Upgrade of ACS 5.4 to 5.5

Similar Messages

• Upgrade from ACS 5.4 patch 6 to ACS 5.5 patch 4 advice

  Hi,
  I have a pair of ACS 5.4 patch 6 running on VMWare as primary/secondary with Active Directory integration
  working without any issues.
  I would like to upgrade them to ACS 5.5 patch 4.  Here is my plan:
  1- De-register the Secondary ACS 5.4 patch 6
  2- shutdow the de-register Secondary ACS 5.4 patch 6
  2- Take a backup of the Stand-alone Primary ACS 5.4 patch 6
  3- shutdown the Primary ACS 5.4 patch 6,
  4- build a brand new ACS 5.5 with the same name and IP address as the previous Primary ACS 5.4 patch 6
  5- patch the ACS 5.5 with patch 4,
  6- perform a restore of the old ACS 5.4 patch 6 backup on the Primary ACS 5.5 patch 4,
  7- Re-join the ACS 5.5 patch 4 with Active Directory,
  8- build a brand new ACS 5.5 to be with the same name and IP address as the previous Secondary ACS 5.4 patch 6
  9- patch the new Secondary ACS 5.5 to be with patch 4,
  10- join the new Secondary ACS 5.5 patch 4 with Active Directory,
  11- join the new ACS 5.5 patch 4 in step 4 as the Secondary ACS,
  12- validate
  Anyone see any issues with this?  I used the same steps when I upgrade from ACS 5.2 patch 3 to ACS 5.4 patch 6
  Thanks in advance

  Thank you for confirming this.  I've had horrible experiences with in-place upgrade many times so I just do not trust the in-place upgrade.
  I went back and look at my note and I think this will work, assume prod-acs1 is the Primary and prod-acs2 is the Secondary ACS:
  a- de-register the prod-acs2
  b- take a backup of prod-acs1
  c- rebuild the prod-acs2 with the same hostname and IP address of the old prod-acs2 for ACS 5.5 patch 4
  d- do a restore on prod-acs2 with the backup in step b,
  e- re-register prod-acs2 with Active Directory.  Now I have two instances of prod-acs1 and prod-acs2 with different databases but it still works because network devices on the don't know that.
  f- validate that prod-acs2 is working properly by shutting down prod-acs1
  h- Once prod-acs2 is working properly, rebuild prod-acs1,
  i- re-register prod-acs1 with Active Directory,
  j- join prod-acs1 as Secondary ACS to prod-acs2,
  k- validate that proc-acs1 is working properly by shutting down prod-acs2,
  l- now make prod-acs1 Primary and prod-acs2 Secondary,
  I just want to make sure that I can "restore" ACS backup from 5.4 patch 6 to ACS 5.5 patch 4 without any issues.
  comments?

• CAnnot upgrade serial number after download. 'This serial number is not for a qualifying product'. Trying to upgrade from ACS 5.5 Design Premium to ACS 6 Design Standard

  Cannot upgrade serial number after download. 'This serial number is not for a qualifying product'. Trying to upgrade from ACS 5.5 Design Premium to ACS 6 Design Standard

  start the installation of design premium cs5.5 just to make sure you're using the correct serial number.  once your serial number is accepted you'll see a screen giving you the option to install none, some or all of the cs5.5 programs.  at that point you can quit and not install anything having verified your cs5.5 serial number if you want nothing cs5.5 on your computer.
  on the other hand, if your cs5.5 serial number is not accepted, you'll pinpoint the problem.
  or, if your cs5.5 number is accepted, you could install a cs5.5 program and then install cs6.  it should recognize you have a cs5.5 program installed and NOT prompt you for you cs5.5 serial number allowing you to continue with your cs6 installation.

• Upgrade to ACS version 5.5 and license

  We plan to upgrade Cisco ACS from 5.3 to 5.5.
  Do you need to reinstall the license file ? Can the same license file from 5.3 used for 5.5 ?

