
[ACS 5.2] Upgrade to ACS 5.4

Patrick Tran
Level 1

Hi,

We got 2 Cisco ACS 5.2.0.26.10.

Primary server as authentication server and log collector

Secondary server as authentication server. Replication is configured.

I read the following guide: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/installation/guide/csacs_upg.html#wp1194934

"There are some exceptions to this usual setup, which you can handle as described below:

If the ACS 5.3 primary server also functions as a log collector in your 5.3 deployment, you should promote any one of the secondary servers as primary server in the deployment. See Promoting a Secondary Server to Primary"

This exception matches with my case. I have to promote my secondary server as primary.

I would have:

Secondary server as authentication server and log collector

Primary server as authentication server

Now, I think I have to deregister secondary from primary server....

According to the guide, I have to upgrade the log collector server.

"Step 1: Choose any secondary server to become a log collector:"

I don't have another secondary server...

What should I do now? (upgrade secondary/log server? upgrade primary server? ... )

This guide supposes that I have 2 secondaries and 1 primary...

I don't know which steps to follow...

Thanks for your help,

Patrick

Accepted Solutions

You have a request open to TAC and so you will get their guidance.

Will still share some general clarifications that I am aware of when going from ACS 5.2 to ACS 5.4.

For the first step in the upgrade process, you want to upgrade the log collector since it will have both configuration and M&T data.

1) If the ACS 5.2 log collector is a secondary, you should just deregister it from the deployment to make it standalone and then upgrade the server to be ACS 5.4. It will initially be the new ACS 5.4 primary server (this is temporary and gets rectified at the end of the overall process).

2) If the log collector is the primary on ACS 5.2, then promote a different server so that the log collector is now a secondary and can follow step 1).

At this point you have one server on ACS 5.4 and the rest on ACS 5.2. You can now begin to move the rest of the servers from ACS 5.2 to ACS 5.4 (as the guide says: "Register the secondary server to the ACS 5.4 primary server" - this is the temporary primary server as described in step 1).

Once all the servers are migrated, you can then select the "long term primary", as opposed to the temporary one.

Writing this I can see it is hard to explain. Am sure TAC will do better.

6 Replies

Amjad Abdullah
VIP Alumni

Hi Patrick,

 

In summary, you need to put the log collector in the secondary, not the primary, before you proceed.

The guide tells you if you have the log collector in the primary, then promote the secondary (which will automatically demote the primary). In this case the secondary will be the primary and vice versa. After that you will have a primary as a non-log collector and the secondary as a log collector.

Regards,

 

Amjad

 

Rating useful replies is more useful than saying "Thank you"

Hi Amjad,

Thanks for your answer. What are the next steps?

In this guide, I have to:

Upgrade log collector:

  1. change the log collector --> In my case, log collector is now a secondary server... I can't change it...
  2. deregister and remove the old log collector
  3. upgrade the old log collector
  4. Define this 5.4 upgraded server as the remote log target for others servers

Upgrade secondary server:

  1. If secondary server is log collector, change log collector to another secondary server... --> In my case, I don't have another secondary server...
  2. deregister
  3. upgrade
  4. register to 5.4 primary

Upgrade primary server

I think I have to deregister my secondary server, upgrade primary and secondary then register secondary to primary...

Is that true?

Thanks,

Patrick

Patrick,

I understand that it is confusing.

To describe what they exactly mean:

- Upgrade all secondary servers (regardless of how many you have) before upgrading the primary.

- When you upgrade the secondary make sure it is not the log collector (if only one secondary move the log collector to the primary).

- Deregister the secondary from the primary before the upgrade and delete its entry from the primary and delete the primary entry from the secondary after the deregistration. Now the primary and the secondary are both standalone.

- When the secondary is upgraded, register the primary to the secondary. Now the secondary becomes the primary. Move the log collector to the old secondary (which is now the primary). Now the old primary is registered as secondary to the old secondary and the old secondary is currently a primary with the log collector.

- Now upgrade the primary (which is at this stage secondary) as usual.

 

HTH

 

Amjad

 


Amjad,

You said:

  • "When you upgrade the secondary make sure it is not the log collector (if only one secondary move the log collector to the primary)"

Cisco guide says: "If the ACS 5.3 primary server also functions as a log collector in your 5.3 deployment, you should promote any one of the secondary servers as primary server in the deployment" and this is the contrary

  • "When the secondary is upgraded, register the primary to the secondary."

Cisco guide says: "Register the secondary server to the ACS 5.4 primary server." But the primary is not upgraded yet...

  • "Now upgrade the primary"

Cisco guide says: "To upgrade the primary server from a 5.3 to 5.4 deployment, Make sure the primary server is a standalone server". In your process, you registered primary to secondary at previous step...

This guide is very confusing.

I opened a service request on TAC support.

I will update this thread as soon as I have news...

Thanks a lot,

Patrick

Hi,

TAC answered my questions:

In this scenario, we first have to make both the servers standalone. Once they are standalone, both the appliances will work as a log collector. Now, start upgrading the secondary using the steps that I provided earlier.

Once secondary is upgraded, it can handle all authentications. Then proceed with the upgrade of primary to 5.4.

When both the servers are upgraded to 5.4, please join them again in deployment. This way production will not break.

Thanks for your help

Patrick