CISCO ACA 4.1 synchronization issue

faheeemarshad22
Level 1

Hi All, 

I have 4 TACACS servers (1, 2, 3, 4). 1 is the primary and the other 3 are secondary. The issue is that 2 and 3 are syncing but 4 is not syncing when I make changes in 1. I can see all the AAA clients in 2 and 3, but when I search for AAA clients in 4 the search couldn't find anything. I rebooted the server and restarted it through the console as well, but it didn't work. I checked the IP address of the server and it is good. Time is also the same on all four servers.

 

Any help would be appreciated. Thanks

 

Faheem 

7 Replies

Jagdeep Gambhir
Level 10

Faheem,

 

What do you see in the replication logs of the primary and the non-working secondary?

 

 

Regards,

~JG

 

Hi Jagdeep, thanks for responding. This is what I see in the logs. Although I am getting replication denied for servers 2 and 3, I can see the clients in network configuration, but on server 4 I cannot see the clients replicated. I have to add them manually.

 

Primary Logs:

12/30/2014 14:50:16 server1 INFO Outbound replication cycle completed
12/30/2014 14:50:16 server1 ERROR ACS 'server 4' has denied replication request
12/30/2014 14:50:15 server1 ERROR ACS 'server 3' has denied replication request
12/30/2014 14:50:14 server1 ERROR ACS 'server 2' has denied replication request
12/30/2014 14:50:12 server1 INFO Outbound replication cycle starting...

 

Secondary Log:

12/30/2014 14:50:39 server 4 INFO Outbound replication not configured (no components selected for sending) - cycle completed
12/30/2014 14:50:39 server 4 INFO Outbound replication cycle starting...
12/30/2014 14:50:16 server 4 ERROR Inbound database replication from ACS 'server1' denied

Server 4 shows outbound replication not configured. Can you check it under system config ---> database replication ---> select receive components?

 

Also, it seems servers 2, 3 and 4 all denied replication.

 

Regards,

~JG

 

1) Make sure that you are not replicating over NAT. Replication over NAT does not work because the IP is used as part of the server authentication.

2) Next, check to make sure that you are not sending or receiving the distribution table. On the primary server, the distribution table should not be checked in the send list, and on the secondary, the distribution table should not be checked for receive.

3) Then I would like you to check in the secondary server's partner list, to make sure that the primary is not listed. You should not enter the primary server into the partner list on the secondary server. However, the primary server should have all secondary servers listed in its partner list.

4) Ensure that the secondary server has its replication scheduling set to "manual".

5) Please verify that your servers are all running exactly the same ACS version and build.

6) Also let me know if we have any firewall in between the two ACS servers.

7) Make sure we don't have any AAA-server IP listed as 127.0.0.1.

I did all the above changes but no luck.

Did you double check the secret key?

Yes, I just checked it.  Primary is set to send 

 

Component                              Send       Receive
User and Group Database                Checked
Group Database only
Network Configuration Device tables    Checked
Distribution Table                     Checked
Interface Configuration                Checked
Interface Security Settings            Checked
Password validation settings           Checked
EAP-FAST master keys and policies
Network Access Profiles

 

Secondary is receiving:

 

Component                              Send       Receive
User and Group Database                           Checked
Group Database only
Network Configuration Device tables               Checked
Distribution Table                                Checked
Interface Configuration                           Checked
Interface Security Settings                       Checked
Password validation settings                      Checked
EAP-FAST master keys and policies
Network Access Profiles
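
The seven-point checklist from the reply above, applied to the component selections posted in this thread, as an added example (not part of any post and not Cisco code). The dictionary fields are hypothetical, and the partner lists, schedule, version string and IP addresses are constructed sample values; items 1 and 6 (NAT, firewalls) depend on the network path and are not covered.

```python
import ipaddress

DT = "Distribution Table"

def check_replication(primary, secondaries):
    """Apply checklist items 2, 3, 4, 5 and 7; return (server, finding) pairs."""
    out = []
    if DT in primary["send"]:
        out.append((primary["name"], "item 2: Distribution Table checked for send"))
    for name in sorted({s["name"] for s in secondaries} - set(primary["partners"])):
        out.append((primary["name"], f"item 3: {name} missing from partner list"))
    for s in secondaries:
        if DT in s["receive"]:
            out.append((s["name"], "item 2: Distribution Table checked for receive"))
        if primary["name"] in s["partners"]:
            out.append((s["name"], "item 3: primary listed in partner list"))
        if s["schedule"] != "manual":
            out.append((s["name"], "item 4: replication scheduling is not manual"))
        if s["version"] != primary["version"]:
            out.append((s["name"], "item 5: version/build differs from primary"))
    for srv in [primary, *secondaries]:
        if any(ipaddress.ip_address(ip).is_loopback for ip in srv["aaa_server_ips"]):
            out.append((srv["name"], "item 7: AAA-server IP is loopback"))
    return out

# Component selections as posted in the thread (same list on both servers).
POSTED = [
    "User and Group Database", "Network Configuration Device tables", DT,
    "Interface Configuration", "Interface Security Settings",
    "Password validation settings",
]
# Constructed sample values: partners, schedule, version, aaa_server_ips.
PRIMARY = {"name": "server1", "send": POSTED, "version": "BUILD-PLACEHOLDER",
           "partners": ["server 2", "server 3", "server 4"],
           "aaa_server_ips": ["192.0.2.1"]}
SERVER4 = {"name": "server 4", "receive": POSTED, "version": "BUILD-PLACEHOLDER",
           "partners": [], "schedule": "manual",
           "aaa_server_ips": ["192.0.2.4"]}

if __name__ == "__main__":
    for server, finding in check_replication(PRIMARY, [SERVER4]):
        print(f"{server}: {finding}")
```

With the posted selections, the only findings are the Distribution Table being checked on both the send and the receive side (item 2).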