  Edward told you what you need to do.
  keep the license file with you just in case. bad things always happen.
  But usually if upgrade is done successfully you don't have to provide the license again.
  Rating useful replies is more useful than saying "Thank you"

• Upgrade process ACS

  Hello friends, I want to upgrade a ACS 5.0 to a 5.1 and then to the 5.2 version but in the upgrading instructions there's a command line that I don't get, it is:
  acs patch install patch-name.tar.gpg repository repository-name
  I don´t know what is this repository-name and if it is a repository that I need to create. I can download the files for the installation (The patch and the ADE upgrade) but I don't know how to  place them into the ACS appliance ( if that's the case).
  Thanks in advance.
  Atte. Jonás Díaz

  Upgrading from 5.0 -> 5.1 does not use the 'acs patch install' command it requires reimaging to a new version and restoring a backup from the previous version (you will have to do it twice to get to 5.2):
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/installation/guide/csacs_upg.html#wp1187611
  So you will need to burn a couple DVDs and setup a repository on an FTP server so you can export your backups of your configuration. A repository can be setup via UI or CLI:
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.0/user/guide/admin_operations.html#wp1053155
  -Elly

• What's the right procedure to upgrade from ACS 5.1 to 5.3

  Hi folks,
  What would be the right procedure to upgrade ACS 5.1 to 5.3 ?
  Our client needs to a smooth upgrade to the latest and greatest 5.3 version. The plan is use a backup made on 5.1 and install it on the new system.
  Should the new system be running version 5.1 or I can start with 5.2 to save time for the upgrade?
  Eugene

  The patch 2 installation went OK, failing on the restore part.
  The database file is 206 MB of size. Isn't it too much to pull over FTP?
  ACS53/admin# restore DB_Backup-120320-1607.tar.gpg repository REPO
  Restore requires a reboot to successfully complete. Continue? (yes/no) [yes] ?
  % Failure occurred during request
  And the FTP server doesn't report any error. The connection is made and closes:
  20:53:43 192.168.1.160 [8]USER boss 331 0
  20:53:43 192.168.1.160 [8]PASS - 230 0
  20:53:52 192.168.1.160 [8]sent /DB_Backup-120320-1607.tar.gpg 226 0
  20:53:52 192.168.1.160 [8]QUIT - 226 0
  Any ideas ?

• [ACS 5.2] Upgrade to ACS 5.4

  Hi,
  We got 2 Cisco ACS 5.2.0.26.10.
  Primary server as authentication server and log collector
  Secondary server as authentication server. Replication is configured.
  I read the following guide: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/installation/guide/csacs_upg.html#wp1194934
  "There are some exceptions to this usual setup, which you can handle as described below:
  If the ACS 5.3 primary server also functions as a log collector in your 5.3 deployment, you should promote any one of the secondary servers as primary server in the deployment. See Promoting a Secondary Server to Primary "
  This exception matches with my case. I have to promote my secondary server as primary.
  I would have :
  Secondary server as authentication server and log collector
  Primary server as authentication server
  Now, I think I have to deregister secondary from primary server....
  According to the guide, I have to upgrade the log collector server.
  "Step 1: Choose any secondary server to become a log collector:"
  I dont have another secondary server...
  What should I do now? (upgrade secondary/log server? upgrade primary server? ... )
  This guide supposed that I have 2 secondary and 1 primary ...
  I dont know which steps to follow....
  Thanks for your help,
  Patrick

  You have a requets open to TAC and so you will get their guidance
  Wil still share some general clarifiactions that I am aware of when going from ACS 5.2 to ACS 5.4
  For the first step in the upgrade process, you want to upgrade the log collector since will have both configuration and M&T data.
  1) if ACS 5.2 log collector is a seconday should just deregister from the deployment to make standalone and then upgrade the server to be ACS 5.4. It will initially be the new ACS 5.4 primary server (this is temporary and gets rectified at end of overall process)
  2) if log collector is the primary on the ACS 5.2 then promote a difference server so that log collector is now secondary and can follow step 1)
  At this point have one server on ASC 5.4 and rest on ACS 5.2. Can now begin to move the rest of the servers from ACS 5.2 to ACS 5.4 (as guide says: "Register the secondary server to the ACS 5.4 primary server" - this is temporary primary server as described in step 1)
  Once all the servers are migrated then can select the "long term primary" ; as opposed to temporary one
  writing this I can see it is hard to explain. Am sure TAC will do better

• Upgradation of ACS OS

  Hi,
  Iam using a Cisco  ACS box with 4.2 version of OS. So can i upgrade the OS to 5.2 directly to the same box.

