01-29-2013 06:27 AM - edited 03-10-2019 08:01 PM
Hi,
We got 2 Cisco ACS 5.2.0.26.10.
Primary server as authentication server and log collector
Secondary server as authentication server. Replication is configured.
I read the following guide: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/installation/guide/csacs_upg.html#wp1194934
"There are some exceptions to this usual setup, which you can handle as described below:
If the ACS 5.3 primary server also functions as a log collector in your 5.3 deployment, you should promote any one of the secondary servers as primary server in the deployment. See Promoting a Secondary Server to Primary "
This exception matches with my case. I have to promote my secondary server as primary.
I would have:
Secondary server as authentication server and log collector
Primary server as authentication server
Now, I think I have to deregister secondary from primary server....
According to the guide, I have to upgrade the log collector server.
"Step 1: Choose any secondary server to become a log collector:"
I don't have another secondary server...
What should I do now? (upgrade secondary/log server? upgrade primary server? ... )
This guide supposes that I have 2 secondary and 1 primary ...
I don't know which steps to follow....
Thanks for your help,
Patrick
01-30-2013 06:00 AM
You have a request open to TAC and so you will get their guidance
Will still share some general clarifications that I am aware of when going from ACS 5.2 to ACS 5.4
For the first step in the upgrade process, you want to upgrade the log collector since it will have both configuration and M&T data.
1) If the ACS 5.2 log collector is a secondary, you should just deregister it from the deployment to make it standalone and then upgrade the server to ACS 5.4. It will initially be the new ACS 5.4 primary server (this is temporary and gets rectified at the end of the overall process)
2) If the log collector is the primary on ACS 5.2, then promote a different server so that the log collector is now a secondary and can follow step 1)
At this point you have one server on ACS 5.4 and the rest on ACS 5.2. You can now begin to move the rest of the servers from ACS 5.2 to ACS 5.4 (as the guide says: "Register the secondary server to the ACS 5.4 primary server" - this is the temporary primary server as described in step 1)
Once all the servers are migrated, you can then select the "long term primary", as opposed to the temporary one
Writing this I can see it is hard to explain. Am sure TAC will do better
01-30-2013 12:00 AM - edited 02-03-2018 10:31 PM
Hi Patrick,
In summary, you need to put the log collector in the secondary, not the primary, before you proceed.
The guide tells you that if you have the log collector on the primary, then promote the secondary (which will automatically demote the primary). In this case the secondary will be the primary and vice versa. After that you will have a primary as a non-log collector and the secondary as a log collector.
Regards,
Amjad
01-30-2013 12:18 AM
Hi Amjad,
Thanks for your answer. What are the next steps?
In this guide, I have to:
Upgrade log collector:
Upgrade secondary server:
Upgrade primary server
I think I have to deregister my secondary server, upgrade primary and secondary then register secondary to primary...
Is that true?
Thanks,
Patrick
01-30-2013 04:55 AM - edited 02-03-2018 10:23 PM
Patrick,
I understand that it is confusing.
To describe what they exactly mean:
- Upgrade all secondary servers (regardless of how many you have) before upgrading the primary.
- When you upgrade the secondary, make sure it is not the log collector (if there is only one secondary, move the log collector to the primary).
- Deregister the secondary from the primary before the upgrade, and after the deregistration delete its entry from the primary and delete the primary entry from the secondary. Now the primary and the secondary are both standalone.
- When the secondary is upgraded, register the primary to the secondary. Now the secondary becomes the primary. Move the log collector to the old secondary (which is now the primary). Now the old primary is registered as secondary to the old secondary, and the old secondary is currently a primary with the log collector.
- Now upgrade the primary (which is at this stage secondary) as usual.
HTH
Amjad
01-30-2013 05:27 AM
Amjad,
You said:
Cisco guide says: "If the ACS 5.3 primary server also functions as a log collector in your 5.3 deployment, you should promote any one of the secondary servers as primary server in the deployment" and this is the contrary
Cisco guide says: "Register the secondary server to the ACS 5.4 primary server." But the primary is not upgraded yet...
Cisco guide says: "To upgrade the primary server from a 5.3 to 5.4 deployment, Make sure the primary server is a standalone server". In your process, you registered primary to secondary at previous step...
This guide is very confusing.
I opened a service request on TAC support.
I will update this thread as soon as I have news...
Thanks a lot,
Patrick
02-04-2013 05:49 AM
Hi,
TAC answered my questions:
In this scenario, we first have to make both the servers standalone. Once they are standalone, both the appliances will work as a log collector. Now, start upgrading the secondary using the steps that I provided earlier.
Once secondary is upgraded, it can handle all authentications. Then proceed with the upgrade of primary to 5.4.
When both the servers are upgraded to 5.4, please join them again in deployment. This way production will not break.
Thanks for your help
Patrick