ACS 5.3 view-logprocessor unguarded
Hi all
After an upgrade of ACS 5.1 to 5.3 the logprocessor view are not more.
I also installed the latest patch 5.3.0.40.1. Facilities are successful, but steal it view-logprocessor do not work.
Anyone have any suggestions to solve this problem.
Thanks a lot for your comments
René
Hi Rene
just for the others in the forum, the solution is to back up your real configuration of 5.x ACS and rebuild image the ACS unit with the ACS 5.3 ISO file. After that you can restore the previous backup and this will solve your problem.
Best regards
Dominic
Tags: Cisco Security
Similar Questions
-
ACS WORKS, BUT NOT THE GRAPHIC WEB INTERFACE
I have a worm ACS 5.4.0.46.7 running on a device, ACS-1121-K9. After the restart of a Win2008 controller it has stopped working and someone in my Department and restarted the ACS. It seems that authentications are working now, but I can't access the web gui. It answers ping and ssh. I did a web show acs-config-Interface and the display Interface has been disabled, I allowed him but it still does not work:
TBGACS02 / admin # show interface web-config-acs
interface of migration is disabled
the UCP interface is disabled
display interface is enabled
REST interface is disabledTBGACS02 / admin # display the status of the acs application
Role of the ACS: PRIMARY
Process of database ' ' running
Treat the race of 'management' (HTTP is insensitive)
Unguarded "runtime" process
"Adclient" process running
'Ntpd' running process
"View-database" running process
The "view-jobmanager" process execution failed
"View-alertmanager' running process
"Notice-collector' running process
"View-logprocessor' running processI could try to restart again, but I'd rather not if possible...
Hello
Can you try 'application acs stop' and then start CSA application and see if that solves the problem?
If this isn't the case, then I suggest to take a show technician and support bundle, prosecute with TAC.
Kind regards
Kanwal
Note: Please check if they are useful.
-
The physical size of ACS db is more than 50% of its actual size. (ACS version: 5.5.0.46)
Since the Migration to ACS 5.5.0.46 we continue to see the following message appears in the Inbox of alarm
Cisco Secure ACS alarm (REVIEW): the physical size of ACS db is more than 50% of its actual size.
Cisco Secure ACS - Alarm Notification
Severity: critical
Name of the alarm
System alarm [purge the database]
Cause/trigger
The physical size of ACS db is more than 50% of its actual size.
Alarm details
The physical size of ACS db is more than 50% of its actual size de.the size will be reduced after the purge ACS transaction log and compress ACS db.
September
Mon Mar 17 05:00:06 THIS 2014
ACS view Compression and backup database is set up and runs without error:
The work of backup stores a maximum of 4 months to a FTP server.
Backup: monthly
Incremental: weekly
DB: Compression enabled
Purge and incremental backup history Name Start Time End Time Status DatabasePurge-Job Mon Mar 17 04:00 THIS 2014 Mon Mar 17 04:00 THIS 2014 Completed as far as I can see the CLI avoid a DB oversized:
ACS21/acsadmin(config-ACS) # acsview show-dbsize
Actual size of DB (bytes): 1585192960
Real DB size (GBs): 1.48
DB size (bytes): 1605386240
Physical size DB (GBs): 1.5
Physical ACSviewlog file size (GBs): 0
Output ACS21/acsadmin(config-ACS) #.ACS21 / admin # display the status of the acs application
Role of the ACS: PRIMARY
Process of database ' ' running
'Management' running process
'Runtime' running process
"Adclient" process running
'Ntpd' running process
"View-database" running process
"View-jobmanager' running process
"View-alertmanager' running process
"Notice-collector' running process
"View-logprocessor' running processLooking at the user guide:
"The ACS database must be compressed during the maintenance operation. You can run the command acsview-db-compress acs-config mode to reduce the physical size of the database of view when there is a difference between the physical size and the actual size of the database to view. ACS 5.5 stops only the collector newspaper services during compress the operation and will be operational after the compression operation is complete. You must enable the recovery of the newspaper feature retrieve messages received during the compression of database operation.
In ACS 5.5, database compression operation is automated. You can check the box enable ACS view compress database to compress the ACS database view automatically daily at 05:00 the compression of database operation is executed every day automatically at 05:00 whenever needed. »
I tried to manually compress DB by "acsview-db-compress' with no effect.
Hello
You are running in the CSCum51180bug. The alarm should be a warning, not criticism and should be triggered only when the physical size is greater than the actual size of more than one gigabyte (in your case, the difference is very small, 1.5 vs 1.48).
The fix must be present on a future update.
