Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1802
Views
0
Helpful
4
Replies

ACS internal database replication

Go to solution
m.renshaw
Level 1
Level 1

‎06-25-2012 08:01 AM - edited ‎03-10-2019 07:14 PM

I have setup ACS internal database replication and it works once then the secondary config is overwritten and doesn't contain the AAA server of the primary.

primary               - 10.100.253.25

ACS 1113 running 4.2

secondary          - 10.100.253.26

ACS 1113 running 4.2

Example of before and after

Before replication

The primary has these AAA servers listed under network components.

self - 127.0.0.1

acs2 - 10.100.253.26

The secondary has these AAA servers listed under network components.

self - 127.0.0.1

acs1 - 10.100.253.25

After replication

The primary has these AAA servers listed under network components.

self - 127.0.0.1

acs2 - 10.100.253.26

The secondary has these AAA servers listed under network components.

self - 127.0.0.1

acs2 - 10.100.253.26

therefore after the first replication subsequent attempts will fail because the secondary won't accept attempts from unknown AAA servers. Is this to be expected or can I mitigate it in someway?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
maldehne
Cisco Employee
Cisco Employee

‎06-25-2012 10:36 AM

have the primary and secondary dmp files imported for ACS for windows machine

get rid of the 127.0.0.1 enteries

and import back the modified dmp files

proceed with the replication ----> everything shoudl be fine after that

----------------------------------------------------------------------------------------------------------

Please Don't Forget to rate correct answers

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee

‎06-25-2012 08:08 AM

As you are getting entry,

Self ---- 127.0.0.1

This is causing the issues.

This issue occurs, if we do initial configuration of the ACS SE without connecting the ACS SE in the active network i.e. without connecting the  NIC of the ACS SE. We also need to ensure that we use the bottom NIC of  the ACS SE for configuration of the device.

If you have not done much of the configuration on the Primary ACS SE, I would request you to re-image the Primary ACS SE using the recovery CD.

NOTE: This is a known issue and we are aware of it.

Regards,

Jatin

Do rate helpful posts-

~Jatin
0 Helpful

Go to solution
m.renshaw
Level 1
Level 1
In response to Jatin Katyal

‎06-25-2012 08:37 AM

Thanks for the reply, this is a pair of ACS's I have inhereted and have been setup for some time, does another way of fixing this exit?

0 Helpful

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee
In response to m.renshaw

‎06-25-2012 08:54 AM

Please try setting the original ip address by using "Set ip" Command from the console connection of the ACS Solution engine. Once you successfully changed the ip address, you can apply the patch 11 or above (latest is patch 16) on the ACS SE (This will fix the problem).

In majority of cases set ip command fails but sometime works too.

In case it doesn't help then we have 2 options:

1.] Open a TAC case, send the database file to delete the entry.

2.] If you are not intrested sending your database then try the below listed steps:

In order to remove the loopback entry from the Database, we need to follow following steps,

Please download ACS 4.2 trial from following link, if you do not have ACS Full version for Windows purchased.

http://www.cisco.com/cgi-bin/tablebuild.pl/acs-win-eval- eval-ACS-4.2.0.124-SW.zip

[1] Install eval version on Windows 2000/2003 server. Please also ensure that JAVA is installed on that server.

[2] Take a backup from ACS SE from, System Configuration > ACS Backup >Backup Now.

[3] Restore the database backup on ACS eval.

[4] On eval ACS , go to Network Configuration > find the AAA Server entry with 127.0.0.1 entry. Edit it and give it some other IP for

example, 1.1.1.1. Submit + Apply.

[5] On eval, Restart CSAdmin service.

[6] On eval, go back to Network Configuration and search for the changed IP address and delete that entry, Delete + Apply.

[7] Take a backup from eval ACS, System Configuration > ACS Backup > Backup Now.

[8] Restore the database backup from eval ACS into ACS SE from option, System Configuration > ACS Restore, choose the database backup. Check Check option "User and Group Database" and "CiscoSecure ACS System Configuration", then press Restore Now.

[9] On ACS SE, go to Network Configuration, make sure that 127.0.0.1 entry is not there and for ACS SE's hostname we have the correct IP address. Go to Proxy Distribution Table > (Default). Move the server’s hostname entry that has correct IP for this ACS SE into "Forward To" column, if not already. Then press "Submit + Restart".

Reference defect,
 CSCso36620 - Toggle nic command changes AAA server ip address to "127.0.0.1" in GUI.

Regards,

Jatin

Do rate helpful posts-

~Jatin
0 Helpful

Go to solution
maldehne
Cisco Employee
Cisco Employee

‎06-25-2012 10:36 AM

have the primary and secondary dmp files imported for ACS for windows machine

get rid of the 127.0.0.1 enteries

and import back the modified dmp files

proceed with the replication ----> everything shoudl be fine after that

----------------------------------------------------------------------------------------------------------

Please Don't Forget to rate correct answers

0 Helpful
Customers Also Viewed These Support Documents