
Cisco ACS 5.3 patch 8 OPT Volume

Rogelio Mercado
Level 1

Hello,

We currently have 12 ACS appliances, with one of them being a dedicated Log Collector. We have 802.1x authentication configured for both network port and wireless access. We are authenticating desktops, laptops, smart phones, etc. on our network.

The problem we are having is the OPT volume exceeding the 30% volume size recommended by Cisco TAC every few months. We have recently added more network resources to our network (merger). We are now hitting the 30% size in about 1 month.

In the past we have called Cisco TAC when we had issues with Log Collector performance. At that time it was also authenticating 802.1x clients. We added a new appliance and made it a dedicated Log Collector. They would check the OPT volume and find that it was at about 70% use size. They would run the Root Console patch and delete the DB and then recreate it. We have done that about 2 times before we started to monitor the OPT volume size.

This last time we ran into the 30% volume size quicker than we previously had. I had Cisco TAC delete the OPT volume and recreate it.

Cisco TAC has recommended we reduce the amount of logs that are being sent to the Log Collector. We are currently exploring that option.

The questions I have are:

At what percentage size for the OPT volume should we be concerned before it starts impacting the performance of the Log Collector?

Is there something else we can do to reduce the amount of logs that are being sent to the Log Collector?

We have Data Purging set to 30 days. We are performing Full and Incremental backups of the database. We are also sending the local logs to a Syslog server.

We are testing making changes to send only the AAA Audit and System Statistics logs to the Log Collector.

Thanks,

Accepted Solutions

Jatin Katyal
Cisco Employee

In a distributed setup, it's recommended to configure a dedicated secondary server as a log collector. However, you have a large deployment, so I'm sure the authentication rate would be high too, causing the view-database size to keep increasing.

In order to prevent running out of disk space we need to manage it. That means identifying the files that are created and written to by processes on the system, allocating a space budget to them such that if the files stay within their budget all services can be supported without interruption, and then defining and implementing facilities to keep those files within their budget.

There are two mechanisms to reduce this size and prevent it from exceeding the maximum limit.

1. Purge: In this mechanism the data will be purged based on the configured data retention period or upon reaching the upper limit of the database. In Patch 6, a new option is provided to do an on-demand purge as well.

2. Compress: This mechanism frees up unused space in the database without deleting any records. Before, the compress option could only be run manually. In ACS 5.3 Patch 6 there are enhancements so it will run daily at a predefined time, automatically when specific criteria are met.

At what percentage size for the OPT volume should we be concerned before it starts impacting the performance of the Log Collector?

TAC recommendations are right. You will be able to utilize all features of ACS if /opt is below 30%.

Is there something else we can do to reduce the amount of logs that are being sent to the Log Collector?

It seems you're using most of the features/mechanisms to keep /opt low. However, you may be interested to read more on the data purging and data compression enhancements: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/release/notes/acs_54_rn.html

- Please use System Administration > Configuration > Log Configuration > Logging Categories > Global to configure sending only the required logs to the ACS View log-collector.

- Provide a fresh screenshot of the page Monitoring Configuration > System Operations > Data Management > Removal and Backup.

- With the command listed below you can check the actual and physical size of the MnT database:

     acs-config

     Username: acsadmin

     Password: ***********

     acsview show-dbsize

There are a few known defects on the same issue. However, the version you're running improves database management processes.

CSCto47203: ACS 5 runs out of disk space

CSCua51804: View backup fails even when there is space in disk

Jatin Katyal

- Do rate helpful posts -

~Jatin

Thanks for the reply.

So then it looks like the best course of action would be to upgrade to ACS 5.4 to take advantage of the data purging and data compression enhancements.

We are going to be adding 3 more ACS appliances in the next few months. So our OPT volume issue will just be getting worse.

Are there any known issues with upgrading using the "Upgrading an ACS Server Using the Application Upgrade Bundle" path?

Roy

No doubt. There are no known issues with the upgrade; however, there are a couple of points that need to be kept in mind while upgrading to ACS 5.4.

Upgrading an ACS Server using the Application Upgrade Bundle

Reimaging and Upgrading an ACS Server

You can only perform an application upgrade bundle, on either a Cisco appliance or a virtual machine, if the disk size is greater than or equal to 500 GB. If you have a smaller disk size, you need to reimage to ACS 5.4 followed by a restore of the backup taken in ACS 5.3 version to trigger the upgrade.

When you upgrade from ACS 5.3 to 5.4, it is mandatory to install the latest ACS 5.3 patch prior to the upgrade or the upgrade may fail. If you use a version prior to ACS 5.3.0.40.6, then you might hit an error and the upgrade will not proceed. Note that ACS 5.4 does not include all fixes that are included in 5.3.0.40.8. Therefore, if any of these fixes in 5.3.0.40.8 are required in your deployment, then you should install patch 5.4.0.46.1 after you upgrade to ACS 5.4. Patch 2 is also available now to add Windows 2012 support.

Installation guide:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/installation/guide/csacs_upg.html

Release notes:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/release/notes/acs_54_rn.html

Hope this answers.

Jatin Katyal

- Do rate helpful posts -

~Jatin

You may also go through this post on the ACS 5.4 experience that was discussed a few days ago.

https://supportforums.cisco.com/message/3781934#3781934

Jatin Katyal


- Do rate helpful posts -

~Jatin

Thanks for the information.

We are currently at version 5.3.0.40.8 and have a 500 GB thick drive for our VM appliances.

We will move forward with upgrading to ACS 5.4 patch 2 to help remedy the OPT volume issue.

Thanks again,

Rogelio Mercado

Sounds good!!! Have a nice day ahead

Jatin Katyal


- Do rate helpful posts -

~Jatin