08-05-2005 04:08 AM - edited 03-10-2019 02:15 PM
We have 2 Cisco ACS appliances running version ...
Cisco Secure ACS 3.2.2.5
Appliance Management Software 3.2.2.5
Appliance Base Image 3.2.2.1
The fact is that after initial setup, we have never used the console, mainly because in a production environment we manage them through the Web Admin application. Now we have decided to upgrade both appliances to the latest version (3.3.3), and when we tried to connect to the serial console (115200,N,8,1, no flow control) we don't get any response from either ACS. It's quite strange, but we have found no way to make them work. We have tried several things, which I describe here in case you can give us any hint:
1. We have rebooted the appliance and we can see through the console all the start-up process but when it finally finishes the start-up, we see no login prompt.
2. We have also shut down the appliance properly and powered it off and on again. Same results. The appliances boot normally but we still don't have console access.
3. We have tried booting the appliance with the recovery CD-ROM and the console works fine. I can reset the Admin password, but when it restarts from its own system (I mean without the recovery CD-ROM), I can see all the starting messages but when it finishes the start-up process ... no console access.
4. Finally I have connected a monitor and a keyboard to the appliance (I know Cisco does not recommend it but when in trouble....) and I see the full start-up process and it includes the base Windows 2000 Server operating system startup. When Windows finishes loading, we get a lock screen in which the appliance informs you that it has started correctly and that we could access it for management through the serial console port or through the web console. 10 seconds later I see a pop-up window stating that one or more services have not started correctly and that we should check the Event Viewer, something we wished we could do but as you know, this is a secured system and I don't know if there is a back door method to verify Windows services in this appliance.
Any help would be appreciated, as the problem is identical in both the appliances and upgrading them without access to the admin console is difficult and risky.
Kind regards.
08-09-2005 06:16 AM
I am seeing this EXACT behavior. My problem is that in addition to all that, I don't have web access because the client can't remember their password. I would suggest looking at the services via the web interface, and make sure the Telnet service has started, as I believe that is what is controlling the console access (I may be wrong about that).
Please let me know if you find out anything on this. I plan to open a TAC case. It's the most bizarre thing, no console! I get the "one or more services has failed to start" message as well.
Brian
08-09-2005 07:16 AM
Brian,
As there was no answer, and taking into account that this might be a Microsoft-related service failure, I took the safest solution, which was to use the recovery CD-ROM and reimage the appliance. It's a fast procedure as you only have to perform basic initial configuration (hostname, IP address, default gateway, admin name and password, etc.) and when the web console is back on, you only have to do a system restore (SO IT'S VERY IMPORTANT TO HAVE A RECENT BACKUP OF YOUR APPLIANCE). Total time "offline" is +/- 30 min if everything goes well. I have done it for both our appliances and it went OK. Sorry, I have no more details.
P.S.: By the way, both serial consoles are back and OK!! ;oP
08-09-2005 10:01 AM
Thanks for your reply. It's disturbing that this has happened to both of us, though, yet I cannot find any bug ID associated with it. Actually, not sure where to look for bugs in the ACS Solution Engine, I just checked under ACS for Windows because I did not see a category in TAC for the Solution Engines.
I will open a TAC case and then post here the results of what the resolution is. Having someone lose their console at random, and then requiring reload of the OS and data is not good.
If anyone else knows any information on this, please post it here!
Brian
06-28-2006 05:39 AM
Hey guys...
We are preparing to go live with two new appliances in production and needed to change the IP addresses, but no access to the console (exact same problems you referred to in your post). Man... this problem is going to have to be corrected as even a 30 minute period to do a recover/restore is a headache when you have ten bazillion other things to get done. Since there are no other postings, I will assume this is the easiest or only known workaround for the time.
Thanks guys...
Thomas
07-04-2006 09:02 PM
This is a known bug. I don't have the bug ID.
TAC has a patch for it.
It's a Microsoft OS thing which blocks the console port. Should be a matter of 10 minutes after you have the patch.
07-06-2006 08:01 AM
Hi
I've got this exact problem with a customer's ACS box - they have one that works now (which they hope will never need rebooting) and a new one..
The new one has been RMA'd 4 times and TAC are telling me my case is unusual...
Hmm.
It would be great if someone could detail the patch name or maybe post it????
Aaron
07-06-2006 08:14 AM
Hello,
Here is that bug ID CSCsb26676 - console unavailable after upgrade.
http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsb26676
Hope that helps! If so, please rate.
Thanks,
hemendoz
07-06-2006 03:21 PM
Thanks - however it seems this is a little different to my problem!
Mine is 3.3.3, but I get no radius, no HTTP, no serial...
I'll continue with TAC unless anyone knows of any more bugs?
Ta
Aaron
08-07-2006 01:21 AM
Hallo
I met with this bug at our customer. I looked up this bug in Bug Toolkit but I saw neither the STATUS nor any link to this patch. I searched for this patch in Download Center but without any luck. Is it possible to access and download it?
Thanks
09-12-2006 12:00 PM
Hi All
Found another bug today that might explain this console access problem:
---------------------------------------------
CSCsc52381
ACS SE console access may not work if NTP synchronization is enabled
The login prompt might not appear on the CLI console after rebooting through the CLI or through the GUI; even if NTP synchronization is enabled and the NTP server address is set correctly.
Workaround: Disable NTP synchronization.
---------------------------------------------
Hope this helps...
Aaron
Please rate helpful posts....
06-14-2007 06:14 AM
Hi
I had a similar problem, being locked out of the console after the initial configuration wizard.
I think there is a bug within the console session in that if you input a hostname of more than 15 characters, it locks up the ACS service when the server reboots. If you keep your hostname to less than 15 characters, the server reboots and you get console access. If you then access the GUI, you will see that 15 characters is the maximum, and you cannot enter any more than this. This is not the case with the console, where you can enter more than 15 without getting an error message.
I rescued the server by doing F8 and rebooting the server with last known good configuration. From there, you can reset the hostname to something valid. You can check to see which CS services are running through the console session, and start any services that may not be running.
deliverance1> start CSAgent
Starting service: CSAgent..
CSAgent is starting
CSAgent is running
Regards
Ian