https://community.cisco.com/t5/network-access-control/replication-problems-v3-3-4/m-p/665916#M421310 <HTML><HEAD></HEAD><BODY><P>Cool, I have attached a screen shot of both servers registry entries. They are different.</P><P></P><P> </P><P></P></BODY></HTML> Thu, 15 Mar 2007 15:06:39 GMT mapones 2007-03-15T15:06:39Z https://community.cisco.com/t5/network-access-control/replication-problems-v3-3-4/m-p/665912#M421305 <P>I just upgraded to 3.3.4 and I am seeing a problem with the replication. I have two ACS servers and they are authenticating to a CrytoCard Server. So I configured the external DB on both servers to point to it. I have users created and they are pointed to that external DB. Everything works perfect, even the failover if I shut the services on the primary server. </P><P></P><P>However when I replicate the failover does not work any more. What I see is if I look at a user on the backup server the Password Authentication section for all the users is "Unknown Radius Server". I can select the CryptoCard server and it all works fine again.</P><P></P><P>Any ideas how I can fix/troubleshoot this?</P><P></P><P>Any help would be appreciated. TAC is working on it also, but I wanted to see if anyone else has experianced this problem.</P><P></P><P>BTW this is running on a windows server...</P> Sun, 10 Mar 2019 22:02:33 GMT https://community.cisco.com/t5/network-access-control/replication-problems-v3-3-4/m-p/665912#M421305 mapones 2019-03-10T22:02:33Z https://community.cisco.com/t5/network-access-control/replication-problems-v3-3-4/m-p/665913#M421307 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I have seen this problem couple of times. This is caused because ACS refers to the database by numbers internally.</P><P></P><P>So when the primary server replicates to the secondary it sets the user to authenticate to say "Database 2". On the secondary the Crytocard maybe at "Database 1". So everytime there is a replication, the user on the secondary server starts pointing to "Database 2" instead of "Database 1".</P><P></P><P>One workaround to this is to create another database pointing to the same cryptocard and see if the the new one lands in the right number.</P><P></P><P>HTH </P><P></P><P>Regards,</P><P>Vivek</P></BODY></HTML> Thu, 15 Mar 2007 14:45:14 GMT https://community.cisco.com/t5/network-access-control/replication-problems-v3-3-4/m-p/665913#M421307 Vivek Santuka 2007-03-15T14:45:14Z https://community.cisco.com/t5/network-access-control/replication-problems-v3-3-4/m-p/665914#M421308 <HTML><HEAD></HEAD><BODY><P>Very interesting and it makes sence. Is there a way to see what number each server thinks the DB is?</P></BODY></HTML> Thu, 15 Mar 2007 14:49:11 GMT https://community.cisco.com/t5/network-access-control/replication-problems-v3-3-4/m-p/665914#M421308 mapones 2007-03-15T14:49:11Z https://community.cisco.com/t5/network-access-control/replication-problems-v3-3-4/m-p/665915#M421309 <HTML><HEAD></HEAD><BODY><P>Since we are on 3.x the following registry entry should give us an indication :-</P><P></P><P>HKLM\SOFTWARE\Cisco\CiscoAAAv3.3\Authenticators\Libraries\30</P><P></P><P>30 is for the Radius Token Servers. Under 30 you will find entries such as "00","01" etc.. This is the database "number" I was referring to.</P><P></P><P>If we are using ACS Solution Engine then we need to create a package.cab file from System Configuration-&gt;Support. The package.cab file will have ACS.reg</P><P></P><P>Regards,</P><P>Vivek</P><P></P></BODY></HTML> Thu, 15 Mar 2007 14:58:43 GMT https://community.cisco.com/t5/network-access-control/replication-problems-v3-3-4/m-p/665915#M421309 Vivek Santuka 2007-03-15T14:58:43Z https://community.cisco.com/t5/network-access-control/replication-problems-v3-3-4/m-p/665916#M421310 <HTML><HEAD></HEAD><BODY><P>Cool, I have attached a screen shot of both servers registry entries. They are different.</P><P></P><P> </P><P></P></BODY></HTML> Thu, 15 Mar 2007 15:06:39 GMT https://community.cisco.com/t5/network-access-control/replication-problems-v3-3-4/m-p/665916#M421310 mapones 2007-03-15T15:06:39Z https://community.cisco.com/t5/network-access-control/replication-problems-v3-3-4/m-p/665917#M421311 <HTML><HEAD></HEAD><BODY><P>Yup, numbering problem.</P><P></P><P>On the secondary we need to create a new Radius Token Server Entry while keeping the old one intact.</P><P></P><P>Configure the new entry exactly like the old one except the name.</P><P></P><P>That will resolve the problem <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>Regards,</P><P>Vivek</P></BODY></HTML> Thu, 15 Mar 2007 15:11:40 GMT https://community.cisco.com/t5/network-access-control/replication-problems-v3-3-4/m-p/665917#M421311 Vivek Santuka 2007-03-15T15:11:40Z https://community.cisco.com/t5/network-access-control/replication-problems-v3-3-4/m-p/665918#M421312 <HTML><HEAD></HEAD><BODY><P>Once I create that can I remove the old one so there will be no confusion down the road?</P></BODY></HTML> Thu, 15 Mar 2007 15:15:17 GMT https://community.cisco.com/t5/network-access-control/replication-problems-v3-3-4/m-p/665918#M421312 mapones 2007-03-15T15:15:17Z https://community.cisco.com/t5/network-access-control/replication-problems-v3-3-4/m-p/665919#M421313 <HTML><HEAD></HEAD><BODY><P>I think we can delete the old database entry because ACS will not reindex the numbers but am not very sure about this one.</P><P></P><P>Regards,</P><P>Vivek</P></BODY></HTML> Thu, 15 Mar 2007 15:16:30 GMT https://community.cisco.com/t5/network-access-control/replication-problems-v3-3-4/m-p/665919#M421313 Vivek Santuka 2007-03-15T15:16:30Z https://community.cisco.com/t5/network-access-control/replication-problems-v3-3-4/m-p/665920#M421314 <HTML><HEAD></HEAD><BODY><P>YOU ROCK, that is it. Plus I was able to delete the old entry so and the index number stayed. Everything is working correctly with the replication now.</P><P></P><P>THANKS A TON.</P></BODY></HTML> Thu, 15 Mar 2007 15:29:55 GMT https://community.cisco.com/t5/network-access-control/replication-problems-v3-3-4/m-p/665920#M421314 mapones 2007-03-15T15:29:55Z