Javier Henderson
Cisco Systems
-
ACS 5.3 - change device group or location error
I am trying to move a device from the default location to a subgroup and get the following message when I try (be it with IE or Firefox)
This failure has occurred: Index: 0, size: 0. your changes have not been saved. Click OK to return to the list page.
It also gives me the same error if I try to change the default device for a subgroup. I don't know that I could do before. The construction of the ACS is (installing VMWARE):
Deploying applications engine Cisco OS version: 1.2
ADE-OS Build Version: 1.2.0.228
ADE-OS System Architecture: i386Copyright (c) 2005-2009 by Cisco Systems, Inc.
All rights reserved.
HostName: ACS1Version information for the installed applications
---------------------------------------------Cisco ACS VERSION INFORMATION
-----------------------------
Version: 5.3.0.40
The identifier for the internal version: B.839I'm he suspect a problem reading/writing with the database or a corruption of the database. Can someone enlighten me on how to fix it please?
I stopped and started the acs application via the console application status and see the acs has this to say about himself.
ACS1 / admin # display the status of the acs application
Role of the ACS: PRIMARY
Process of database ' ' running
'Management' running process
'Runtime' running process
"View-database" running process
"View-jobmanager' running process
"View-alertmanager' running process
"Notice-collector' running process
"View-logprocessor' running processMel
Does this happen to small number of network devices or the entire
If the former, then I found the following CDETS
CSCtw59271 Corruption of device random network after upgrade of ACS 5.2 to 5.3
Which includes the following workaround solution
Symptom 1: Remove and re-add the AAA client
Symptom 2: changing the secret shared GANYMEDE + of the network device, enter the same key again and save the network device.
> Use when GANYMEDE + has been used
There are a few important fixes related to the upgrade of issues in patch 5 and later versions for ACS 5.3. While they didn't wear on NDs, I recommend not to install this patch
-
Connection Error 1120 ACS cisco acs 5.0 web gui
Hi all
I installed the unit acs 1120 as follows
entered in the installation in console mode command
aiinstalle licensevia gui mode
But when I access the gui mode it disconnect regularly
When I ping ping is successful and shows life 128
but after some time, the connection is estabalished and when I ping the TTL shows 64
can someone help with this problem
Thank you very much
Hello
I couldn't quite follow the description of your problem. Can clarify you the problem more in detail.
You then mention access to the ACS GUI mode it to disconnect regularly. You lose any IP to GBA connectivity, or is the problem only through the user interface?
Please can you include ACS cli:
view the status of the acs application
See the versionShow tech
Would also be relevant to see the output of 'display the acs application state"when the problem occurs.
Additional troubleshooting, the support beam will also relevant information during problem occurrence timestamp. You need to enable the debug logs, for ex:
GBA cli:
admin #conf t
exploitation forest admin (config) # loglevel 7
exit admin (config) #.
# acs admin - config
After a few seconds,.
You can then log in with the credentials of user/password for GUI of the CSA name.acsadmin(config-ACS) # debug level mgmt-acsview of-journal of debugging
acsadmin(config-ACS) # debug level to debug-log duration
output acsadmin(config-ACS) #.Following the appearance of the problem, the support beam then downloadable GUI Monitoring & Report Viewer > troubleshooting > ACS support Bundle.We will need to check on the timestamp of the problem newspapers.
But for now, more details about the problem seem necessary as well as the output display orders of cli ACS mentioned above.
Thank you
Alex
-
First and ACS View Server Integration
Can someone point me in the right direction for a good doc on implement first (1.3) with a display ACS (5.1) Server?
Guy: I was doing a little research on this topic and I just wanted to add that there is not much config, that we have to do on ths ACS.
All you have to have this command on ACS CLI "view of acs config-web-interface to activate".
On the first, we already have information ip and port view ACS server. In addition, include the first with ACS using a privileged account super admin. Default acsadmin has super admin rights, so we can use it on the preferred side or you can create a specific account on GBA and assign the super admin under system administrator rights > directors > accounts > new account.
Once this done, please try to shoot balls of NCS and let me know how it goes.
Jatin kone
-Does the rate of useful messages- -
View ACS ACS inconsistent Timestamp and Timestamp
Just putting online at ACS5.3.
See the table below some other times have no match, all time zones setup correctly in ACS and WLCs and ASAs devices
any ideas?