  > We are using SAP 4.7 Ext2 in Solaris 9 OS. My client is planning to upgrade Solaris 10 from existing Solaris 09. I suggested to perform a homogeneous system copy. But the client does not want to go for it. His proposed strategy is to upgrade Solaris 9 to Solaris 10 keeping the SAP file system intact. Is it feasible to upgrade the OS like this without performing a homogeneous system copy? If it is possible then what are the precautions have to be taken and what OS level configurations have to be chenged after the upgradation. Kindly acknoweledge me about it as I am naive to this.
  This is possible; you can do either a "normal upgrade" (by inserting the Solaris 10 DVD and do the upgrade) or you can do a LiveUpgrade that can be done during uptime of the system. The switch to the new OS is then done by rebooting the machine.
  All that is well documented at http://docs.sun.com
  Markus

• No TACACS+ Administration Reports after upgrade to ACS 4.1

  Hi,
  I was running ACS 4.0 demo version. Everything was running fine.
  After upgrading and keeping the old configuration, I can't see logs in the TACACS+ Administration Reports. I kept the configurations on the router and switch the same, so I believe that the problem resides in the ACS software.
  I tested some debug, and it seems that the router is sending the command that is being typed to ACS.
  Here is the config I?m using:
  aaa new-model
  tacacs-server host 192.168.X.X key XXXXXXXXXXX
  aaa authentication login telnet group tacacs+ enable
  aaa authentication login console enable
  aaa authentication enable default group tacacs+ enable
  aaa accounting send stop-record authentication failure
  aaa accounting exec default start-stop group tacacs+
  aaa accounting commands 1 default start-stop group tacacs+
  aaa accounting commands 15 default start-stop group tacacs+
  aaa accounting connection telnet start-stop group tacacs+
  line con 0
  authorization exec NO-AUTH
  login authentication console
  line vty 0 4
  authorization exec AUTH
  login authentication telnet
  aaa authorization exec AUTH group tacacs+ none
  aaa authorization config-commands
  aaa authorization exec NO-AUTH none
  aaa authorization commands 0 default group tacacs+ none
  aaa authorization commands 1 default group tacacs+ none
  aaa authorization commands 15 default group tacacs+ none

  Hi,
  This is a known issue, you need to apply patch ACS 4.1.1.23.5 to fix the issue.
  Patch for appliance is availble on
  http://www.cisco.com/cgi-bin/tablebuild.pl/acs-soleng-3des
  Patch name : ACS SE 4.1.1.23.5 accumulative patch
  Patch for acs windows is availble on
  http://www.cisco.com/cgi-bin/tablebuild.pl/acs-win-3des
  Patch Name : ACS 4.1.1.23.5 accumulative patch
  That should fix the issue,
  Regards,
  Jagdeep
  Note: If that answers your question, then please mark this thread as resolved, so that others can benefit from it.

• Upgrade the ACS agent OS

  Good morning all,
  Awhile ago, we started using ACS with an LDAP external database thus elimating the need for an ACS agent.  However, we have created some custom scripts that incorporate some logging from the ACS agent. So although we started sendign log files to a Advent Syslog server, we need to send them to a windows file that will put them in the old .csv format.
  Here is my questions:
  Can I upgrade the OS on Cisco Remote Agent from a Windows 2000 to Windows XP or Windows 2003 server?  And how do I configure it to strictly dump log files to it?
  Thank you
  Dwane

  Hi Dwane,
  We cannot install Remote agent on XP so we need to use win2003 OS. Here is the link that explains about setting up remote logging.
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.0/user/guide/r.html#wp601043
  Let me know if you have any question.
  Regards,
  ~JG
  Do rate helpful posts

• Upgrading an ACS Server from 5.0 to 5.1

  I'wont to upgade my ACS server 5.0.0.21 to 5.1 . I wont to use Active Directory .  it's seem that  in my curent version AD is not supported !
  I try to do it by CLI
  what CLi command I use and what patch ?
  Thanks !

  in the monitoring and report I have this
  AAA Protocol > TACACS+ Authentication
  Authentication Status :
  Pass or Fail
  Date :
  December 09, 2009
  Dec 9,09 11:52:20.200 AM
  13029 Requested privilege level too high
  admin.ad
  switch
  Device Type:All Device Types, Location:All Locations
  Default Device Admin
  AD1
  Thanks !

