Upgrade of ACS 5.4 to 5.5
Need a sanity check on our proposed upgrade of our ACS. There is a preupgrade entitled "Pointed-PreUpgrade-CSCum04132-5-4-0-46-0a.tar.gpg" which I'm not sure I need if I am running version 5.4.0.46.2.
Here is the output from our CLI. Do I need the patch or can I install 5.5?
Thanks,
Paul
Current:
Version information of installed applications
Cisco ACS VERSION INFORMATION
Version : 5.4.0.46.2
Internal Build ID : B.221
Patches :
5-4-0-46-2
acs1/engine# show application version acs
Cisco ACS VERSION INFORMATION
Version : 5.4.0.46.2
Internal Build ID : B.221
Patches :
5-4-0-46-2
1. You must install the latest patch of ACS 5.4, that is, patch 6.
2. Since there is a known issue with the ACS 5.5 upgrade, you need to apply the pointed patch. Please download the patch listed below from here - http://tools.cisco.com/squish/66c52
- Pre-Upgrade ACS 5.4 patch to address the upgrade issue for defect "CSCum04132"
- Pointed-PreUpgrade-CSCum04132-5-4-0-46-0a.tar.gpg
- Here is the command to apply the pointed patch - http://tools.cisco.com/squish/85363
3. Run database compress - http://tools.cisco.com/squish/A93F0
4. Perform an application backup to be on the safer side - http://tools.cisco.com/squish/d9b2b
5. Once you are done with the above process, please apply the ‘ACS 5.5 Application Upgrade Package’ – ‘ACS_5.5.0.46.tar.gz’; download it from here - http://tools.cisco.com/squish/66c52
6. Doc. on Upgrading an ACS server from 5.4 to 5.5 - http://tools.cisco.com/squish/f6415
7. Apply ACS 5.5 patch 2
NOTE:
1. Please ensure that opt disk space is below 30 percent (show tech | in opt)
2. TFTP is not supported. It’s recommended to use FTP.
Hope this helps.
Regards,
Jatin Katyal
*Do rate helpful posts*
Similar Messages
-
Upgrade from ACS 5.4 patch 6 to ACS 5.5 patch 4 advice
Hi,
I have a pair of ACS 5.4 patch 6 running on VMWare as primary/secondary with Active Directory integration
working without any issues.
I would like to upgrade them to ACS 5.5 patch 4. Here is my plan:
1- De-register the Secondary ACS 5.4 patch 6
2- shut down the de-registered Secondary ACS 5.4 patch 6
2- Take a backup of the Stand-alone Primary ACS 5.4 patch 6
3- shutdown the Primary ACS 5.4 patch 6,
4- build a brand new ACS 5.5 with the same name and IP address as the previous Primary ACS 5.4 patch 6
5- patch the ACS 5.5 with patch 4,
6- perform a restore of the old ACS 5.4 patch 6 backup on the Primary ACS 5.5 patch 4,
7- Re-join the ACS 5.5 patch 4 with Active Directory,
8- build a brand new ACS 5.5 to be with the same name and IP address as the previous Secondary ACS 5.4 patch 6
9- patch the new Secondary ACS 5.5 to be with patch 4,
10- join the new Secondary ACS 5.5 patch 4 with Active Directory,
11- join the new ACS 5.5 patch 4 in step 4 as the Secondary ACS,
12- validate
Anyone see any issues with this? I used the same steps when I upgraded from ACS 5.2 patch 3 to ACS 5.4 patch 6
Thanks in advance

Thank you for confirming this. I've had horrible experiences with in-place upgrades many times so I just do not trust the in-place upgrade.
I went back and looked at my notes and I think this will work, assuming prod-acs1 is the Primary and prod-acs2 is the Secondary ACS:
a- de-register the prod-acs2
b- take a backup of prod-acs1
c- rebuild the prod-acs2 with the same hostname and IP address of the old prod-acs2 for ACS 5.5 patch 4
d- do a restore on prod-acs2 with the backup in step b,
e- re-register prod-acs2 with Active Directory. Now I have two instances of prod-acs1 and prod-acs2 with different databases but it still works because network devices on the don't know that.
f- validate that prod-acs2 is working properly by shutting down prod-acs1
h- Once prod-acs2 is working properly, rebuild prod-acs1,
i- re-register prod-acs1 with Active Directory,
j- join prod-acs1 as Secondary ACS to prod-acs2,
k- validate that prod-acs1 is working properly by shutting down prod-acs2,
l- now make prod-acs1 Primary and prod-acs2 Secondary,
I just want to make sure that I can "restore" ACS backup from 5.4 patch 6 to ACS 5.5 patch 4 without any issues.
Comments?
-
Cannot upgrade serial number after download. 'This serial number is not for a qualifying product'. Trying to upgrade from ACS 5.5 Design Premium to ACS 6 Design Standard
Start the installation of Design Premium CS5.5 just to make sure you're using the correct serial number. Once your serial number is accepted you'll see a screen giving you the option to install none, some or all of the CS5.5 programs. At that point you can quit and not install anything, having verified your CS5.5 serial number, if you want nothing CS5.5 on your computer.
On the other hand, if your CS5.5 serial number is not accepted, you'll pinpoint the problem.
Or, if your CS5.5 number is accepted, you could install a CS5.5 program and then install CS6. It should recognize you have a CS5.5 program installed and NOT prompt you for your CS5.5 serial number, allowing you to continue with your CS6 installation.
-
Upgrade to ACS version 5.5 and license
We plan to upgrade Cisco ACS from 5.3 to 5.5.
Do you need to reinstall the license file? Can the same license file from 5.3 be used for 5.5?

Edward told you what you need to do.
Keep the license file with you just in case. Bad things always happen.
But usually if the upgrade is done successfully you don't have to provide the license again.
Rating useful replies is more useful than saying "Thank you"
-
Hello friends, I want to upgrade an ACS 5.0 to 5.1 and then to the 5.2 version, but in the upgrading instructions there's a command line that I don't get. It is:
acs patch install patch-name.tar.gpg repository repository-name
I don't know what this repository-name is and if it is a repository that I need to create. I can download the files for the installation (the patch and the ADE upgrade) but I don't know how to place them into the ACS appliance (if that's the case).
Thanks in advance.
Regards, Jonás Díaz

Upgrading from 5.0 -> 5.1 does not use the 'acs patch install' command; it requires reimaging to a new version and restoring a backup from the previous version (you will have to do it twice to get to 5.2):
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/installation/guide/csacs_upg.html#wp1187611
So you will need to burn a couple of DVDs and set up a repository on an FTP server so you can export your backups of your configuration. A repository can be set up via UI or CLI:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.0/user/guide/admin_operations.html#wp1053155
-Elly
-
What's the right procedure to upgrade from ACS 5.1 to 5.3
Hi folks,
What would be the right procedure to upgrade ACS 5.1 to 5.3 ?
Our client needs a smooth upgrade to the latest and greatest 5.3 version. The plan is to use a backup made on 5.1 and install it on the new system.
Should the new system be running version 5.1 or can I start with 5.2 to save time for the upgrade?
Eugene

The patch 2 installation went OK, failing on the restore part.
The database file is 206 MB of size. Isn't it too much to pull over FTP?
ACS53/admin# restore DB_Backup-120320-1607.tar.gpg repository REPO
Restore requires a reboot to successfully complete. Continue? (yes/no) [yes] ?
% Failure occurred during request
And the FTP server doesn't report any error. The connection is made and closes:
20:53:43 192.168.1.160 [8]USER boss 331 0
20:53:43 192.168.1.160 [8]PASS - 230 0
20:53:52 192.168.1.160 [8]sent /DB_Backup-120320-1607.tar.gpg 226 0
20:53:52 192.168.1.160 [8]QUIT - 226 0
Any ideas?
-
[ACS 5.2] Upgrade to ACS 5.4
Hi,
We got 2 Cisco ACS 5.2.0.26.10.
Primary server as authentication server and log collector
Secondary server as authentication server. Replication is configured.
I read the following guide: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/installation/guide/csacs_upg.html#wp1194934
"There are some exceptions to this usual setup, which you can handle as described below:
If the ACS 5.3 primary server also functions as a log collector in your 5.3 deployment, you should promote any one of the secondary servers as primary server in the deployment. See Promoting a Secondary Server to Primary "
This exception matches with my case. I have to promote my secondary server as primary.
I would have :
Secondary server as authentication server and log collector
Primary server as authentication server
Now, I think I have to deregister secondary from primary server....
According to the guide, I have to upgrade the log collector server.
"Step 1: Choose any secondary server to become a log collector:"
I don't have another secondary server...
What should I do now? (upgrade secondary/log server? upgrade primary server? ... )
This guide supposes that I have 2 secondary and 1 primary ...
I don't know which steps to follow....
Thanks for your help,
Patrick

You have a request open to TAC and so you will get their guidance.
Will still share some general clarifications that I am aware of when going from ACS 5.2 to ACS 5.4
For the first step in the upgrade process, you want to upgrade the log collector since will have both configuration and M&T data.
1) if ACS 5.2 log collector is a secondary should just deregister from the deployment to make standalone and then upgrade the server to be ACS 5.4. It will initially be the new ACS 5.4 primary server (this is temporary and gets rectified at end of overall process)
2) if log collector is the primary on the ACS 5.2 then promote a different server so that log collector is now secondary and can follow step 1)
At this point have one server on ACS 5.4 and rest on ACS 5.2. Can now begin to move the rest of the servers from ACS 5.2 to ACS 5.4 (as guide says: "Register the secondary server to the ACS 5.4 primary server" - this is temporary primary server as described in step 1)
Once all the servers are migrated then can select the "long term primary" ; as opposed to temporary one
Writing this I can see it is hard to explain. Am sure TAC will do better
-
Hi,
I am using a Cisco ACS box with the 4.2 version of the OS. So can I upgrade the OS to 5.2 directly on the same box?

> We are using SAP 4.7 Ext2 in Solaris 9 OS. My client is planning to upgrade Solaris 10 from existing Solaris 09. I suggested to perform a homogeneous system copy. But the client does not want to go for it. His proposed strategy is to upgrade Solaris 9 to Solaris 10 keeping the SAP file system intact. Is it feasible to upgrade the OS like this without performing a homogeneous system copy? If it is possible then what precautions have to be taken and what OS level configurations have to be changed after the upgradation. Kindly acknowledge me about it as I am naive to this.
This is possible; you can do either a "normal upgrade" (by inserting the Solaris 10 DVD and doing the upgrade) or you can do a LiveUpgrade that can be done during uptime of the system. The switch to the new OS is then done by rebooting the machine.
All that is well documented at http://docs.sun.com
Markus
-
No TACACS+ Administration Reports after upgrade to ACS 4.1
Hi,
I was running ACS 4.0 demo version. Everything was running fine.
After upgrading and keeping the old configuration, I can't see logs in the TACACS+ Administration Reports. I kept the configurations on the router and switch the same, so I believe that the problem resides in the ACS software.
I tested some debug, and it seems that the router is sending the command that is being typed to ACS.
Here is the config I'm using:
aaa new-model
tacacs-server host 192.168.X.X key XXXXXXXXXXX
aaa authentication login telnet group tacacs+ enable
aaa authentication login console enable
aaa authentication enable default group tacacs+ enable
aaa accounting send stop-record authentication failure
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection telnet start-stop group tacacs+
line con 0
authorization exec NO-AUTH
login authentication console
line vty 0 4
authorization exec AUTH
login authentication telnet
aaa authorization exec AUTH group tacacs+ none
aaa authorization config-commands
aaa authorization exec NO-AUTH none
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none

Hi,
This is a known issue, you need to apply patch ACS 4.1.1.23.5 to fix the issue.
Patch for appliance is available on
http://www.cisco.com/cgi-bin/tablebuild.pl/acs-soleng-3des
Patch name : ACS SE 4.1.1.23.5 accumulative patch
Patch for ACS Windows is available on
http://www.cisco.com/cgi-bin/tablebuild.pl/acs-win-3des
Patch Name : ACS 4.1.1.23.5 accumulative patch
That should fix the issue,
Regards,
Jagdeep
Note: If that answers your question, then please mark this thread as resolved, so that others can benefit from it.
-
Good morning all,
A while ago, we started using ACS with an LDAP external database, thus eliminating the need for an ACS agent. However, we have created some custom scripts that incorporate some logging from the ACS agent. So although we started sending log files to an Advent Syslog server, we need to send them to a Windows file that will put them in the old .csv format.
Here are my questions:
Can I upgrade the OS on Cisco Remote Agent from Windows 2000 to Windows XP or Windows 2003 server? And how do I configure it to strictly dump log files to it?
Thank you
Dwane

Hi Dwane,
We cannot install Remote Agent on XP so we need to use the Win2003 OS. Here is the link that explains about setting up remote logging.
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.0/user/guide/r.html#wp601043
Let me know if you have any questions.
Regards,
~JG
Do rate helpful posts
-
Upgrading an ACS Server from 5.0 to 5.1
I want to upgrade my ACS server 5.0.0.21 to 5.1. I want to use Active Directory. It seems that in my current version AD is not supported!
I try to do it by CLI
What CLI command do I use and what patch?
Thanks!

In the monitoring and report I have this
AAA Protocol > TACACS+ Authentication
Authentication Status :
Pass or Fail
Date :
December 09, 2009
Dec 9,09 11:52:20.200 AM
13029 Requested privilege level too high
admin.ad
switch
Device Type:All Device Types, Location:All Locations
Default Device Admin
AD1
Thanks!
-
TACACS "fail unknown users" after upgrade to ACS 3.3
Basic config issue is :
1) User Account is added to ACS 3.3
2) User Account is added to Group with correct Privilege Levels
3) User Password Authentication: is listed as "Windows Database"
4) TACACS+ Enable Control: is set to user group settings
5) And TACACS+ Enable is also set to "Windows Database"
In External DB all windows Domains are listed (but not down to specific group mapping)
Here is the problem, every thing works fine.
Users can log onto router in User mode (using domain password) & change to EN mode (using domain password)
As long as the "Unknown user policy" is set to check against "Windows". this works.
But if it is set to "fail Unknown users" then no one can gain access

Hi Michael,
We opened a TAC case and were given the following info:
CSCef84196
First Found-in Version 3.3(1)
Symptom:
users created on acs but mapped to external DB manually fail authentication
Condition:
-this happens when unknown user policy is set to fail authentication attempt.
Workaround:
- set unknown policy to check external database.
if dynamic users aren't desired to authenticate, you can map the external DB to a disabled group.
and put the manually mapped users in an enabled group.
There is no fix available yet!
-
Hello at all.
I'm restoring a 5.3 backup to a new ACS 5.5 patch 3.
Restore procedure works fine but when I restart the server service runtime doesn't restart.
acsuno/admin# sh app stat acs
ACS role: PRIMARY
Process 'database' running
Process 'management' running
Process 'runtime' not monitored
Process 'ntpd' running
Process 'view-database' running
Process 'view-jobmanager' running
Process 'view-alertmanager' running
Process 'view-collector' running
Process 'view-logprocessor' running
This is the end of debug log file...
Daemon,13/06/2014,18:52:37:455,ERROR,3086411504,rt_daemon init failed,RTDaemon.cpp:325
Daemon,13/06/2014,18:52:37:455,ERROR,3086411504,ConfigNotificationFlow::waitStart: unable to load configuration: fatal error,RTDaemon.cpp:326
Daemon,13/06/2014,18:52:37:455,ERROR,3086411504,rc = 4,RTDaemon.cpp:327
Any ideas?
Many thanks.
Regards.
Andrea

Hi,
Manually restarting the runtime process from the CLI and rebooting the appliance resolves this issue.
In order to restart the runtime processes manually, issue these commands from the ACS CLI
- acs stop runtime
- acs start runtime
-
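A post-restore check over the output quoted in the restore thread above, as an added example that is not part of the original posts or of Cisco's tooling: it flags any ACS process whose state is not "running" and extracts the ERROR entries from the runtime debug log. The log field layout is an assumption inferred from the three lines in the post, and the function names are hypothetical.

```python
import re

# Sample input copied from the post above (CLI output and debug log tail).
STATUS_OUTPUT = """\
ACS role: PRIMARY
Process 'database' running
Process 'management' running
Process 'runtime' not monitored
Process 'ntpd' running
Process 'view-database' running
Process 'view-jobmanager' running
Process 'view-alertmanager' running
Process 'view-collector' running
Process 'view-logprocessor' running
"""

DEBUG_LOG = """\
Daemon,13/06/2014,18:52:37:455,ERROR,3086411504,rt_daemon init failed,RTDaemon.cpp:325
Daemon,13/06/2014,18:52:37:455,ERROR,3086411504,ConfigNotificationFlow::waitStart: unable to load configuration: fatal error,RTDaemon.cpp:326
Daemon,13/06/2014,18:52:37:455,ERROR,3086411504,rc = 4,RTDaemon.cpp:327
"""

PROCESS_RE = re.compile(r"^Process '([^']+)'\s+(.+?)\s*$")


def unhealthy_processes(status_text):
    """Return {process: state} for every process not reported as 'running'."""
    bad = {}
    for line in status_text.splitlines():
        m = PROCESS_RE.match(line.strip())
        if m and m.group(2) != "running":
            bad[m.group(1)] = m.group(2)
    return bad


def error_entries(log_text):
    """Return (timestamp, message, source) for each ERROR line.

    Assumed layout, inferred from the lines in the post:
    component,date,time,level,thread,message,source-file:line
    The message may contain commas, so split from both ends.
    """
    out = []
    for line in log_text.splitlines():
        head = line.split(",", 5)  # first five fields plus the remainder
        if len(head) < 6 or head[3] != "ERROR":
            continue
        message, _, source = head[5].rpartition(",")
        out.append((f"{head[1]} {head[2]}", message, source))
    return out


if __name__ == "__main__":
    for name, state in unhealthy_processes(STATUS_OUTPUT).items():
        print(f"process {name!r} is {state!r}, expected 'running'")
    for ts, msg, src in error_entries(DEBUG_LOG):
        print(f"{ts}  {msg}  ({src})")
```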
How to upgrade the patches in ACS 5.1
I want to upgrade the ACS 5.1 in a distributed system. We have one hub/primary ACS and two other spoke/secondary ACS. I have the following queries.
Will it be possible to upgrade only one secondary server?
Will the updated secondary ACS be able to sync its configuration with the primary ACS running on the older version?
Will the updated secondary ACS retain the current configuration and authenticate the client?

Current version of ACS system is 5.1.0.44
Primary ACS is also working as log collector.
I have downloaded the patch 5.1.0.44.6.rar.rar, so I believe I should rename it to 5.1.0.44.6.tar.gpg.
So if I want to upgrade my ACS system:
I will have to do the following steps:
de-register secondary ACS from primary and take the backup of secondary ACS
update the patch using repository.
finally I will have to upgrade the primary ACS.
I would like to know what is the difference between installing / updating a patch and upgrading the ADE-OS version which is shown as the second step on the cisco.com site.
-
I want to upgrade my ACS server version from 4.1 to the latest online. How can I do that (steps)? I also tried the patch but couldn't, as my user account doesn't have a service level agreement.
If you're trying to upgrade an ACS for Windows, you would require a software contract in order for TAC to be able to post the required files.
The latest version for ACS (Windows) is 4.2.0.124 Patch 11.
TAC new case tool:
http://tools.cisco.com/ServiceRequestTool/create/launch.do