 in a redundant way will be too expensive...
Thanks for a reply
Omar
The ACS Express 5.0 Appliance is designed for a maximum of 350 users. This limit does not apply to the number of logins.
Cisco Secure Access Control Server Express 5.0 QA
http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps5698/ps6767/ps8543/ps8724/prod_qas0900aecd806d3a4d.html
Q. How is Cisco Secure ACS Express positioned in comparison to Cisco Secure ACS for Windows (ACS Windows) and Cisco Secure ACS Solution Engine (ACS SE)?
A. ...Cisco Secure ACS Express is well suited for deployments that need an access control solution for fewer than 350 users and 50 devices. This product is intended to serve small to medium-sized businesses, retail sites and enterprise branch offices where customers need an easy-to-use GUI yet require a comprehensive but simple feature set and a lower price point to address their specific deployment needs.
For a detailed feature set, please refer to the Cisco Secure ACS Express data sheet at http://www.cisco.com/go/acsexp.... -
Netstorage in VO : Unknown connection failure 500
Hi,
When I access Netstorage within Virtual Office I get the following message:
NetStorage getData:PortalURLException
URL = https://virtualoffice.rademaker.nl:4...et/xtier-login
Unknown Connection Failure :500
This happened after patching the server (SLES9SP2 (OES linux) to the latest
available patches.
I already reset the owner of /opt/novell/netstorage and below directories to
wwwrun:www
The same for /opt/novell/netstorage (acc. TID 3944596)
However, still the same error message.
I checked out the /var/log/messages file and found this :
Mar 26 20:27:32 orion httpd2-worker: XSrvCChannel::connectSocket- Connection creation failed, error = 111
Mar 26 20:27:32 orion httpd2-worker: XSrvCChannel::init- Connection creation failed, error = 111
Mar 26 20:27:32 orion httpd2-worker: IPCCLNT -getCChannel- Channel Initialization failed for socket /var/opt/novell/xtier/xsrvd/srv-socket-18
Mar 26 20:27:32 orion httpd2-worker: IPCCLNT -SubmitReq- Channel unavailable
Mar 26 20:27:32 orion httpd2-worker: IPCCLNT -SubmitReq- Will attempt to retry RPC, count = 1
Mar 26 20:27:32 orion httpd2-worker: XSrvCChannel::connectSocket- Connection creation failed, error = 111
Mar 26 20:27:32 orion httpd2-worker: XSrvCChannel::init- Connection creation failed, error = 111
Mar 26 20:27:32 orion httpd2-worker: IPCCLNT -getCChannel- Channel Initialization failed for socket /var/opt/novell/xtier/xsrvd/srv-socket-18
Mar 26 20:27:32 orion httpd2-worker: IPCCLNT -SubmitReq- Channel unavailable
Mar 26 20:27:32 orion httpd2-worker: IPCCLNT -SubmitReq- Will attempt to retry RPC, count = 2
Mar 26 20:27:32 orion httpd2-worker: XSrvCChannel::connectSocket- Connection creation failed, error = 111
Mar 26 20:27:32 orion httpd2-worker: XSrvCChannel::init- Connection creation failed, error = 111
Mar 26 20:27:32 orion httpd2-worker: IPCCLNT -getCChannel- Channel Initialization failed for socket /var/opt/novell/xtier/xsrvd/srv-socket-18
Mar 26 20:27:32 orion httpd2-worker: IPCCLNT -SubmitReq- Channel unavailable
Mar 26 20:27:32 orion httpd2-worker: IPCCLNT -SubmitReq- Will attempt to retry RPC, count = 3
I checked out TID 3593388, verified everything, but it looks like it is all
ok.
Anyone experienced the same, or is maybe reconfiguring netstorage in the
yast - network services- the best option?
Any help would be really appreciated.
Best regards,
John M.
Hi,
I know the solution. You can buy it for $500. Novell does not patch their
products properly.
Most of all your current solution breaks. But I can fix it for you.
regards,
Pieter
-
Import Wizard: Unknown export failure
Hi -
We have about 30 universes in 3.1 SP2 and I am having a problem exporting 2 of them to a .biar file. I get the Unknown export failure message in the Export View Log window. I am able to export all of the other universes, including the corresponding Test universes that created the problem ones (copy through export in Designer) and direct copies of the problem ones (copied to new folder).
The log files state:
"Type","ID","New CUID","Title","Severity Code","Severity","Details"
"CrystalEnterprise.Folder","3715","AYEywY5nSSNHoy1.hQm8NZ8","APPLICATION Universes","4","Error","Unknown export failure."
"CrystalEnterprise.MetaData.DataConnection","4874","AStHrjF7ETVNvIIvq4xffXs","APPLICATION CONN","4","Error","Unknown export failure."
"CrystalEnterprise.Universe","3600","AYtNIib.5cdHuy0oa7Mm3yA","APPLICATION UNIV48 Summary","4","Error","Unknown export failure."
"CrystalEnterprise.Universe","3599","Aeih7_KjLvpEoKViEcsfxNc","APPLICATION UNIV48","4","Error","Unknown export failure."
"CrystalEnterprise.CustomRole","6658","Aaw6myUxTcdCsXdSV0vIEyM","Admin_Access","4","Error","Unknown export failure."
"CrystalEnterprise.CustomRole","193","AVog52Tl72ZGvIReeqKndUA","Full Control","4","Error","Unknown export failure."
"CrystalEnterprise.CustomRole","6659","AXZTQBwYYptJttalHxxbYqQ","User_Access","4","Error","Unknown export failure."
Source Type: BusinessObjects Enterprise XI 3.x
System: DC38-SNR-WEB01
User: Administrator
Authentication: Enterprise
Destination Type: Business Intelligence Archive Resource (BIAR) File
BIAR file: C:\Users\joness\Desktop\test.biar
Import universes
Import custom access levels
Import universe and connection objects that the selected documents use directly, as well as any other universe and connection objects they depend on.
ID: 3715
Title: APPLICATION Universes
Details - Error: Unknown export failure.
ID: 4874
Title: APPLICATION CONN
Details - Error: Unknown export failure.
ID: 3600
Title: APPLICATION UNIV48 Summary
Details - Error: Unknown export failure.
ID: 3599
Title: APPLICATION UNIV48
Details - Error: Unknown export failure.
ID: 6658
Title: Admin_Access
Details - Error: Unknown export failure.
ID: 193
Title: Full Control
Details - Error: Unknown export failure.
ID: 6659
Title: User_Access
Details - Error: Unknown export failure.
Error! Failed to write out object IDs map to ids file.
Any idea?
Thanks in advance....
This thread is being moved from "BusinessObjects General" forum to "BusinessObjects Enterprise Administration" forum to be more in-line with the nature of the question.
-
ACS Express 5.0 vs ACS 5.0
What's the difference between the two?
- Cisco Secure ACS Express 5.0
- Cisco Secure Access Control System 5.0
ACS Express 5.0
http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps5698/ps6767/ps8543/ps8724/product_data_sheet0900aecd806d3b78.html
ACS 5
http://cisco.com/en/US/prod/collateral/netmgtsw/ps5698/ps6767/ps9911/ps9915/product_bulletin_c25-504495.html
-
Disable SSH version1 in ACS Express 5.0
Hi,
Does anybody know if it is possible to disable SSH v1 in ACS Express installed on ADE 1010?
Appreciate anybody's feedback
Thanks.
NetMaint
Hi,
This was required by our client to disable SSH v1 after the infosec audit.
Can this be done? I tried digging but can't find any info. If this can't be done at least provide me some link so I can feedback to our client.
Appreciate your reply.
Regards, NetMaint
-
Join acs express to active directory domain
I have a problem joining ACS Express to an Active Directory domain. Both are reachable to each other in the same subnet and there are no firewalls between them, but when I test the connectivity it gives this error:
" required service unavailable. DNS is setup correctly , and the domain controller is reachable , however , one of the required services, such as ldap,kerberos, or global catalog service is not available. This issue may arise if there is a firewall between AD domain controller, and the ACS Express appliance"
It sounds like bug CSCsw29387, Join AD domain, with one DC down fails. If the ACS Express is trying to join an AD domain in a multi domain controller environment and one of the domain controllers is down, the ACS Express will fail to join the domain.
-
Does MARS support ACS Express 5.0?
Hi guys... Does anyone know whether MARS supports ACS Express 5.0? I tried to add the ACS Express 5.0 device, but this version of ACS was not listed on the Reporting Applications tab of Cisco MARS.
Thanks all.
MARS does not support ACS Express 5.0
Only ACS version 3.x and 4.x are supported as per the following document:
http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/compatibility/local_controller/dtlc60x.html#wp75381
Hope that helps.
-
Hi All,
I've set up ACS Express and tried to join it to MS AD. Connectivity passed, but it says "Saved settings, but error in joining domain. Error: Timeout occured communicating with AD domain controller."
Any suggestion would be very much appreciated.
Alex
Alex,
Check for communication issues between AD and your express server. Also verify that time is not off by more than 5 minutes.
HTH,
Faisal
-
ACS Express upgrade for native Linux OS
I'm running ACS Express 5.0.0.18. A recent security scan flagged the ACS as running outdated versions of Apache and Tomcat, plus other issues. Will the 5.0.1.1 upgrade package perform an update on these components? If so, what will be the updated versions, given that the upgrade package is over one year old? Are there any other alternatives for bringing the OS components up to date? Any advice is appreciated.
Regards,
Mike
Hi Mike,
what are the exact vulnerabilities you're referring to?
I ask this as there are some known issues affecting also the ACS Express version 5.0.1.1, such as the following ones:
* CSCtg52362:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtg52362
* CSCtg52369:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtg52369
We don't have precise ETA for the fix yet, but you may monitor the above bugs to get notified about updates.
In any case, you have to wait for the next patch to be out to get this fixed.
In the meantime I would also recommend mitigating the impact of those issues by preventing non-admin workstations from having access to the ACS GUI (e.g. with a firewall or ACL); in any case this is good practice, as these web pages should not be reachable by non-admin staff (nor by external internet users, of course).
In any case, if you need for further assistance on this, please open a TAC case, so we can verify this in more details.
Thanks!
Regards,
Federico
If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.
-
ITunes/Windows - Unknown synchronisation failure
When synchronisation is being done with my Outlook Agenda there is an unknown (-50) failure. Contacts is no problem, but Agenda is refusing due to above error #. Someone any idea ?
Although I can understand your frustration, I feel the need to point out that this is a user-to-user forum. It is, perhaps, not the most effective way to contact Apple. I would suggest the iTunes feedback menu option.
-
Hi all,
I'm trying to join an ACS express (5.0) to AD. Communication between ACS and AD DCs is correct, but when trying to join the domain I get the following warning:
1. Saved settings, but error in joining domain. Error: Domain Controller not reachable by name. DNS is setup correctly, however the domain controller is not reachable via the name that is in DNS. This can be caused by the domain controller being unavailable. It may also be caused by the DNS domain name not matching between the AD domain controller and ACS Express appliance.
I have verified that the domain controller is reachable by name, and actually in the logs I can see that at some point the ACS tries to create the computer name in the location specified:
Sep 6 16:28:59 IRMXACSE adjoin[14632]: DEBUG base.bind.ldap xxxxxx.mx.hdi.com:389 fetch dn="<WKGUID=aa312825768811d1aded00c04fd8d5cd,DC=mx,DC=hdi,DC=com>" filter="(objectclass=*)" (erased name)
ACS tries to create a zone, but at some point the following error message appears:
Sep 6 16:28:59 IRMXACSE adjoin[14632]: DEBUG base.osutil GSSKerberos::initSecurityContext - gss_init_sec_context failed (reference ../smb/utils/gsskerberos.cpp:177 rc: -1765328377)
At that point, the binding fails and ACS fails to join the domain.
Any help is highly appreciated,
Thanks!!!
That error resolves to KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (-1765328377L). Usually, this is due to either
a missing Service Principal name for AD account or the SPN not being recognized by KDC. Can you double-check
that it's in a host/domain.name format?
Also, what OS is on the DC you're using? We've seen this error with 2008 DCs and Express 5.0, which was
resolved by upgrading to 5.0.1.
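The return-code lookup used in the reply above, as an added example that is not part of the original thread: it pulls the `rc:` value out of adjoin debug lines and converts it to the RFC 4120 error number by subtracting the MIT krb5 error-table base. The function names and the hint texts are illustrative, and the second and third sample lines are constructed.

```python
import re

# Base of the MIT krb5 com_err table: library rc = base + RFC 4120 error number.
KRB5_TABLE_BASE = -1765328384

# Subset of RFC 4120 error numbers that matter for a domain join, with a first check.
KDC_ERRORS = {
    6: ("KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN", "join account name or realm is wrong"),
    7: ("KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN", "SPN missing or not in host/domain.name form"),
    14: ("KRB5KDC_ERR_ETYPE_NOSUPP", "no encryption type common to appliance and KDC"),
    24: ("KRB5KDC_ERR_PREAUTH_FAILED", "wrong password for the join account"),
    37: ("KRB5KRB_AP_ERR_SKEW", "clocks differ by more than the allowed skew (5 min default)"),
}

# syslog timestamp, host name, then the trailing "rc: <number>)" of the adjoin message
RC_PATTERN = re.compile(r"^(?P<when>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s.*\brc:\s*(?P<rc>-?\d+)\)")

def decode_rc(rc):
    """Map a krb5 library return code to (protocol number, name, hint), or None."""
    number = rc - KRB5_TABLE_BASE
    if not 0 <= number < 128:  # outside the protocol-error part of the table
        return None
    name, hint = KDC_ERRORS.get(
        number, ("unlisted RFC 4120 error", "look the number up in RFC 4120"))
    return number, name, hint

def triage(log_lines):
    """Return one finding per log line that carries a decodable Kerberos rc."""
    findings = []
    for line in log_lines:
        match = RC_PATTERN.search(line)
        if not match:
            continue
        decoded = decode_rc(int(match["rc"]))
        if decoded:
            findings.append({"when": match["when"], "host": match["host"],
                             "number": decoded[0], "name": decoded[1], "hint": decoded[2]})
    return findings

# First line is the one quoted in the thread; the other two are constructed samples.
SAMPLE = [
    "Sep 6 16:28:59 IRMXACSE adjoin[14632]: DEBUG base.osutil GSSKerberos::initSecurityContext - gss_init_sec_context failed (reference ../smb/utils/gsskerberos.cpp:177 rc: -1765328377)",
    "Sep 6 16:31:02 IRMXACSE adjoin[14701]: DEBUG base.osutil GSSKerberos::initSecurityContext - gss_init_sec_context failed (reference ../smb/utils/gsskerberos.cpp:177 rc: -1765328347)",
    "Sep 6 16:31:05 IRMXACSE adjoin[14701]: DEBUG base.bind.ldap fetch completed",
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f['when']} {f['host']}: {f['name']} ({f['number']}) -> {f['hint']}")
```
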
Hi All, I found an issue during setting the precondition of a steps in Teststand 4.2.1 I have a Statement Step named "Cleanup if WRONG barcode" AnyOf( RunState.Sequence.Main["ID#:NPMo1DuN+0KuxglET/DQiD"].Result.Status == "Error", RunState.Sequence.M