• TACACS "fail unknown users" after upgrade to ACS 3.3

  Basic config issue is :
  1) User Account is added to ACS 3.3
  2) User Account is added to Group with correct Privilege Levels
  3) User Password Authentication: is listed as "Windows Database"
  4) TACACS+ Enable Control: is set to user group settings
  5) And TACACS+ Enable is also set to "Windows Database"
  In External DB all windows Domains are listed (but not down to specific group mapping)
  Here is the problem, every thing works fine.
  Users can log onto router in User mode (using domain password) & change to EN mode (using domain password)
  As long as the "Unknown user policy" is set to check against "Windows". this works.
  But if it is set to "fail Unknown users" then no one can gain access

  Hi Michael,
  We opened a TAC case ans was given the following info;
  CSCef84196
  First Found-in Version 3.3(1)
  Symptom:
  users created on acs but mapped to external DB manually fail authentication
  Condition:
  -this happens when unkown user policy is set to fail authentication attempt.
  Workaround:
  - set unkown policy to check external database.
  if dynamic users aren't desired to authenticate, you can map the external DB to a disabled group.
  and put the manually mapped users in an enabled group.
  Ther is no fix available yet!

• Upgrading an ACS deployment from 5.3 to 5.5, runtime service doesn't restart.

  Hello at all.
  I'm restoring a 5.3 backup to a new ACS 5.5 patch 3.
  Restore procedure works fine but when I restart the server service runtime doesn't restart.
  acsuno/admin# sh app stat acs
  ACS role: PRIMARY
  Process 'database'                  running
  Process 'management'                running
  Process 'runtime'                   not monitored
  Process 'ntpd'                      running
  Process 'view-database'             running
  Process 'view-jobmanager'           running
  Process 'view-alertmanager'         running
  Process 'view-collector'            running
  Process 'view-logprocessor'         running
  This is the end of debug log file...
  Daemon,13/06/2014,18:52:37:455,ERROR,3086411504,rt_daemon init failed,RTDaemon.cpp:325
  Daemon,13/06/2014,18:52:37:455,ERROR,3086411504,ConfigNotificationFlow::waitStart: unable to load configuration: fatal error,RTDaemon.cpp:326
  Daemon,13/06/2014,18:52:37:455,ERROR,3086411504,rc = 4,RTDaemon.cpp:327
  Any ideas?
  Many thanks.
  Regards.
  Andrea

  Hi,
  Manually restart the runtime process from the CLI and rebooting the appliance resolves this issue.
  In order to restart the runtime processes manually, issue these commands from the ACS CLI
  - acs stop runtime
  - acs start runtime

• How to upgrade the patches in ACS 5.1

  I want to upgrade the acs 5.1 in distributed system. We have one hub/ primary ACS and two other spoke / secodary acs. I have following querry.
  Will it be possible to upgrad only one Secondary server.>
  Will updated secondary ACS will able to sych it configuration with primary acs running on older version?
  Will updated secondary acs will retain the current configuration and authenticate the client.?

  Current version of ACS system is 5.1.0.44
  Primary ACS is also working as log collector.
  I have downloaded the patch 5.1.0.44.6.rar.rar, so i belive i should rename it to 5.1.0.44.6.tar.gpg.
  so if i want to upgrade my ACS system:
  I will have to do following steps:
  de-register secondary ACS from primary and take the backup of secondary ACS
  update the patch using repository.
  finally i will have to upgrade the primary ACS.
  I would like to know what is the difference between installing / updating  patch and  Upgrade the ADE-OS version which is shown as second step in cisco.com site.

• ACS 4.1 Upgrade

  i want to upgrade my acs server version from 4.1 to latestonline, how can i do that(steps) i also tried the patch but couldnt as my user account dont have service level aggreement

  If you're trying to upgrade an ACS for Windows, you would be required a software contract in order for TAC to be able to post the required files.
  The latest version for ACS (Windows) is 4.2.0.124 Patch 11.
  TAC new case tool:
  http://tools.cisco.com/ServiceRequestTool/create/launch.do