5.2 Cisco ACS system alarm [Collector]
Hello
I have a problem with my ACS 5.2 General reports, if anyone can help would be great.
We have two ACS 5.2 primary and secondary. Both work fine, but have an alarm to the General reporting system.
list '(too long) value '.
I have attached the screenshot of this error.
At this point, we use GANYMEDE device of authentication only, no RADIUS. These servers are sync both conf are the same.
Don't know what exacly causing this system error, can anyone help on this.
Thank you
David
This has been observed when an accounting packet is received on the device of the ACS and lacks the attirbute class. However it is a cosmetic issue and there is no bug on this. If you want to have someone look at this and addressed if please collect newspapers of debugging at the level of DURATION and mgmt-acsview newspapers and open a service request on when the problem occurred.
You can do SSH to GBA, then issue the command acs-config, connection with web references, and then publish a newspaper of the show debugging, if all levels are set to warn, then issue-journal of debug runtime level perform a debugging, debugging acsview mgmt-debug log level.
Repeat for both servers, once the error is present, please download a package of support.
Please open a service with this information request and we will be more than happy to help.
Thank you
Tarik Admani
Tags: Cisco Security
Similar Questions
-
Failure alarm [Collector] store ACS5.1 (DCACSBGLR, TacacsAccounting)
Hello
Recently I sent ACS5.1 to a Subscriber. We often receive the following alarm in the Inbox.
Cisco Secure ACS - Alarm Notification
Severity: criticalName system alarm [Collector]
Failed to trigger/cause store (DCACSGKOL, TacacsAccounting)
Alarm details please see newspaper Collector for more detailsGenerated on Fri August 13-14:25:59 UTC 2010
Please suggest the solution in order to understand and to get rid of this alarm. Thank you...
Been checking autour and found more CDETS which seems to be related:
CSCte88357: ACS5.1 RADIUS Accounting Report is missing some attributes because of char NULL
This problem will certainly cause and failure store alarm although I can't confirm this is the same case.
If that's the question a fix is available in the hotfix rollup 5.1.0.44.3 available for download on ORC
-
Cisco ACS 5.3 patch 8 Volume OPT
Hello
We currently have 12 ACS unit with one of them being a dedicated newspaper collector. We have authentication of 802. 1 x configured for network and Wi - Fi ports. We are authenticating desktop, laptops, smart phones, etc. on our network.
The problem we have is the volume of the OPT exceeding 30% volume size recommended by Cisco TAC after a few months. We have recently added more resources on our network (fusion). We are now on the size of 30% in about 1 month.
In the past, we called Cisco TAC when we had problems with performance Log Collector. It's time was also authenticate clients 802.1 x. We have added a new device and is a dedicated Log Collector. They would check the volume of the OPT and to find that it was about 70% use the size. They launch the Console Root patch and delete the DB and then re-create. We did about 2 times before starting to monitor the size of the volume OPT.
This last time, we ran in the 30% the size of volume more rapid then we had previously. I got a Cisco TAC volume of the OPT to delete and recreate it.
Cisco TAC recommended that we reduce the amount of logs that are sent to the collector of the newspaper. We are currently investigating this option.
The questions I have is:
What percentage of size for the volume of the OPT should be concerned until it starts impacting on the performance of the Log Collector?
Is there another thing we can do to reduce the amount of logs that are sent to the Log Collector?
We have data purge set to 30 days. We are complete and incremental database backups. We also have local send logs to a Syslog server.
We test them make changes to send only AAA Audit logs and statistics system of Log Collector.
Thank you
In the distributed configuration, its recommended to set up a secondary server dedicated as a collector of newspaper. However you have a large deployment, so I'm sure that authentication rate would be too high causing Dungeon size view-basic data on the increase.
In order to avoid running out of disk space, we need to manage. This means identifying the files that are created and written by processes on the system, allocate a budget to space them as if the files remain in their budget all the services can be supported without interruption, then define and implement the necessary facilities so that these files in their budget.
There are two mechanisms to reduce this size and prevent it from exceeding the maximum limit.
1. air scan: this mechanism the data will be purged based on the retention period of data configured or arriving at the upper limit of the database. In Patch 6 new provided option to demand purging as well.
2. compress: this mechanism frees up unused space in the database without deleting all records. Before the compress option can only be performed manually. GBA 5.3 Patch 6 there are improvements so it will automatically work every day at a preset time, when specific criteria are met.
What percentage of size for the volume of the OPT should be concerned until it starts impacting on the performance of the Log Collector?
The TAC recommendations are right. You will be able to use all the ACS function if / opt is less than 30%.
Is there another thing we can do to reduce the amount of logs that are sent to the Log Collector?
It seems that you use most of the features/mechanisms to have / low opt. However, you may be interested to read more about scrub data and data compression improvements http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/release/notes/acs_54_rn.html
S ' Please use System Administration > Configuration > journal Configuration > Logging categories > Global to configure only the logs required the sending to the ACS View log-collector.
-Provide the cool screenshot of the page Configuration Monitoring > System Operations > Data Management > removal and backup.
-With the below listed command you can check real and physical terrain database size
ACS-config
Username: acsadmin
Password: *.
acsview show-dbsize
There are some known defects on the same subject. However, the version you use improves database management process.
CSCto47203: ACS 5 runs out of disk space
CSCua51804: see backup fails even when there is disk space
Jatin kone
-Does the rate of useful messages-
-
Problem with certifcate on Cisco ACS
We want to authenticate our internal wireless users using our Cisco ACS running 5.3. GBA questions our Active Directory environment for the user name and password provided. I created a CSR on GBA and it provided to Entrust. They gave me a root certificate, string and server. I've linked the server certificate to the CSR under System Administration > Local Server Certificates > local certificates. I then added the chain and the root certificates to the users of the site and identity stores > autorités. When I try to connect to a laptop client he asks a user name and password, but after entering this information, I am presented with the warning on this certificate below. This certificate is to Entrust and I see the certificate root in the root store on the laptop. Any ideas what would cause this. TAC does not seem to have all the answers. They say it's a problem of the client machine.
In case you want to check your configuration settings.
http://www.Cisco.com/en/us/products/ps10315/products_configuration_example09186a0080bd1100.shtml
~ BR
Jatin kone* Does the rate of useful messages *.
-
Cisco ACS SE "set ip" error: could not set up new NETWORK card configuration.
Hello
I get the error "error: could not set up new NETWORK card configuration." When I try to set the IP ACS SE.
When I called into the device image and tried to do an initial installation, the IP to not hold after the restart and went back to the default value.
I went by NetPro and apparently it is a common problem. One person it is solved re-imaging unit, but who has not worked for me.
Someone there with a solid solution? I use NIC 1 FYI.
EDD.
Ed,
Please make sure that if ACS is associated with active before setting Ethernet connection
or change the IP address of your ACS system engineer.
Kind regards
~ JG
-
Cisco ACS 4.1 for external advertising for authentication
Hello
We have just configured Cisco ACS 4.1 solution engine and using a Windows 2003 domain controller as a remote agent.we use as Protocol Ganymede.
Users that are created in ACS himself are able to connect to various network devices. but users in domain (active directory) can not connect. We get the access denied message. same time we get external DB is not operational message in ACS.
Active directory server where agent that runs in CSWINAgentlog, we get the following error 'NDLIB'... FOUND 0 TRUSTED DOMAIN.
Could you please help us to isolate the problem.
Thank you & best regards
Make sure that the worm of acs and remote agent software is the same. And also execution of remote agent account must have special domain administrator rights, like the act as part of operating system and log in as a service.
Kind regards
~ JG
-
Cisco ACS 4.2 1113 Recovery DVD
Nice day!
We have CSACSE-1113-k9 Cisco ACS 4.2 device 1113. And we need to reimage (restore the device to its original state). Can enyone help me with the correct link software.cisco.com image recovery DVDs?
I'm trying to find it, but I can't see recovery dvd:
Hello
As far as I know, you don't have the possibility to download cisco.com ACS recovery DVDs. You can contact Cisco TAC and they can publish the software for you.
Note If useful...
