cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
873
Views
5
Helpful
2
Replies

ACS database not functioning after changing secondary acs ip.

jazzzz
Level 1
Level 1

Hi.. im having 2 ACS 3.1 server. ACS01 (Primary) & ACS02 (Secondary). Recently we have moved ACS02 to another site and changed its ip address.

When we do database replication from ACS01, we received error message saying that ACS02 has denied replication request.

Any idea whats may be the problem ?

1 Accepted Solution

Accepted Solutions

owillins
Level 6
Level 6

Consider these points when you implement the Cisco Secure database replication feature:

1) ACS only supports database replication to other ACS servers. All ACS servers that participate in Cisco Secure database replication must run the same version and patch level of ACS.

2)The primary server transmits the compressed, encrypted copy of its database components to the secondary server. This transmission occurs over a TCP connection, with port 2000. The TCP session is authenticated and uses an encrypted, Cisco-proprietary protocol.

3)Only suitably configured, valid ACS hosts can be secondary servers. To add a secondary server, configure it in the AAA Servers table in the Network Configuration section of this document. When a server is added to the AAA Servers table, the server appears for selection as a secondary server in the AAA Servers list under Replication Partners, on the Cisco Secure database replication page.

4)The primary server must be configured as an AAA server and must have a key. The secondary server must have the primary server configured as an AAA server and its key for the primary server must match the primary servers own key.

5)Replication to secondary servers takes place sequentially in the order listed in the Replication list under Replication Partners, on the Cisco Secure database replication page. 6)The secondary server, which receives the replicated components, must be configured to accept database replication from the primary server. To configure a secondary server for database replication, refer to the Configuring a Secondary Cisco Secure ACS Server section of this document.

7)ACS does not support bi-directional database replication. The secondary server, which receives the replicated components, verifies that the primary server is not on its Replication list. If not, the secondary server accepts the replicated components. If so, it rejects the components.

8)To replicate user-defined RADIUS vendor and vendor-specific attribute (VSA) configurations successfully, the definitions to be replicated must be identical on the primary and secondary servers. This includes the RADIUS vendor slots the user-defined RADIUS vendors occupy. For more information about user-defined RADIUS vendors and VSAs, refer to the User-Defined RADIUS Vendors and VSA Sets section of the document Cisco Secure ACS Command-Line Database Utility.

View solution in original post

2 Replies 2

owillins
Level 6
Level 6

Consider these points when you implement the Cisco Secure database replication feature:

1) ACS only supports database replication to other ACS servers. All ACS servers that participate in Cisco Secure database replication must run the same version and patch level of ACS.

2)The primary server transmits the compressed, encrypted copy of its database components to the secondary server. This transmission occurs over a TCP connection, with port 2000. The TCP session is authenticated and uses an encrypted, Cisco-proprietary protocol.

3)Only suitably configured, valid ACS hosts can be secondary servers. To add a secondary server, configure it in the AAA Servers table in the Network Configuration section of this document. When a server is added to the AAA Servers table, the server appears for selection as a secondary server in the AAA Servers list under Replication Partners, on the Cisco Secure database replication page.

4)The primary server must be configured as an AAA server and must have a key. The secondary server must have the primary server configured as an AAA server and its key for the primary server must match the primary servers own key.

5)Replication to secondary servers takes place sequentially in the order listed in the Replication list under Replication Partners, on the Cisco Secure database replication page. 6)The secondary server, which receives the replicated components, must be configured to accept database replication from the primary server. To configure a secondary server for database replication, refer to the Configuring a Secondary Cisco Secure ACS Server section of this document.

7)ACS does not support bi-directional database replication. The secondary server, which receives the replicated components, verifies that the primary server is not on its Replication list. If not, the secondary server accepts the replicated components. If so, it rejects the components.

8)To replicate user-defined RADIUS vendor and vendor-specific attribute (VSA) configurations successfully, the definitions to be replicated must be identical on the primary and secondary servers. This includes the RADIUS vendor slots the user-defined RADIUS vendors occupy. For more information about user-defined RADIUS vendors and VSAs, refer to the User-Defined RADIUS Vendors and VSA Sets section of the document Cisco Secure ACS Command-Line Database Utility.

Tks. Problem solved. Due to item #7.