04-07-2010 08:54 AM - edited 02-21-2020 10:24 AM
Greetings,
I am not able to replicate the database between two ACS SE 4.2. I am getting the following error:
Inbound database replication from ACS 'ACS_BEX_001' denied - shared secret mismatch.
The configuration apparently is ok. I am attaching the configuration from both ACS.
04-08-2010 06:14 AM
Hello,
The problem you are seeing is because of the Self entries on each ACS being set to 127.0.0.1. For replication to work you have to set all 4 ACS entries to the same shared secret, even the Self ones. The issue is that when you try to change those entries, it will tell you that you can't use 127.0.0.1, but it also won't let you change the IP.
The bug ID for this issue is CSCso36620. The workaround states that from the CLI you can use the 'set ip' command to set the IP back to the original IP and it should update the Self entry in the GUI. At that point you should be able to update the shared secret on all 4 devices.
Let me know if you have any problems getting that to work.
Thanks,
Nevin
02-26-2013 12:34 AM
The solution posted by Nevin is correct, but I must add some explanations. I had the problem yesterday and I proceeded as Nevin said:
- I connected to the console and made a "show".
- The IP was the correct one, but as indicated I made a "set ip".
- The system asked for the new IP, showing the old one between brackets, i.e. "New IP [10.10.10.1]:"
- I pressed Enter, because the IP is correct.
- After confirming the IP, mask, gateway and DNS, the system asked me to verify connectivity. I did it and it was correct.
- The second time it asked to check connectivity I answered No, and nothing happened.
- We checked through the web but the "Self" IP was still 127.0.0.1.
- So I made the process again BUT this time I changed the IP to another one. After finishing (when I answered No to check connectivity), I saw that the system was stopping all ACS processes and starting them again.
- In the web page the "Self" IP was the new one.
- I made the process again changing the IP to the original one. This time also the system stopped and started all processes.
- In the web page the "Self" IP was correct.
- Now the replication worked correctly.
So the problem was that the system is "intelligent" and if it discovers that you don't change the IP (even if you change the DNS), it doesn't reconfigure it. So you must change to another IP (even a dummy one) and then change again to the correct one.
I hope this can help other people.
02-24-2014 03:11 PM
I believe this would be the solution for me. I have not tried it yet. I am going to try it on our ACS and post the result. Thanks Fernando.
03-04-2014 07:15 PM
Yeah, feel free to let us know if you need any further guidance.
~BR
Jatin Katyal
**Do rate helpful posts**
03-16-2014 07:08 PM
Thanks Jatin,
The IP changed back to the original after I changed the IP to a new IP and then back to the original IP. However, after a while, the IP changed back to 127.0.0.1. I did not know why. Maybe the primary host replicated data to the secondary host as I worked on the secondary host. Anyway, I had no way to prove that.
The repaired configuration from Cisco TAC did fix my issue this time. I hope the issue won't come back at all.
Not sure what the best solution for TACACS+ is nowadays. I know both ISE and ACS5 would work. Am I correct?