View ACS Timestamp
Timestamp of the ACS
RADIUS
StatusNAS
FailureDetails
Username
MAC/IP
AddressAccess service
Authentication
MethodNetwork device
The IP address of the NAS
NAS Port ID
CTS
Security groupBody of the CSA
Reason for failure
Sep 10, 12, 7:46:05.326 AM Sep 10, 12, 7:46:05.310 AM
wipbin_client 00-15-70-A8-E1-B9 All RADIUS users EAP-FAST (EAP-MSCHAPv2) DEVWLC01-GANYMEDE + _DEVWLC01 172.16.140.200 CHIACS71 Sep 10, 12, 7:41:21.943 AM Sep 10, 12, 7:41:21.930 AM
wipbin_client 00-15-70-A8-E1-B9 All RADIUS users EAP-FAST (EAP-MSCHAPv2) DEVWLC01-GANYMEDE + _DEVWLC01 172.16.140.200 CHIACS71 Sep 10, 12, 7:38:59.863 AM Sep 10, 12, 7:38:59.843 AM
wipbin_client 00-15-70-a8-E1-B9 All RADIUS users EAP-FAST (EAP-MSCHAPv2) DEVWLC01-GANYMEDE + _DEVWLC01 172.16.140.200 CHIACS71 Sep 10, 12, 7:35:33.410 AM 9:35:48.020 Sep 9.12 PM
chntando 124.189.181.77 All RADIUS users PAP_ASCII CHEPIX1_pix-barrier-fire 172.16.7.239 DRSACS71 Sep 10, 12, 7:34:34.560 AM Sep 10, 12, 7:34:34.536 AM
wipbin_client 00-15-70-A8-E1-B9 All RADIUS users EAP-FAST (EAP-MSCHAPv2) DEVWLC01-GANYMEDE + _DEVWLC01 172.16.140.200 CHIACS71 Sep 10, 12, 7:33:35.106 AM 9:33:49.710 Sep 9.12 PM
chjmcgif 138.217.68.1 All RADIUS users PAP_ASCII CHEPIX1_pix-barrier-fire 172.16.7.239 DRSACS71 Sep 10, 12, 7:32:53.423 AM 9:33:08.013 Sep 9.12 PM
Hello
Time differences seem to come from the DRSACS71 instance, is this server in a different time zone? View ACS timestamp is the time stamp of when the journal has been received for the collector of the surveillance, the timestamp of the ACS is the time that the event took place. You can issue a clock to show on both boxes to see if the minutes are the same?
Thank you
Tarik Admani
* Please note the useful messages *. -
Windows domain account to view reports / manage the ACS server.
All,
We have a Cisco ACS 5.2 deployment (device). It has existing integration with Active Directory. We use it with RADIUS to authenticate our users wireless and GANYMEDE to manage our network equipment.
RAY reports are useful for other teams (except my own) in order to resolve account lockouts and password (everyone forgets to change the password on his phone).
I would like to allow this team and other access to the report of RADIUS authentications.
I want them to be able to use their domain account to do this.<------- this="" is="" mandatory,="" based="" on="" our="" security="">
We tried using an account local and which works very well.
My system tells me that domain accounts cannot access the administrative parts of ACS.
Is this true?
We have the support to allow us to upgrade to the latest version of the ACS.
5.4 of the ACS, it is possible to authenticate and authorize the directors of external stores, including AD accounts
-
ACS 5.4 ASA 8.2.5 disable AAA for the particular user
Hello!
I want to disable journaling Ganymede + for the particular user. This user is used only for automated (python script) pooling of vpn tunnel ASA (limited command set - permission on ACS) group to verify the number of users authenticated via VPN. The problem is that this user generate a bunch of logs according to authentication authorization and accounting on ACS. Is there a solution, disable Ganymede + newspapers on ACS for this particular user? Maybe it is possible to modify the AAA on ASA to not connect this particular user?
Thanks in advance.
Hi Pawel,
You can create filters collection for that specific user. When you configure monitoring filters & Report Viewer does not record these events in the database.
Navigate to: Configuration of the analysis > System Configuration > filters Collection > add a filter
What follows is the attributes that can be used. You must use the user.
-Access service
-User
-Mac-add
-Nas - IP
Example: We get several hits of ASA by 'user' and we want ACS to ignore it. Create a filter by using the user. ACS must now ignore any attempt from the IP Address of the NAS.
Jatin kone
-Does the rate of useful messages- -
ACS server installation issues
I have a client of the remote site that is replacing their ACS servers and several questions:
(1) what version we should be installed?
(2) where we can get a clean binary installer (or do you start with 3.x or 4.0 & upgrade-if upgrade, use us the latest hotfix installer, or do we apply successive patches?)
(3) replication between versions? Current servers have version 4.1 (1) build 23 Patch 5-do these need to be upgraded to the current version, or can move us later & replicate current?
(4) is it possible to use different DNS (ex rtpacs.corpnet2.com) name for the site of 'real' server name (e.g. us2sawn00232.us1auth.xxxx.com)?
