
Unable to upgrade from ACS 5.2 to ACS 5.5 - Application will not initialize.

rodmunch999
Level 1

Hi,

Has anyone had problems upgrading an ACS 5.2 to ACS 5.5?

I am starting with a base machine running 5.2 Patch 5 which has a working/production configuration. The documentation states that to upgrade from 5.2 you have to upgrade to either 5.3 or 5.4 first and then run the 5.5 upgrade. I have tried using both 5.3 and 5.4 as the interim version but I get the same problem. I have confirmed that the 5.3 or 5.4 version is working fine before I start the 5.5 upgrade, but although the 5.5 upgrade says it has been successful, the ACS services will not start. I get the message (and it stays like this):

acs/admin# sh app sta acs

Application initializing...
Status is not yet available.

Please check again in a minute.

 

I have upgraded an ACS 5.4 running a default configuration to 5.5 successfully, so I know my 5.5 upgrade file is not corrupt.

Other things I have tried:

  • Run MD5 checks on the other patch and upgrade files.
  • Upgrade to the latest patch level of that version before proceeding with the upgrade
  • Perform a database compress before the upgrade of each minor version.
  • Reload the server at the start and before the upgrade of each minor version.
  • Wiping the system with 5.5 recovery disk and restoring the 5.2 configuration (get same error)
  • Applying the Pointed-PreUpgrade patch before the upgrade to 5.5

 

Here are the steps of the upgrade: 

  • Start with base ACS 5.2 Patch 5 (Running a production configuration)
  • Reload ACS
  • Perform database-compress
  • Apply 5.2 patch 11
  • Reload ACS
  • Apply application upgrade 5.4
  • Apply 5.4 patch 6
  • Perform database-compress
  • Confirm ACS application is working
  • Apply Pointed-PreUpgrade patch for 5.4
  • Reload ACS
  • Apply application upgrade 5.5

Once I get the error to occur then I can reset the 5.5 config to its default setting but then I lose all the production system information.

Has anyone had any similar issues? 

 


Jatin Katyal
Cisco Employee

Looks like you are running into a known issue but before we talk about it let's confirm. 

Can you check the dberr.log in ACS support bundle? Do you see something like 


E. 01/10 13:43:45. Unknown encryption algorithm 
I. 01/10 13:43:45. Database server shutdown due to startup error 
I. 01/10 13:43:45. Disallowing new connections
I. 01/10 13:43:45. Shutting down databases 

 

Let me know.

 

Regards,

Jatin Katyal

**Do rate helpful posts**

 

~Jatin
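
The dberr.log check requested in the reply above, as an added example (not part of the original thread and not Cisco code). It pairs each "Database server shutdown due to startup error" line with the error lines logged just before it and flags the "Unknown encryption algorithm" case; the line format is inferred from the excerpt above, and the reading of `E.` as error, the 60-second window and the sample lines marked "constructed" are assumptions.

```python
import re
from datetime import datetime, timedelta

# Line shape as in the dberr.log excerpt quoted in the thread:
#   "<severity>. <MM/DD> <HH:MM:SS>. <message>"
LINE_RE = re.compile(r"^\s*([A-Z])\.\s+(\d\d/\d\d \d\d:\d\d:\d\d)\.\s+(.*\S)\s*$")
SHUTDOWN = "Database server shutdown due to startup error"
SIGNATURE = "Unknown encryption algorithm"  # error the thread ties to CSCum67932
WINDOW = timedelta(seconds=60)              # assumption: cause is logged within 60 s

# Constructed sample: lines 3-6 copy the excerpt in the thread, the rest are made up.
SAMPLE_LOG = """\
E. 01/10 09:15:00. Example unrelated error (constructed)
I. 01/10 13:40:02. Example informational line (constructed)
E. 01/10 13:43:45. Unknown encryption algorithm
I. 01/10 13:43:45. Database server shutdown due to startup error
I. 01/10 13:43:45. Disallowing new connections
I. 01/10 13:43:45. Shutting down databases
this line is not in the expected shape and is skipped
E. 01/11 08:00:00. Example other startup error (constructed)
I. 01/11 08:00:01. Database server shutdown due to startup error
"""

def parse(text):
    """Yield (severity, timestamp, message) for each well-formed line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        sev, stamp, msg = m.groups()
        try:
            # The log carries no year; a leap year is assumed so 02/29 parses.
            ts = datetime.strptime("2000/" + stamp, "%Y/%m/%d %H:%M:%S")
        except ValueError:
            continue  # impossible date or time, e.g. "13/45 99:99:99"
        yield sev, ts, msg

def startup_failures(text):
    """Pair each startup-error shutdown with the E. lines logged shortly before it."""
    failures, errors = [], []
    for sev, ts, msg in parse(text):
        if sev == "E":
            errors.append((ts, msg))
        elif SHUTDOWN in msg:
            causes = [m for t, m in errors if timedelta(0) <= ts - t <= WINDOW]
            failures.append({"when": ts.strftime("%m/%d %H:%M:%S"), "causes": causes,
                             "matches_defect": any(SIGNATURE in c for c in causes)})
            errors = []
    return failures

if __name__ == "__main__":
    for failure in startup_failures(SAMPLE_LOG):
        print(failure)
```

A startup failure whose `matches_defect` is false has some other cause, so the workaround discussed in this thread would not be expected to apply to it.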

Hi Jatin,

Yes, I have checked the dberr.log and there are errors which show "Unknown encryption algorithm"

You're running into the below listed defect. This defect will be fixed in patch 2.


CSCum67932    ACS 5.5 not starting after upgrade due to unknown encryption algorithm 

As a workaround, you need to apply the pointed patch on top of ACS 5.5,
then run the 'database-compress' command, and finally remove the pointed patch.

 

Regards,

Jatin Katyal

**Do rate helpful posts**

~Jatin

Thank you Jatin! - I will give that a try soon. 

BTW - It is odd that all the ACS 5.x bugs are listed under "Cisco Secure Access Control Server Solution Engine", which is the old ACS. It should be listed under "Cisco Secure Access Control System", shouldn't it?

(It makes these bugs hard to find if you don't know)

Many Thanks

Just wanted to let you know that ACS 5.5 patch 2 is out and available for download. Please try and apply it and post your feedback back.

 

Regards,

Jatin Katyal

*Do rate helpful posts*

~Jatin

Hi,

I have a question regarding the upgrade. If I have to reimage the ACS (in the 5.2 to 5.4 migration), do I need to buy a new license? In my situation one ACS is running on VMware and the other one is an appliance. Both are currently running ACS 5.2. Also, I would like to know: can I use the same app bundle downloaded for the VMware version for the appliance also? I am new to ACS, so please help with your expertise.

Thank you very much

Kind regards

Chamara

Hi Chamara, The base v5 licence covers all current versions of ACS from 5.0 to 5.5 so you should not need to purchase a new licence. If you are running your 2 ACS servers as a Primary and Secondary (distributed deployment) then you should have 2 separate licences as you cannot use the same licence in this type of setup.

All the application bundles are the same whether you are using a hardware appliance or a virtual appliance.

Thank you rodmunch999. One more question regarding the upgrade since you are familiar with that.

I have 2 ACS, primary and secondary. Cisco says to upgrade the secondary first. At the same time it said "To ensure that you preserve the local certificates of the secondary server, you should promote each secondary server to the primary role, and then perform the ACS 5.4 upgrade."

These statements conflict with each other. What is the correct way I should follow?

Also, how can I keep my log collector during the upgrade process? Do I have to keep it on the primary until the secondary server upgrade is done, and after the old secondary has been upgraded to 5.4 can I redirect logs to the new 5.4 (old 5.2 secondary) ACS server?

 

Cisco said "Register the secondary server to the ACS 5.4 primary server". But when I upgrade my secondary first there is no 5.4 primary in my environment. So how can I do this?

 

Thank you again for your valuable time and advice. Much appreciated all the time.

Kind regards

Chamara

It's a little confusing. I'd suggest that you split the deployment and leave both servers as standalone. Upgrade in the order you want and register the secondary back to the primary.

http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-4/installation/guide/csacs_book/csacs_upg.html#82117

Before you upgrade, I'd also suggest you take a backup of your certificates with the private key file.

Regarding licensing, you can read it here. However, I agree with what Rod has suggested to you.

http://www.cisco.com/c/en/us/products/collateral/security/secure-access-control-system/product_bulletin_c25-718293.html

 

Regards,

Jatin Katyal

** Do rate helpful posts**

~Jatin

I have read http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-4/installation/guide/csacs_book/csacs_upg.html#82117

That confused me. That's why I asked about the procedure. :)

 

If I go to System Administration > Operations > Distributed System Management

then if I remove the secondary from the primary, will both servers become standalone servers and go into local mode?

thank you

Chamara

 

Your understanding of the issue is correct. You need to de-register the secondary by logging in to the primary and going to System Administration > Operations > Distributed System Management.

Check the check box next to the secondary instance that you want to de-register.

Click Deregister.

The system displays the following message:
This operation will deregister the selected ACS Instance from the Primary Instance.
Do you wish to continue?
Click OK.

 

The deregister process may restart the services of the secondary server.

 

Regards,

Jatin Katyal

** Do rate helpful posts **

~Jatin

Hi Chamara, the way I understand it is you can only upgrade a Primary server. So before you start the upgrade you must detach the Secondary from the Primary, so you will be effectively upgrading 2 Primaries. Once the upgrade is completed on both servers you can then register your original Secondary server to the Primary.

I am not sure what will happen to the logs from the Secondary server when it is re-attached but I am assuming this will only happen during the upgrade so you should lose much data (if any)

 

Cheers Dave

Thanks a lot Dave. I'm just trying to follow the steps you took to upgrade 5.2 to 5.4. I hope your migration was successful. Since my environment is critical and I only have two days (approved by management) to do the upgrade, I do not want to make any mistake.

One more thing to ask: is the database compress necessary for the upgrade, or can I just skip that step?

Thanks again for help

Kind regards

Chamara

Hi Chamara, I have successfully upgraded a hardware appliance in the lab from 5.2 to 5.5, but when I tried it in the production environment on a virtual appliance it failed. (Not sure why yet.) I am waiting to get a valid support contract arranged so I can raise a TAC case. I have upgraded a couple of ACS in production from 5.3 to 5.5 successfully as well, but that is not a staggered upgrade like 5.2.
I would say that a database compress is quite important although it's not listed in one of the steps in the readme. If your ACS has been in place quite a while with no log maintenance then this can increase the chances of an upgrade failure. All I can say is make sure you have a valid support contract in case things go wrong and allow for direct console access in your change.
