
ACS replication through FWSM

p.stavrinou
Level 1

I have a problem replicating ACS database through an FWSM blade. The primary ACS is under a Mgmt zone in the FWSM. A secondary one, located in the same zone receives replication with no problems. All others that sit outside the Mgmt zone do not receive replication. TCP 2000 required for replication is open along the path. I can see the sessions initiated on the FWSM through CSM, but these sessions expire after the replication timeout and are closed by the FWSM. No trace of connections reaching the secondary ACSes appears in the Database replication log of the receiving ACSes. Any caveats on this issue? NAT shouldn't be an issue here since no NAT is performed along the path. Any ideas?

Thanks

Panos



smahbub
Level 6

Cisco Secure Access Control Server (ACS) is a powerful tool that allows network administrators to centrally manage AAA (authentication, authorization, and accounting) on a wide range of Cisco devices. You can deploy an ACS server in a standalone configuration or in a redundant topology. In order to provide failover capability, two or more ACS machines share database components at preconfigured times.

Refer to the following URL for more information on "Secure ACS Database Replication Configuration":

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080742f60.shtml

ASA/FWSM uses TCP port 2000 to inspect the skinny protocol. This can result in failed replication.

Try

no fixup protocol skinny 2000

If it's not possible for your environment, then:

1. Create an ACL for the traffic for which you want to enable skinny inspection.

2. Create a class-map to match this traffic.

3. In the global policy, take the skinny inspection out of the class inspection_default and add it to the class created in step 2.

Thanks

Syed
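Steps 1 to 3 above, written out as ASA/FWSM Modular Policy Framework configuration. This is an added example, not configuration from the thread; the ACL and class-map names and the 10.1.1.0/24 phone subnet are placeholders to be replaced with the hosts that actually speak Skinny.

```text
! Option A (as suggested in the reply above): drop Skinny inspection entirely.
! Legacy fixup syntax, still accepted on platforms that map it to MPF:
no fixup protocol skinny 2000

! Option B: keep Skinny inspection, but only for the hosts that really use it,
! so ACS replication on TCP/2000 between the Mgmt zone and the other zones is
! no longer handled (and torn down) by the Skinny inspection engine.

! 1. ACL matching only genuine Skinny traffic (IP phones -> call manager).
!    10.1.1.0/24 is a placeholder phone subnet; the ACS servers must not match it.
access-list SKINNY_HOSTS extended permit tcp 10.1.1.0 255.255.255.0 any eq 2000

! 2. Class-map that selects that traffic.
class-map SKINNY_CLASS
 match access-list SKINNY_HOSTS

! 3. Move "inspect skinny" out of inspection_default and into the new class.
policy-map global_policy
 class inspection_default
  no inspect skinny
 class SKINNY_CLASS
  inspect skinny

! The default global policy is normally applied already; re-applying is harmless.
service-policy global_policy global

! Verification: Skinny inspection statistics should only count phone traffic,
! and the ACS replication connection on 2000 should stay up until it completes.
show service-policy inspect skinny
show conn | include 2000
```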

Syed,

Removed the skinny protocol from the inspection list and it worked like a dream! Thanks for the advice.

Panos

purohit_810
Level 5

Are you able to PING from One ACS to another ACS server?

Are you doing replication by server name or IP address?

If by server name: check your WINS IP addresses.

Which server OS are you using, e.g. Windows 2003 or 2008?

Check server's internal firewall.

The port that is required is 2002, as far as I know.

If you are able to open each server from the other by browser, you should be able to do replication.

Did you check whether replication is automatic or scheduled?

These are all, I think, enough for replication.

Check the switch's access-list.

Thanks,

Dharmesh Purohit