Kind regards
Kush
-
With the help of Cisco ACS 5.2 (GANYMEDE +) with other than Cisco devices
Hi all
I was hoping that someone could help me with what might be a silly question. I'm trying to implement a solution whereby an operator can control all their nodes (other than Cisco) network via GANYMEDE + involved nodes are
Juniper M10i running Junos 9.2, M120
M320 running Junos 8.5 Juniper
Extremes of BD8810 and BD8806 running 12.4.1.17 XOS
3804 Alpine extreme Extremeware 7.8.3.5 running
My question is, can I use Cisco ACS 5.2 (or 4.2) to authenticate using GANYMEDE + to these other than Cisco devices. Has anyone else done this or I have to use RADIUS? If someone has done this are problems of interoperability with Cisco CS and Junos or XOS extreme. Thank you
/ John
John,
We have a very large deployment of Juniper (T-series, series MX, etc.). We use Cisco ACS and GANYMEDE to manage these devices. The configuration of the ACS is fairly simple. You'll want to create users to connect and match them to the classes on your JUNOS routers. Here is an example:
set system login user uid of engineering 2000
Set system login user engineering genius-class class
set the connection user uid to NOC 2001 System
Set system login user AC AC-class classdefine the system connection Engineering-class idle-timeout 15
define a connection system class engineering-class permissions all
define the system connection AC-class idle-timeout 15
define the connection class AC system class view permissions
Set connection AC-class permissions see the system configurationWe use two classes of genius and NOC. One is defined as a read / write and the second read-only. This is in turn then mapped in ACS (in our case version 4.2) by user or group (preferred). First, you change the configuration of the interface and add a Ganymede junos-exec service and do not enter the Protocol field. Then, you change the attributes of the user group. I've attached screenshots for both on this subject.
Hope this helps.
Derek
-
Cisco ACS installation problem
Hello everyone.
I have Cisco acs 4.2 on windows 2008 64 bit installation and get a very strange error when installing. V: ismg_israel_acs it gives some encryption error.
Can someone please help me on this who have encountered the same problem. My project is stopped cause of it.
Thanks in advance.Sent by Cisco Support technique Android app
Hi Rizwan,
If you're upgrading some version prerequisites ACS then I think you get something like this V:\ismg_israel_acs\Acs\Crypto\init.cpp
You need to locate the old CryptoAPI container used by ACS, which may still be on the system. This is normally located in C:\Documents and Settings\username that installed ACS> \Application\Data\Microsoft\Crypto\RSA.
There will be one or more files will be very long filenames hexdecimal. You must identify the right one.
Open a command prompt in that folder and type "findstr /I CiscoSecure *.» ' * ' - the file name that appears should be the
old container of ACS.
Let me know if you will be able to search for any file.
~ BR
Jatin kone* Does the rate of useful messages *.
-
[Cisco ACS] Memory usage limit
Hello
We have 2 CSACS 1121 with Cisco ACS 5.2.0.26.10
The main server manages authentication 20000 + per day.
Its memory usage is growing every day.
It's now 83%
Is there a limit?
What happens when memory use reaches this limit?
What can we do to purge the memory usage? (reboot, restarting the service...)
Thanks for your help
Patrick
Check the secondary collector newspaper. This will help to balance the load between the two nodes and you will see the memory usage decreases.
Thank you
-
Cisco ACS 4.2: Question about the license...
Dear Sir
When I started this project, we start with the demo available on the Download Center on Cisco.
We have purchase a license and we expect the CD/DVD with the license.
But... How can I convert the 'demo' to a licensed version?
Should I reinstall Cisco ACS?
How the license is supplied, is a registry key? A small file?...?
Thanks in advance,
Make a backup of the current configuration, you want to keep it.
System configuration > backup ACS > backup now.
Then when you get the full version, just run the setup and it automatically detects the trial version, and invite you, if you want to keep the configuration or not, checks to keep the configuration and move forward. And you'll have improved trial full version.
There is not the registry keys concerned.
Kind regards
Prem
Please rate if this can help!
-
Cisco ACS 5.2 VMware 'Management' process hangs
Hello
We recently purchased the Cisco ACS 5.2 VMware must be installed on VMware ESXi 4.1. However, after commissioning the virtual machine with the requirements set out in the Cisco installation guide, GBA is unable to start properly.
We don't get messages visible error, but when checking on the process of the CSA, I see that the process of 'management' is suspended in the "initializing" State
Any ideas how to solve this problem?
Thank you
Gilbert
ESX 4.1 is not supported with ACS 5.1
Virtual Machine requirements
The minimum configuration for the virtual machine must be similar to the hardware configuration of the server series CSACS-1120.
Table 6-1 lists the minimum system requirements to install ACS 5.2 on a VMware virtual machine.
Table 6-1. minimum system requirements
Type of requirementMinimum requirementsCENTRAL PROCESSING UNIT
Intel Core2; 2.13 GHz
Memory
4 GB OF RAM
Hard drives
500 GB of disk storage
NIC
1 GB NETWORK interface
Hypervisor
VMware ESX 3.5 or 4.0
Installation of ACS 5.2 on VMware
Kind regards
Jousset
-
Cisco ACS 4.2: The most important to back up files?
Dear Sir
Can you tell me what are the most important files to back up in the Cisco ACS directory?
