01-11-2012 08:32 AM - edited 03-10-2019 06:42 PM
have an issue with my ACS 3.3 TACACS server. All of a sudden when I add Administrators for the web interface, it does not save their privileges, such as Add/Edit users, TACACS Accounting Logs, etc. None of the check boxes stay checked. I have tried stopping and restarting the ACS services with no change. Has anyone seen this behavior?? Any help is appreciated.
01-11-2012 09:52 AM
Hello Adam,
ACS 3.3 is an old version and the best approach would be to upgrade to a supported version of ACS. For example 4.2.0.124 or 4.2.1.15.
Also, a possible reason when experiencing those type of issues is the JAVA Version or Browser Version. If you are using a newer version of JAVA you might start facing those type of issues.
Please try with older JAVA versions and older Web Browser Versions and verify if the issue persists.
Hope this helps.
Regards.
01-11-2012 10:12 AM
Hello Carlos,
Thanks for the response. Unfortunately I am in the middle of upgrading to ACS 5.3 and have to maintain this production server until it is completed. I have several other identical 3.3 servers that do not have this issue with the checkboxes under Administration Control, when setting up admins. I have tried with Firefox and IE6 and the same issues persists. Again I can add an admin account but it will not save any checkboxes that are enabled.
01-11-2012 10:35 AM
Adam,
Usually those type of issues are related to JAVA as the configuration for the Privilege of the ACS Admin Accounts runs over JAVA Applets. Also, the Submit and Cancel buttons use JAVA. Are you facing issues with the buttons as well?
Regards.
01-11-2012 10:39 AM
Hi Carlos,
No. I have no issues with the buttons. I am able to function normally in all other areas using buttons, checkboxes, etc. It is just the Administrative Control section where the checkboxes do not save a\for any new accounts.
01-11-2012 10:44 AM
Adam,
ACS 3.x and 4.x GUI issues are hard to troubleshoot. Is this an ACS for Windows? If yes, can you please go to System Configuration > Service Control > Logging Detail > Set it to Full.
At this point we need to recreate the issue a couple of times.
After recreating the issue please access the Windows Server using RDP and check the following path (or the applicable for your ACS installation): C:\Program Files\CiscoSecure ACS v4.2\CSAdmin\Logs. You might want to look for the ADMN.log which includes the GUI logging information.
Feel free to share the file with me after setting the ACS to Full Detail on logging and recreating the issue. Share an approx time to check on the logs as well.
Regards.
01-11-2012 11:04 AM
01-11-2012 11:32 AM
Another development. I just tried adding several new accounts as admins. The first one behaved as the previous, would not save any checkboxes. The second account I got the following error message:
I cnanot add any more admins to the server. This is very strange and has never happened before.
01-11-2012 11:39 AM
Seems it will not let me add more than 16 admin accounts, regardless if #16 is not complete.
01-11-2012 11:59 AM
Adam,
I have not been able to find any restriction on the max amount of Admin Accounts for ACS 3.3. I did not find any errors on the ADMN logs either.
As the ACS 3.3 is quite old, I have seen issues with the ACS Internal Database getting locked or "corrupted" on some cases. We might want to try compressing the ACS 3.3. database. I am including the process below:
Like many relational databases, the ACS internal database marks deleted records as deleted; but does not remove the records from the database. You can clean up the ACS internal database and remove all records marked for deletion by using the following CSUtil.exe options:
•-d—Export all ACS internal data to a text file, named dump.txt.
•-n—Create an ACS internal database and index.
•-l—Load all ACS internal data from the dump.txt file.
Additionally, if you want to automate this process, consider using the -q
option to suppress the confirmation prompts that otherwise appear before CSUtil.exe
performs the -n
and -l
options. This process does not necessarily reduce the size of the database.
Note Cleaning up the ACS internal database requires that you stop the CSAuth service. While CSAuth is stopped, no users are authenticated.
To clean up the ACS internal database:
Step 1 On the computer that is running ACS, open an MS-DOS command prompt and change directories to the directory containing CSUtil.exe. For more information about the location of CSUtil.exe, see Location of CSUtil.exe and Related Files.
Step 2 If the CSAuth service is running, type:
net stop csauth
Press Enter.
The CSAuth service stops.
Step 3 Type:
CSUtil.exe -d -n -l
Press Enter.
Tip If you include the -q option in the command, CSUtil does not prompt you for confirmation of initializing or loading the database.
If you do not use the -q option, CSUtil.exe displays a confirmation prompt for initializing the database and then for loading the database. For more information about the effects of the -n option, see Initializing the ACS Internal Database. For more information about the effects of the -l option, see Loading the ACS Internal Database from a Dump File.
Step 4 For each confirmation prompt that appears, type Y and press Enter.
CSUtil.exe dumps all ACS internal data to dump.txt, initializes the ACS internal database, and reloads all ACS internal data from dump.txt. This process may take a few minutes.
Step 5 To resume user authentication, type:
net start csauth
Press Enter.
Please perform the above described process and try to create the account again.
Hope this helps.
Regards.
01-11-2012 12:31 PM
Ok thanks for the help. Will schedule after hours time to stop the server csauth service to run this utility. Will let you know.
01-12-2012 05:41 AM
Hi Carlos,
That did the trick. I ran the CSUtil and it seems to have cleaned up whatever was wrong with the database. Thanks so much for your help.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide