Solved: Upgrade ACS 5.1 to 5.3

Abdullah Hashim · ‎07-06-2013

Hello all,

I need to upgrade our ACS 5.1 to 5.3 after I see this Dockment from cisco this Doc is more complex

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/installation/guide/csacs_upg.html#wp1199421

I don`t understand any think Please help me to answer my question

1- we have 2 Server primary und secondary with which one should i start to upgrade?

- in the obove Doc began with

Upgrading an ACS Deployment from 5.1 to 5.3

2- sholud I start use this method ACS Deployments to upgrade or sholud i use only Upgrading an ACS Server from 5.1 to 5.3 ?

3- frist i must backup my Server how to Backup both Server from ACS Server web page or Should I use ony command Line?

- from this command

Step 1 Back up the ACS data from the ACS 5.2 server.

Step 2 Enter the following backup command in the EXEC mode to perform a backup and place the backup in a repository.

backup backup-name repository repository-name

4- what is A Repository-name and how can I find it

5 - Also

acs patch install patch-name.tar.gpg repository repository-name

- Idon`t know what that mean

Note

Before upgrading any secondary server, you need to deregister it from the primary server.

6 - what that Mean, what is deregister ?

7 - can I meake this Upgrade from ACS Administration Webpage

8 - If i need to upgrade our ACS should from CMD i must install FTP server ? how to install FTP Server in ACs or how to tell ACS server about this FTP

thank you all for help

AHA

Jatin Katyal · ‎07-08-2013

Tarik, Very nice reply +5

Hello Abdullah Hashim

You need to start with secondary. If it's a log collector then move it to primary for a time being, once the upgrade is complete, move it back to secndary and upgrade the primary box.

It's recommended to apply latest patch on the current version (to avoid any known issues) before you upgrade the ACS to 5.3 or 5.4

You're already running the latest patch of ACS 5.1 (i.e patch 6) so you don't need to install any other patch. ACS patches are cumulative so no need to install the previous patches. The latest one should have fix for all defects.

Let me know if you still have any questions.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

View solution in original post

Jatin Katyal · ‎07-09-2013

You need issue "show application status acs". This would show you below listed processes. The view database shows that the box is acting as a log collector. On the other box, you'd see only 4 process running.

•Database

•Management (ACS management subsystem)

•Runtime (ACS runtime subsystem)

•View-alertmanager

•View-collector

•View-database

•View-jobmanager

•View-logprocessor

In order to change log collector, you need to go to Primary ACS || Monitoring and Reports || Monitoring Configuration || Log Collection || change log collector.

Yes, you should de-register them and upgrade your servers as a standalone server. Once upgrade is completed successfully, you may register again and replicate.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

View solution in original post

Tarik Admani · ‎07-06-2013

Hi,

My answers are inline to your questions -

Hello all,

1- we have 2 Server primary und secondary with which one should i start to upgrade?
- Do you have one of the servers acting as both the log collector and as the primary acs server? The document states that you must first promote the non-log collecting server as the primary, this can be done through the deployment operations tab and the promote to primary should be present, please attempt to do this during a maintenance window.

- in the obove Doc began with
Upgrading an ACS Deployment from 5.1 to 5.3

2- sholud I start use this method ACS Deployments to upgrade or sholud i use only Upgrading an ACS Server from 5.1 to 5.3 ?
- The document prefers that you use the application upgrade file which must be placed on a repository (I have had the best luck with ftp), and the upgrade is done through the cli but issuing the "application upgrade" command.

3- frist i must backup my Server how to Backup both Server from ACS Server web page or Should I use ony command Line?
The backup can be run from both the gui and the cli *of the primary node* backup operations are disabled on the secondary acs. The command that runs the easiest is "acs backup..." you will have to visit the acs command line reference guide for the exact syntax or you can use the "?" to guide you through the command syntax.
- from this command Step 1 Back up the ACS data from the ACS 5.2 server.
Step 2 Enter the following backup command in the EXEC mode to perform a backup and place the backup in a repository.
backup backup-name repository repository-name4- what is A Repository-name and how can I find it

A repository is a file server that you would want to point acs too, my recommendations are ftp if this is ok with your security guidelines, you can also use sftp but i am sure in acs 5.1 there is a bug around large files and sftp but you may need to look at the open caveats section in the acs 5.1 release notes to be sure.

You should be able to consult the command reference guide (repository ...).

5 - Also
acs patch install patch-name.tar.gpg repository repository-name
- Idon`t know what that mean
-- This is the command that is used to install the patch on acs, the patch-name is the name of the file you download from cisco. the repository name is the server that has the file present for the acs to download.

Note
Before upgrading any secondary server, you need to deregister it from the primary server.

6 - what that Mean, what is deregister ?
- When you have a distributed setup this means that there is a primary server and a secondary server, when you make any changes to your acs environment that is done through the administration node which is then replicated to the secondary node. In order to do the upgrade, you have to deregister the node from the primary node in order to do the upgrade.

7 - can I meake this Upgrade from ACS Administration Webpage
--No you can not upgrade ACS through the web gui this is done through the cli, the same goes for patches.

8 - If i need to upgrade our ACS should from CMD i must install FTP server ? how to install FTP Server in ACs or how to tell ACS server about this FTP

Here is the command reference guide for you version of ACS - http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/command/reference/cli_app_a.html

Also it is best to install the latest patch on the acs before upgrade to a different version. What is the patch level of your acs? You can find this out by issuing a "show version" that should give you the output of any installed patches.

Upgrading acs is a delicate process if you are not comfortable with upgrading acs you should open a tac case and have the experts guide you through the upgrade process.

Thanks,
Tarik Admani

Sent from Cisco Technical Support iPad App

Abdullah Hashim · ‎07-08-2013

hallo all again

thank you tarik for you answer but i still have A problem with the frist question

should I start with Prim oer with Sec Server to upgrade

what did you Mean with

#######

Also it is best to install the latest patch on the acs before upgrade to a different version. What is the patch level of your acs? You can find this out by issuing a "show version" that should give you the output of any installed patches.

##########.

did you Mean that we have now ACS 5.1.0.44.6 should I install all patch for ACS 5.1 and that upgrade to 5.3

Jatin Katyal · ‎07-08-2013

Tarik, Very nice reply +5

Hello Abdullah Hashim

You need to start with secondary. If it's a log collector then move it to primary for a time being, once the upgrade is complete, move it back to secndary and upgrade the primary box.

It's recommended to apply latest patch on the current version (to avoid any known issues) before you upgrade the ACS to 5.3 or 5.4

You're already running the latest patch of ACS 5.1 (i.e patch 6) so you don't need to install any other patch. ACS patches are cumulative so no need to install the previous patches. The latest one should have fix for all defects.

Let me know if you still have any questions.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Abdullah Hashim · ‎07-09-2013

thank you Traik and thank you Jatin for help

how to know if the Secondary Server is the log collector Server from command line

and how to change this from command line also (we have a problem with our server from all Browser (firefox and IE and chrome)

know i understand that: we upgrade first the log collector Server

- start to upgrade with Secondary Server (Upgrading the Log Collector Server)

- move the log Collector to Primary Server and than upgrade it

- after upgrade is complete move again the log collector to Secondary Server

- but we must first make a Deregister from Primary Server to make every Server as standalone

Serve

- than register the Secondary Server again to Primary Server after i move the log collector to him

- I mean we upgrade every Server as standalone Server after we move the log collector to this Server

thank you for help again

Jatin Katyal · ‎07-09-2013

You need issue "show application status acs". This would show you below listed processes. The view database shows that the box is acting as a log collector. On the other box, you'd see only 4 process running.

•Database

•Management (ACS management subsystem)

•Runtime (ACS runtime subsystem)

•View-alertmanager

•View-collector

•View-database

•View-jobmanager

•View-logprocessor

In order to change log collector, you need to go to Primary ACS || Monitoring and Reports || Monitoring Configuration || Log Collection || change log collector.

Yes, you should de-register them and upgrade your servers as a standalone server. Once upgrade is completed successfully, you may register again and replicate.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Abdullah Hashim · ‎07-09-2013

Thank thank man for this Info

my last question

- must i do this( Upgrading the Log Collector Server )

- or i can direct Upgrading an AC'S Server Using Application Upgrade Bundle

# application upgrade ACS_5.3.tar.gz repository-name

what happen if i upgrade ACS Server Using Application Upgrade Bundle without using

Upgrading the Log Collector Server method

thank you again

Jatin Katyal · ‎07-09-2013

I didn't understand your question completely. what you mean by upgrading the log collector server?

yes, we need to use application upgrade bundle one by one on both servers once they are in standalone mode.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Abdullah Hashim · ‎07-22-2013

hallo all again,

Please again answer my question

from ACS Primary ::

ISMACS02/admin#

ISMACS02/admin# show application status acs

ACS role: PRIMARY

Process 'database' running

Process 'management' running

Process 'runtime' running

Process 'adclient' running

Process 'view-database' running

Process 'view-jobmanager' running

Process 'view-alertmanager' running

Process 'view-collector' running

Process 'view-logprocessor' running

from Sec Server I see only : #

ISMACS01/admin# show application status acs

ACS role: SECONDARY

Process 'database' running

Process 'management' running

Process 'runtime' running

Process 'adclient' running

----------------------

know I know that the Primary ACS is the Log Collector Server <<< is that true

Q: during the upgrade what i understand is I must upgrade a standalone if this Server as a Log Collector Server

I mean I upgrade every Server when this Server have the Log Collector file

thank you again

Jatin Katyal · ‎07-22-2013

Yes that is true, your primary server is acting as a log collector because we can see the view-database services running on primary server.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Abdullah Hashim · ‎07-23-2013

hallo,

thank you Jatin for confirm

so that Mean my Step to upgrade is:

- BAckup my system to tftp : backup-file-name repository repository-name

- Promoting a Secondary Server to Primary

- Deregister both Server

- Upgrading the Log Collector Server (primary server) the Sec Server work now as Primary

- Install all Patchs file

- again register both Server

- change the log Collector to Sec Server

- Deregister both Server

- Process again the upgrade for Sec Server and install Patchs

- again register both Server

thank you again for confirm