topic Cisco ACS 5.3 patch 8 OPT Volume in Network Access Control

Cisco ACS 5.3 patch 8 OPT Volume

Rogelio Mercado — Mon, 11 Mar 2019 03:24:59 GMT

Hello,

We currently have 12 ACS appliance with one of them being a dedicated Log Collector. We have 802.1x authentication configured for both network port and wireless access. We are authenticating desktop, laptops, smart phones, etc on our network.

The problem we are having is the OPT volume exceeding 30% volume size recommended by Cisco TAC every few months. We have recently added more network resources to our network (merger). We are now hitting the 30% size in about 1 month.

In the past we have called Cisco TAC when we had issues with Log Collector performance. At that time is was also authenticating 802.1x clients. We added a new appliance and made it a dedicated Log Collector. They would check the OPT volume and find that it was at about 70% use size. They would run the Root Console patch and delete the DB and then recreate it. We have done that about 2 times before we started to monitor the OPT volume size.

This last time we ran into the 30% volume size quicker then we have previously had. I had Cisco TAC delete the OPT volume and recreate it.

Cisco TAC has recommended we reduce the amount of logs that are being sent to the Log Collector. We are currently exploring that option.

The questions I have is:

At what percentage size for the OPT volume should we be concerned before it starts impacting the performance of the Log Collector?

Is there something else we can be do to reduce the amount of logs that are being sent to the Log Collector?

We have Data Purging set to 30 days. We are performing Full and Incremental backups of database. We are also sending the local logs a Syslog server.

We are testing making changes to send only the AAA Audit and System Statistics logs to Log Collector.

Thanks,

Re: Cisco ACS 5.3 patch 8 OPT Volume

Jatin Katyal — Fri, 10 May 2013 01:40:01 GMT

In distributed setup, its recommended to configure a dedicated secondary server as a log collector. However you've a large deployment so I'm sure authentication rate would be high too causing view-database size keep on increasing.

In order to prevent running out of disk space we need to manage it. That means identifying the files that are created and written to by processes on the system, allocating a space budget to them such that if the files stay within their budget all services can be supported without interruption, and then defining and implementing facilities to keep those files within their budget.

There are two mechanisms to reduce this size and prevent it from exceeding the maximum limit.

1. Purge: In this mechanism the data will be purged based on the configured data retention period or upon reaching the upper limit of the database. In Patch 6 new option provided to do on demand purge as well.

2. Compress: This mechanism frees up unused space in the database without deleting any records. Before the compress option could only be run manually. In ACS 5.3 Patch 6 there are enhancements so it will run daily at a predefined time, automatically when specific criteria are met.

At what percentage size for the OPT volume should we be concerned before it starts impacting the performance of the Log Collector?

TAC recommendations are right. You will able to utilize all feature of ACS if /opt is below 30%.

Is there something else we can be do to reduce the amount of logs that are being sent to the Log Collector?

It seems you're using most of the features/mechanisms to have /opt low. However, you may be intrested to read more on data purging and data compression enhancements http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/release/notes/acs_54_rn.html

- Please use System Administration > Configuration > Log Configuration > Logging Categories > Global To configure sending only the required logs to the ACS View log-collector.

- Provide the fresh screenshot of the page Monitoring Configuration > System Operations > Data Management > Removal and Backup.

- With the below listed command you can check the actual and physical size of the MnT database

acs-config

Username: acsadmin

Password: ***********

acsview show-dbsize

There are few known defects on the same issue. However, the version you're running improves database management processes.

CSCto47203: ACS 5 runs out of disk space

CSCua51804: View backup fails even when there is space in disk

Jatin Katyal

- Do rate helpful posts -

Cisco ACS 5.3 patch 8 OPT Volume

Rogelio Mercado — Fri, 10 May 2013 17:39:21 GMT

thanks for the reply.

So then it looks the best course of action would be to upgrade to ACS 5.4 to take advantage of the data purging and data compression enhancements.

We are going to be adding 3 more ACS appliances in next few months. So our OPT volume issue will just be getting worse.

Is there any know issues with upgrading using the "Upgrading an ACS Server Using the Application Upgrade Bundle" path?

Roy

Cisco ACS 5.3 patch 8 OPT Volume

Jatin Katyal — Fri, 10 May 2013 17:56:13 GMT

No doubt. There are no known issues with the upgrade however there are couple of points that need to be keep in mind while upgrading to ACS 5.4

Upgrading an ACS Server using the Application Upgrade Bundle

Reimaging and Upgrading an ACS Serve

You can only perform an application upgrade bundle, on either a Cisco appliance or a virtual machine, if the disk size is greater than or equal to 500 GB. If you have a smaller disk size, you need to reimage to ACS 5.4 followed by a restore of the backup taken in ACS 5.3 version to trigger the upgrade.

When you upgrade from ACS 5.3 to 5.4, it is mandatory to install ACS 5.3 latest patch prior to the upgrade or the upgrade may fail. If you use the version prior to ACS 5.3.0.40.6, then you might hit an error and the upgrade will not proceed. Note that ACS 5.4 does not include all fixes that are included in 5.3.0.40.8. Therefore, if any of these fixes in 5.3.0.40.8 are required in your deployment, then you should install patch 5.4.0.46.1 after you upgrade to ACS 5.4. Patch 2 is also available now to add windows 2012 support.

Installation guide

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/installation/guide/csacs_upg.html

Release notes:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/release/notes/acs_54_rn.html

Hope this answers.

Jatin Katyal

- Do rate helpful posts -

Cisco ACS 5.3 patch 8 OPT Volume

Jatin Katyal — Fri, 10 May 2013 18:05:47 GMT

You may also go through this post the acs 5.4 experience being discussed few days ago.

https://supportforums.cisco.com/message/3781934#3781934

Jatin Katyal

- Do rate helpful posts -

Cisco ACS 5.3 patch 8 OPT Volume

Rogelio Mercado — Fri, 10 May 2013 18:12:42 GMT

Thanks for the information.

We are currently at version 5.3.0.40.8 and have 500 gb thick drive for our VM apliances.

We wilI move forward with upgrading to ACS 5.4 patch 2 to help remedy the OPT volume issue.

Thanks again,

Rogelio Mercado

Cisco ACS 5.3 patch 8 OPT Volume

Jatin Katyal — Fri, 10 May 2013 18:17:00 GMT

Sounds good!!! Have a nice day ahead

Jatin Katyal

- Do rate helpful posts -