Currently, I am only backup (with Symantec Backup Exec):
C:\Program Files\CiscoSecure ACS v4.2\CSAuth\System backups
* But, I would like to know if my server crash, can I restore the entire configuration with the files listed in the directory below? (Users, groups, groups of devices, AD, mapping, users, groups,...)
* The Cisco ACS there change in the Windows registry?
* Is it necessary to reinstall the Cisco ACS, if I need to put in an emergency on a new server? I guess Yes, because the installation creates services, etc.
I ask this question because it takes time to install the patches...
* Or, can I save all the Cisco ACS directory... On a new server, install the Cisco ACS and restore the backup?
Thank you very much for giving me your experience about it.
Kind regards
You should back up the files that come from ACS backups, i.e.
System configuration > backup GBA, the location that is specified in this section.
And the default location is the one that already save for example "C:\Program Files\CiscoSecure ACS v4.2\CSAuth\System backups"
In case you are required to host ACS on a new server, you would be required to re - install the complete application of the CSA and then simply take the last backup and restore in the newly installed ACS. It will be to restore everything users, group etc. to etc. of the external database mappings.
When you install ACS on a new server, then make sure that if you run them Services ACS with a service account (this is required for the authentication of the window according to your requirement), you would be required to run new services with this account too, and which may require that go you through the following documentation.
Kind regards
Prem
Please rate if this can help!
-
Configuration of the Cisco ACS Radius
Hello
I'm trying to set up authentication radius on cisco ACS but short question. When I set up my group of network devices in the configuration of the AAA Client as one of ray device groups, my authentications fail with authentication as a failure code"
CS invalid password' but when I change my group of devices to "Unassigned", everything started working.
On my AAA client, when authentication fail, I see
Server RADIUS
audit package fails: Please note that the AAA client is a non-cisco device.
Any suggestions?
It seems that you run ACS 4.x. You are facing this problem because the key is set on the excessive rides of the level (Group of devices network XYZ in your case) NDG key at the level of the AAA client. Please make sure that you don't have different secret key on the client inside the NDG AAA and on the NDG himself.
Not affected is working because it has no key defined in the NDG.
"Each device that is assigned to the network device group will use the shared key you enter here. The key that has been attributed to the device when it has been added to the system is ignored. If the Enter key is null, the key of the AAA client is used. »
~ BR
Jatin kone* Does the rate of useful messages *.
-
The upgrade to Cisco ACS SE and Remote Agent
Hello
Currently we are upgrading the PDC to Windows Server 2008, Standard Edition R2.
I am little confused with information available for upgrade scenarios. Appearing on the current working versions.
Cisco ACS SE - version 4.1 Build 23 5 Patch 1
Cisco ACS Remote Agent version 4.2 (0.124)
The new operating system will work on 64-bit, I think that the current ACE SE and the remote agent can / must be upgraded.
My existing versions, give the possible scenarios of upgrade available for me. After that upgraded SE and Remote Agent should work for the 64 bit OS.
Thanks in advance!
Yes, it is not possible to upgrade the ACS ACS 5.2 existing to level 4.1. They are two different boxes run on a different platform.
Unfortunately ACS 4.x does not support windows 2008 r2.
5.2 ACS is the only option left, and you will need to buy a new box of seprate with the new licnese for this.
Concerning
Bellefroid
Note the useful messages
Maybe you are looking for
-
Today, I updated for Sierra and updated to the latest version of the Pages. Now I find that I am more able to select a line of text. When I try to do, I find myself with an insertion point where I stopped by selecting, but nothing is selected. This i
-
How to choose a group of mss separated from delete or move?
I just want to know how to select multiple messages, non-contiguous.
-
Can I upgrade my current MacBook Pro or buy a new one?
Model MacBook Pro 13 inch 2010 Processor 2.4 GHz Intel Core 2 Duo RAM 4 GB 1067 MHz DDR3 Graphics NVIDIA GeForce 320M 256 MB Storage HARD DRIVE 250 GB OS X 10.10.5 Yosemite Hi, I have looked at upgrading my current laptop with some much needed perfor
-
Satellite SA60-117 wireless lan
HelloSA60-117 is standard no adapter wireless network, but it has a location to place a mini-PCI - card (?), see at the bottom of the cover.It's a prop, you can buy and place later (where-of/how) or is it just for the other models SA60?Now I use a PC
-
Digital reading Pulse with PCIe 6509
Hi all I'm trying to decode an infrared control using the PCIe 6509, but I've no chance that a signal from a remote control. It seems that when I use the VI of change detection, it does not generate the interrupt, but it cannot produce enough it fast