(5) how to use GSK signed cert? Have previously tried & failed - something special here?
Thanks for any help you can give.
RO
I have a remote site customer that is in the process of replacing their ACS servers,and have several questions:
1) What version should we be installing?
2) Where can we get a clean binary installer (or do we have to start with 3.x or 4.0 & upgrade-if upgrade, can we use latest patch installer, or do we have to apply successive patches?)
3) Cross-version replication? Current servers have Release 4.1(1) Build 23 Patch 5-do these need to be upgraded to current version, or can we install latest & replicate from current?
4) Is it possible to use different DNS name (ex rtpacs.corpnet2.com) for website than server's 'real' name (ex. us2sawn00232.us1auth.xxxx.com)?
5) How to use GSK-signed cert? Have tried previously & failed-anything special here?
Thanks for any help you can give.
RO
Hi Richard,
For your queries for replication ACS should be the same version, only then you can replicate between the ACS patner, if you have the same version, so your first and third query got the answer.
For your fourth query, you can use the DNS server to host your web servers as when the user access the traffic of your web site will land in your DNS server where it will redirect to the origin server so that the DNS server should be authority server for your Web site.
For a binary installation clear I would say check out this link http://openacs.org/forums/message-view?message_id=1245671 I hope this helps.
So useful note valauable post.
Concerning
Ganesh.H
-
Is it possible to get the admin of WCS users authenticated on GBA? I was not able to make it work and I found a page of FAQ http://www.cisco.com/en/US/products/ps6305/products_qanda_item09186a00807a60f0.shtml#apr6
say it is not supported. Is this correct? As I was not able to get the WCS to authenticate to the ACS. I don't get passed or failed attempts. The ACS is currently authenticate other users / devices and the GBA and WCS can both communicate with each other.
You can integrate the WCS and ACS for local users of WCS.
Add WCS to an ACS server:
http://www.Cisco.com/en/us/docs/wireless/WCS/5.2/configuration/guide/5_2admin.html#wpmkr1064286
Configuration of the server credentials ACS View:
http://www.Cisco.com/en/us/docs/wireless/WCS/5.2/configuration/guide/5_2mon.html#wpmkr1171779
Configuration of RADIUS servers:
http://www.Cisco.com/en/us/docs/wireless/WCS/5.2/configuration/guide/5_2admin.html#wpmkr1054014
GANYMEDE server configuration:
http://www.Cisco.com/en/us/docs/wireless/WCS/5.2/configuration/guide/5_2admin.html#wpmkr1053935
Import tasks in ACS:
http://www.Cisco.com/en/us/docs/wireless/WCS/5.2/configuration/guide/5_2admin.html#wpmkr1064285
-
What is the recommended size of repository to store saves the backups of ACS SNS-3415-K9, v5.4
Hello guys, we need your advice :),
do you know what is the recommended size of repository to store backups of logs of ACS SNS-3415-K9 (v5.4.0.46.0a software)?
We intend to create an FTP server to record a monthly full backup and an incremental backup daily.
We would like to consider the worst case in which ACS View Database is complete and a full backup is required and daily incremental backups.
In the second period, we would appreciate really any advice on how to maintain, say, only the last 2 full backups and all the related incremental backups in the FTP server, is there a way to automate the removal of the oldest backup when a new backup is generated?
Thanks in advance!
Hi Rodrigo,
Honestly, there is not a suggested size of space available to FTP/SFTP server used as the size of your backups of data base of progressive and complete view depend on 100% of the amount of newspapers ACS server receives every day, so what I would suggest to take a look at a couple of incremental for 2 consecutive days and would help you to determine what would be the amount that you need for a period of 30 days (one month).
And associated with your concern if the ACS would supports the option to manually maintain the last 2 full backups view, unfortunately, it is not available as an option.
-
The server is running Windows 2003 SP2 and due to a problem it has restarted. After you restart all services stopped working.
CSAdmin, CSMon, and CSRadius hanging in State and case of departure in shutdown state. When I program the startuptype manual and began these services
I got "failed to start the CSAdmin service on Local computer. Error 1053, that service has not responded to the application launch or control in a timely. "
For the service case, it gives the error message "the service of cases on Local computer started and then stopped. Some service automatically stop if they
"no work to do, for example, the service logs and alerts.
In the eventviewer it shows "the description for the event (1) in Source (CiscoAAA) ID is not found. The local computer may not have the information necessary registry or message DLL files to display messages from a remote computer. You may be able to use the option/auxsource = flag to retrieve this description; For more information, see Help and Support. The following information is part of the event: CSAdmin, cannot initialize SchemeLayer, 74. »
While the automatic startup type event viewer displays error below.
