Solved: ACS to ISE Migration Tool Hangs

Damien Miller · ‎11-02-2018

Hello All,

I'm starting an ACS 5.6 migration and wondering if anyone has run in to the same issue. I am still waiting for acs log access and might have to engage TAC if I can't find anything. But maybe someone has already solved this.

The export from ACS doesn't get past 500 objects on the very first step "Predefined Reference Data > Generic Attributes". It just sits there spinning, we let it run on a pc for 8 hours. I noticed while wiresharking that it completely stops communicating, the last packet is an ACK from ACS then nothing.

The only other occurrence of this I could find was an old post @kthiruve responded to that doesn't indicate how it went after.
https://community.cisco.com/t5/security-documents/how-to-migrate-acs-5-x-to-ise-2-x/tac-p/3635998/highlight/true#M5241

ex.

Damien Miller · ‎11-06-2018

Moved the migration tool closer to ACS by using a jump box in the DC and the issue went away. There is still a long delay at 500, but the entire export only takes about 3 hours. Since I was on a VPN before, I suspect a firewall was causing this, connection tear down maybe.

View solution in original post

hslai · ‎11-02-2018

This particular step has a timeout value of 24 hours, due to some internal testing found it taking a long time in some cases, such as AD not joined but AD groups and attributes configured in authorization policy rules.

Damien Miller · ‎11-02-2018

Thanks that's good to know, I'll let it run this weekend. I found it quite odd that traffic stopped passing between ACS and my machine/tool.

Damien Miller · ‎11-06-2018

Moved the migration tool closer to ACS by using a jump box in the DC and the issue went away. There is still a long delay at 500, but the entire export only takes about 3 hours. Since I was on a VPN before, I suspect a firewall was causing this, connection tear down maybe.