ACS error : External DB user invalid or bad password

Kashish_Patel
Level 2

I am seeing this error under ACS failed attempts:

External DB user invalid or bad password

I have verified that the password is correct. What is the cause of this?


Chris Illsley
Level 3

The cause is that the user name or password is incorrect.

Thanks

Chris

On what version of ACS are you seeing this error message? Which protocol are you using, TACACS or RADIUS?

Thanks,

Tarik Admani
*Please rate helpful posts*

Hello Tarik,

We are using ACS 4.2

TACACS protocol

Can you try checking your shared secret? Also try checking the debugs on the ACS; when you go to service control you can set the logging to full. If you are running ACS for Windows, you can remote desktop into the ACS, search for the TCS.log and Auth.log files, and see what errors you are seeing. If you are running ACS Solution Engine, you may want to pull the support bundle.

Also, I assume you are authenticating against AD or LDAP, correct?

Tarik Admani
*Please rate helpful posts*

Hi Tarik,

Not sure if it is related, but since the time I started seeing this problem, there have been logs regarding replication failure between the primary and secondary ACS servers as well. Replication always used to work fine (we have a 2+ year old setup) and errors started to appear just two days back. There is no shared key mismatch, as opposed to what the logs say:

On primary ACS server:

Inbound database replication from ACS 'primary' denied - shared secret mismatch

ACS 'secondary' has denied replication request

On secondary ACS server:

Inbound database replication from ACS 'primary' denied - shared secret mismatch

Any ideas?

I have seen this issue before and have a strong feeling you are hitting the following bug:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCso36620

See if that fixes your issue and then test your authentications.

Thanks,

Tarik Admani
*Please rate helpful posts*

Hi Tarik,

Per the bug you mentioned:

"Toggle nic" command changes AAA server ip address to "127.0.0.1" in GUI.

Symptom:

The ACS SE appliance IP address shows up as 127.0.0.1 on the ACS GUI.

Conditions:

This occurs after issuing the "toggle nic" command, or by unplugging the ACS SE appliance from the network.

Workaround:

The original IP address on the appliance can be restored with the "set ip" command

We have not changed anything, nor executed any command... Anyway, where do I need to check the IP in the GUI?

Thanks.

Check the network devices section under the ACS or RADIUS server entries. It's been a while since I navigated that version of ACS.

Thanks,

Tarik Admani
*Please rate helpful posts*

Tarik,

I checked the IP address on the GUI of the primary and secondary servers. It shows the correct IP for both, no loopback. Any other ideas?

Thanks,

Kashish

Hi Tarik,

I set the logging level to full, changed the password of that user, and tried authenticating to a network device using that account. Then I checked the TCS.log and Auth.log files. I don't see any log related to that user ID in TCS.log. I did see some logs for that user ID in Auth.log and it shows all correct logs; there is no error for that user ID.

Any more thoughts on this?

Thanks,
