Unable to register a secondary ACS 5.2 for replication to primary ACS.

Hello,

I hope someone can help me.  Currently, I have two Cisco ACS appliances and both are listed as PRIMARY.  The first ACS is running version 5.2.0.26 whereas the second ACS is running version 5.3.0.40. 

My original thought was to install the first ACS and have it act as PRIMARY and have it replicate its data to the SECONDARY ACS.  Somehow, after installation, both ACSs are now listed as PRIMARY.  When I go into the secondary ACS under Deployment Options to try and register it to the primary, I get the following error message:

"This System Failure Occurred.  Unable to authenticate with node.  Your changes have not been saved..."

Even if I try this from the primary ACS to register it to the secondary ACS, I get the same error message.  I have tried all passwords, including the super user admin credentials, my admin credentials, and the credentials provided to SSH into the ACSs, to no avail.

Reading online, I read there was a way to deregister a secondary ACS, but I don't have the option to add that server under the primary to "bump it down" to a secondary in hopes of registering it to the primary ACS.

If someone can give me any pointers, I'd be greatly appreciative.

Thanks, and all have a wonderful day.

Y


Hi there Yvonne,

The root of the problem is that in a distributed deployment both servers must comply with the following:

-Primary and secondary must be running the same version, even patch number

-Each server must have a unique license

In your case the servers have different versions, so this seems to be the main problem in your scenario. Upgrade the primary to 5.3 as well and give it another try, and let me know how it goes.


Hi Mauricio,

Thank you for your reply back.  Per your suggestion, I'm in the process of downloading the ACS_5.3.0.40.tar.gz file to upgrade the 5.2 ACS.  After the upgrade is complete, I will try again to register the secondary to the primary and I will report back what happens.

I read that each server must have a unique license as well, and I have two different base licenses for both appliances; however, when I look at the licensing on both appliances, they both have the same license/PAK listed...now I'm confused.

Thanks again,

Yvonne


Yvonne,

The PAK could be the same; however, the Identifier must be different on both servers. Check this on both units. The Identifier can be checked under System Administration/Licensing/Base server license.

Keep me posted.


Mauricio,

Ugh...   Just checked, and the Identifiers are the same for both servers.  The last four digits of the Identifiers on both servers are the same, yet I have another .lic file that's completely different that's not installed on the secondary...what to do now?  Any suggestions on how to remove the license from the secondary server so that I can apply the second license, since they both have to have different Identifiers?  Sorry...

P.S.  The 655MB tar file to upgrade 5.2 to 5.3 is slowly downloading.  Looks like I'll get to the upgrade tomorrow.

Please advise.  I will keep you posted.  And thanks for the suggestions...you've been a great help.

Accepted solution:

Yvonne,

If the Identifier is the same, then replication definitely will not work; you won't be able to register the secondary to the primary if the license is the same. The good part is that you have the other license; you only need to install it.

However, I have more bad news: the only way to re-install a license file in ACS 5.x is using the CLI command "acs reset-config", but it will also delete the entire configuration that you have on this server except the network configuration (IP, default gateway, DNS, etc.).

After this command is entered, if you try to access the GUI you will need to use the default username/password, which is acsadmin/default; then you will be prompted to browse for the license file.

Here is a document with all this information just in case you need it:

http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/my_wkspc.html#wp1052906

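The two registration prerequisites that surface in this thread (matching version down to the patch number, and a distinct base server license Identifier on each node) are easy to get wrong silently, since the GUI only reports "Unable to authenticate with node". The following preflight check is an added example written for this page; it is not code from the thread, from Cisco, or from ACS itself. The node records, version strings and Identifier values in it are constructed by hand and hypothetical; in practice you would copy them from each node (the Identifier is shown under System Administration/Licensing/Base server license, as mentioned above). The check only compares what you feed it; it does not talk to the appliances.

```python
"""Preflight check for registering an ACS 5.x secondary to a primary.

Added example for this thread, not Cisco's code. It encodes the two
prerequisites discussed above:
  1. both nodes must run the same version, including the patch number;
  2. each node must carry a distinct base server license Identifier.
All node data below is constructed by hand and hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AcsNode:
    name: str
    version: str     # e.g. "5.3.0.40" (major.minor.maintenance.patch)
    license_id: str  # base server license Identifier (hypothetical value)


def parse_version(version):
    """Turn "5.3.0.40" into (5, 3, 0, 40) so comparisons are numeric.

    A string compare would rank "5.10.x" below "5.9.x"; tuples do not.
    Anything that is not four dotted integers is rejected rather than
    guessed at, so a typo cannot pass the check by accident.
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected ACS version string: {version!r}")
    return tuple(int(p) for p in parts)


def preflight(primary, secondary):
    """Return the list of blocking problems; an empty list means OK to register."""
    problems = []

    pv, sv = parse_version(primary.version), parse_version(secondary.version)
    if pv != sv:
        # The thread's advice is to bring the older node up to the newer build.
        older, newer = (primary, secondary) if pv < sv else (secondary, primary)
        problems.append(
            f"version mismatch: {primary.name}={primary.version}, "
            f"{secondary.name}={secondary.version}; upgrade {older.name} "
            f"to {newer.version} (major, minor and patch must all match)"
        )

    if primary.license_id == secondary.license_id:
        # Same Identifier on both nodes: registration will fail every time.
        # Per the accepted answer, re-licensing an ACS 5.x node means
        # 'acs reset-config' (wipes all but network settings), then
        # uploading the second .lic file from the GUI as acsadmin.
        problems.append(
            f"duplicate license Identifier {primary.license_id!r} on both nodes; "
            f"install the second .lic file on {secondary.name}"
        )

    return problems


if __name__ == "__main__":
    # Constructed to mirror the situation in the thread (hypothetical IDs).
    primary = AcsNode("acs-primary", "5.2.0.26", "ID-0001")
    secondary = AcsNode("acs-secondary", "5.3.0.40", "ID-0001")
    for issue in preflight(primary, secondary) or ["no blocking problems found"]:
        print("-", issue)
```

Run it with both nodes' values filled in before touching Deployment Options; if it prints anything other than "no blocking problems found", registration is expected to fail regardless of which credentials you try.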


Mauricio,

First of all, thank you for being so responsive and helping me out with this.  You don't know how much I appreciate your guidance in what to do here.  Sorry for the late response...I was out of the office yesterday.

Well, here's the scoop.  For almost two days, I've been trying to download the ACS_5.3.0.40.tar.gz file to do the upgrade.  The download has been stuck at 54%.  I think our IPS is blocking the download from completing, so I'll have to check with the network manager to make sure the IPS is not blocking the app from downloading.

Today, as I try and re-start the download, I'm going to SSH into the ACS CLI and issue the acs reset-config command and bump it back down to 5.2 or 5.1 (can't remember what the initial version was unboxed).  Because my primary is configured correctly and working, re-configuring the secondary won't be that hard at all.  Nice to know I can start fresh on the secondary without having to mess with the primary that's working.

Thank you for the document.  I will go over it today and get the secondary back up to par with its own license and identifier.

I will keep you posted to the progress of this issue.  Again, thank you.

Y


Mauricio,

Is there a way you can attach that file?  I'm getting a Forbidden File or Application error from the Cisco site.

Thanks much!

Y


Yvonne,

Let me attach the PDF file for you.


Yvonne,

Unfortunately I don't see an option to attach a PDF file; let me try to send you the link again.

http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/my_wkspc.html#wp1052906

Or

http://tools.cisco.com/squish/89AaE

Also try to log in to the Cisco page first.


Hi Mauricio,

I hope you had a great weekend. 

Upon trying to open the PDF from both links, I still received the Forbidden File or Application even after logging into the cisco site as well.

I do, however, have another question.  If I upgrade my primary ACS from 5.2 to 5.3 (the secondary is at 5.3), which is doing AAA against our switches and routers, will the upgrade wipe out my current configuration, such as all the identified devices I have set up within the UI?  Or will it just upgrade in the 'background,' so to speak, keeping all my configuration the same so that I won't have to re-configure everything?

I have the tar file downloaded...I just didn't want to proceed with the upgrade until I knew the answer to this question...like you said earlier, doing the acs reset-config command via SSH CLI to reset the Identifier would wipe out all of the configuration, but would just doing the upgrade from 5.2 to 5.3 do the same?

Thanks,

Y


Hi Yvonne,

There are two ways to upgrade the ACS 5.2 to 5.3:

1. Using the tar file

2. Using the ISO file

The first method will upgrade the system keeping all your configuration settings. The second method requires burning the ISO file to a DVD and using this disc to reimage the unit with the 5.3 code; this obviously will delete everything from the unit.

I prefer the second method because, if you collect a backup of ACS 5.2 before the upgrade, then after the reimage you can restore this backup and all your configuration will be in the ACS 5.3. Even though it looks like it requires more work, the process is way cleaner than the first method (I've had multiple random issues using the first method).

Whichever method you decide to use, it is highly recommended to collect a configuration backup, just for security reasons; here is the command:

ACS# acs backup <backup-name> repository <repository-name>

Let me know Yvonne if I can help you with something else.


Mauricio,

You are absolutely wonderful!  I was able to upgrade the primary from 5.2 to 5.3 using the tar file and was able to register the secondary to the primary for replication after the upgrade AND after doing the acs reset-config command on the secondary to clear out the Identifier that was the same as the primary.  I registered the second license onto the secondary, which in turn changed the Identifier and everything is functioning as it is supposed to, thanks to you!

The way I have it setup in the running-configs of the switches and routers is the IP address of the primary followed by the second for AAA.  If the primary were to fail, the secondary should just kick in, correct?  As of now, within the reporting logs, I'm only seeing information regarding AAA for the primary.  I hope that if for some reason the primary fails, the secondary should just take over for the primary, correct?

Please advise.


Thanks,

Y


Yvonne,

I am glad to hear the good news.

The devices (routers, switches, etc.) will try to contact the first AAA server configured; if there is no response from the primary, then they will try to authenticate against the secondary server.

Now, in a Distributed Deployment one server is the Log Collector. The Log Collector role is assigned to the primary by default, but it can be manually changed to the secondary. What it does is collect and maintain all the logging information, so even if the authentication requests are pointing to the secondary, the logs will be displayed in the primary because it is the Log Collector.

How can you identify which server is authenticating the users? In the logs for passed/failed authentications there is a column with the name "AAA Server"; this column will let you know which AAA server is receiving the authentication requests.

If you have any other concern Yvonne then just let me know XD.

Rate if it helps.


One more thing...do you know if the 5.4 version that was released 23 October 2012 is stable enough to apply to the servers?
