01-07-2013 07:27 AM - edited 03-10-2019 07:56 PM
I am seeing this error under ACS failed attempts:
External DB user invalid or bad password
I have verified that password is correct. What is the cause of this?
01-07-2013 07:37 AM
The cause is that the user name or password is incorrect.
Thanks
Chris
01-07-2013 10:41 AM
What version of ACS are you seeing this error message on? Which protocol are you using, TACACS or RADIUS?
Thanks,
Tarik Admani
*Please rate helpful posts*
01-07-2013 07:02 PM
Hello Tarik,
We are using ACS 4.2
tacacs protocol
01-07-2013 08:09 PM
Can you try checking your shared secret? Also try checking the debugs on the ACS; when you go to service control you can set the logging to full. If you are running ACS for Windows you can remote desktop into the ACS and do a search for the TCS.log file and the Auth.log and see what errors you are seeing. If you are running ACS Solution Engine you may want to pull the support bundle.
Also, I assume you are authenticating against AD or LDAP, correct?
Tarik Admani
*Please rate helpful posts*
01-09-2013 10:32 AM
Hi Tarik,
Not sure if it is related, but since the time I am seeing this problem, there are logs regarding replication failure between primary and secondary ACS servers as well. Replication used to work fine always (we have 2+ years old setup) and errors started to appear just two days back. No shared key mismatch as opposed to what logs say:
On primary ACS server:
Inbound database replication from ACS 'primary' denied - shared secret mismatch
ACS 'secondary' has denied replication request
On secondary ACS server:
Inbound database replication from ACS 'primary' denied - shared secret mismatch
Any ideas?
01-09-2013 11:41 AM
I have seen this issue before and have a strong feeling you are hitting the following bug:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCso36620
See if that fixes your issue and then test your authentications.
Thanks,
Tarik Admani
*Please rate helpful posts*
01-09-2013 08:54 PM
Hi Tarik,
Per the bug you mentioned:
"Toggle nic" command changes AAA server ip address to "127.0.0.1" in GUI.
Symptom: The ACS SE appliance IP address shows up as 127.0.0.1 on the ACS GUI.
Conditions: This occurs after issuing the "toggle nic" command, or by unplugging the ACS SE appliance from the network.
Workaround: The original IP address on the appliance can be restored with the "set ip" command.
We have not changed anything, nor executed any command...anyways where do I need to check IP in GUI?
Thanks.
01-09-2013 09:47 PM
Check the network devices section under the ACS or RADIUS server entries. It's been a while since I navigated that version of ACS.
Thanks,
Tarik Admani
*Please rate helpful posts*
01-10-2013 12:23 AM
Tarik,
I checked IP address on GUI of primary and secondary servers. It shows correct IP for both, no loopback. Any other ideas?
Thanks,
Kashish
01-10-2013 12:44 AM
Hi Tarik,
I set the logging level to full, changed the password of that user, and tried authenticating to a network device using that account. Then I checked the TCS.log and Auth.log files. I don't see any log related to that user ID in TCS.log. I did see some logs for that user ID in Auth.log and it shows all correct logs; there is no error for that user ID.
Any more thoughts on this?
Thanks,