"The description for the event (1) in Source (acs) ID is not found. The local computer may not have the information necessary registry or message DLL files to display messages from a remote computer. You may be able to use the option/auxsource = flag to retrieve this description; For more information, see Help and Support. The following information is part of the event: * ERROR * failed Assertion: 103401 (9.0.0.1271)
Could not open the file (C:\Program Files\CiscoSecure ACS v4.2\CSDB\acs.db) who previously opened successfully; error = 32. the description for the event (1) in Source (acs) ID was not found. The local computer may not have the information necessary registry or message DLL files to display messages from a remote computer. You may be able to use the option/auxsource = flag to retrieve this description; For more information, see Help and Support. The following information is part of the event: * ERROR * failed Assertion: 103401 (9.0.0.1271)
Could not open the file (C:\Program Files\CiscoSecure ACS v4.2\CSDB\acs.db) who previously opened successfully; error = 32. »Please help me solve this problem.
Thank you
Since we had no access to the ACS server. We tried to take backup of csutil but there was the schemalayer error message. As we stopped AV, logs files removed from the directory, killed services stuck from the Task Manager and restarting the server. If it's still not allowing you to restart services, most likely you need to take backup, uninstall the ACS server and reinstall the same version of ACS, followed by restore.
~ BR
Jatin kone* Does the rate of useful messages *.
-
With the help of Cisco ACS 5.2 (GANYMEDE +) with other than Cisco devices
Hi all
I was hoping that someone could help me with what might be a silly question. I'm trying to implement a solution whereby an operator can control all their nodes (other than Cisco) network via GANYMEDE + involved nodes are
Juniper M10i running Junos 9.2, M120
M320 running Junos 8.5 Juniper
Extremes of BD8810 and BD8806 running 12.4.1.17 XOS
3804 Alpine extreme Extremeware 7.8.3.5 running
My question is, can I use Cisco ACS 5.2 (or 4.2) to authenticate using GANYMEDE + to these other than Cisco devices. Has anyone else done this or I have to use RADIUS? If someone has done this are problems of interoperability with Cisco CS and Junos or XOS extreme. Thank you
/ John
John,
We have a very large deployment of Juniper (T-series, series MX, etc.). We use Cisco ACS and GANYMEDE to manage these devices. The configuration of the ACS is fairly simple. You'll want to create users to connect and match them to the classes on your JUNOS routers. Here is an example:
set system login user uid of engineering 2000
Set system login user engineering genius-class class
set the connection user uid to NOC 2001 System
Set system login user AC AC-class classdefine the system connection Engineering-class idle-timeout 15
define a connection system class engineering-class permissions all
define the system connection AC-class idle-timeout 15
define the connection class AC system class view permissions
Set connection AC-class permissions see the system configurationWe use two classes of genius and NOC. One is defined as a read / write and the second read-only. This is in turn then mapped in ACS (in our case version 4.2) by user or group (preferred). First, you change the configuration of the interface and add a Ganymede junos-exec service and do not enter the Protocol field. Then, you change the attributes of the user group. I've attached screenshots for both on this subject.
Hope this helps.
Derek
-
ACS 5.6.0.22.2 upgrade. CAN´t add an application to the dashboard
Hello
I ve ACS updated Version 5.6.0.22.2. Now i´cant add an application like ONLINE AUTHENTICATION to the dashboard. I always get an error message.
'Setup the page is temporarily unavailable.
The same phenomenon occurs after the installation of a new comprehensive EC in VMWARE. Tried with FIREFOX, IE and GOOGLE CROME
Best regards Horst
Add a dashboard application view ACS 5.x error
Maybe you are looking for
-
What info Skype collects on our PC/laptop?
What info Skype collects on our PC/laptop? I mean a technique.I am particularly interested if he gets the serial number of our laptop that we used to connect.
-
How to enable a connection to SQL Denali remotely?
How to enable a connection to SQL Denali remotely?
-
product # NQ202PA: help! I forgot my bios password on mini 1000
He had originally windows XP. It had a password on the bios, even then, I installed a windows 7 pro 32-bit. Now, completely forgot the password of the bios. Any way to reset the password does not erase windows 7? Tried to remove the CMOS battery it l
-
whenever I try to save an image on the internet file I get an error message saying 'cannot create the file because of the c:\windows\system32\mshtml.hlp' not being installed and I have to reinstall it. but I couldn't find it on the site of pe windows
-
Fractional amounts with spreadsheet works8
For a total of for example = sum(A1:E1). If the total is a fraction, it rounds up to the next higher number. How can I display the total fractional correct?