ACS 5.4 alarm notification question

Any time I connect to the ACS with my Active Directory user ID to manage or view reports, we immediately get the following alarm.  I could dig but must be dominant, which is the cause.  Any suggestions?

This is a known issue and has been fixed in ACS 5.4 patch 3 and later versions.

CSCue33753: "Too long value" error seen on dashboard

Symptom:

The following error message appears when you view the ACS 5 dashboard:

Too long value (hosrv66, AdminAdvancedAccess)

Please see Collector log for more details

Conditions:

This problem affects ACS 5.4 when using Windows AD as the external database.

Workaround:

The error appears when the number of characters in the Windows AD groups list exceeds 1024 bytes. It is cosmetic in nature, because only the display of the report is affected. The actual AD group matching within policies takes the complete list into account.

More information:

~ BR
Jatin kone

* Do rate helpful posts *

Tags: Cisco Security

Similar Questions

  • Smart talkband is not an alarm sound for notifications and calls

    Dear friends
    I have a Sony Talkband 2 which I use with a Huawei Mate 7 phone. All options are OK, but I don't have audio for notifications and calls and have only vibration. So I want to know what happens when I press the volume keys?

    Yes, I have and never had audio notifications unless you put it to load or you get a prize for having reached the steps or calories (first band should be on the volume).

  • Notifications: Question of consequences

    I have an application that registers itself with the BB notification system so that it appears in the profiles. I also raise notifications by simply calling triggerimmediateevent. These two are easy. It seems that the LED remains lit, though, even after the user dismisses the notification. I guess I have to register a consequence for this, make an object accordingly and set the stopNotification method to disable the LED. Does this need to be done? I have gone through the sample notification application but cannot understand it. It looks like there is a new event every time and a new result object each time. And then all sync and byte it. It seems too complicated for my simple needs. Is there a simple way to have only one notification that I use to call the stopNotification method when the notification is canceled by the user?

    I use static references to the notifications.
    I use fire() to trigger one and cancel() for Cancel.

  • ACS 5.4 AD join strange issue

    Hello

    We have two ACS boxes with the same software version (5.4.0.46.0a). We were able to join only one ACS to the domain; the other ACS gives the attached error.

    When we ran "main-acs-01 / admin # acs troubleshooting adcheck", it gave the same errors on both boxes; however, one ACS successfully joined the domain and the other failed.

    principal-acs-01 / admin # acs troubleshooting adcheck<>

    This command is only for advanced troubleshooting and could suffer a lot of network traffic

    Do you want to continue?  (yes/no) Yes

    OSCHK: Check that it is operating system: pass

    PATCH: Patch Linux check: pass

    PERL: Check that perl is present and is a good version: pass

    SAMBA: Inspection of the installation of Samba: pass

    SPACECHK: Check if there is enough space in/var/usr/tmp: pass

    HOSTNAME: Check the hostname parameter: pass

    NSHOSTS: Check the hosts line in /etc/nsswitch.conf: pass

    DNSPROBE: Probe Server DNS 172.24.1.1: pass

    DNSPROBE: Probe Server DNS 172.24.1.2: pass

    DNSCHECK: Analyze the health of DNS servers database: pass

    WHATSSH: Is it a SSH DirectControl works perfectly with: pass

    SSH: SSHD version and configuration: Note

    : You are running OpenSSH_5.3p1, CiscoSSL 0.9.8r.1.3.

    DOMNAME: Check that the domain name is reasonable: pass

    ADDC: Search for domain controllers in the DNS: pass

    ADDNS: Search DNS DC xxxx.                      : Pass

    ADPORT: Scan of Port DC xxxx.                       : Pass

    ADDNS: Search DNS DC xxxx.                     : Pass

    ADPORT: Scan of Port DC xxxx.                      : Pass

    ADDNS: Search DNS DC xxxx.                      : Failed

    : Could not resolve the IP address of xxxx.hmc.org.qa.

    ADDNS: Search DNS DC xxxx.                      : Pass

    ADPORT: Scan of Port DC xxxx.                       : Pass

    ADDNS: Search DNS DC xxxx.                   : Pass

    ADPORT: Scan of Port DC xxxx.                    : Pass

    ADDNS: Search DNS DC xxxx.                     : Pass

    ADPORT: Scan of Port DC xxxx.                      : Warning

    : One or several ports did not respond correctly. Either:

    (: a) the domain controller is offline

    (: b) a firewall prevents access to a port

    : The following is a list of ports has failed:

    : ldap 389/udp - timeout

    : 445/tcp smb - denied

    : ldap 389/tcp - denied

    ADDNS: Search DNS DC xxxx.                        : Pass

    ADPORT: Scan of Port DC xxxx.                         : Pass

    ADDNS: Search DNS DC xxxx.                        : Pass

    ADPORT: Scan of Port DC xxxx.                         : Pass

    ADDNS: Search DNS DC xxxx.                           : Pass

    ADPORT: Scan of Port DC xxxx.                            : Pass

    ADDNS: Search DNS DC xxxx.                    : Pass

    ADPORT: Scan of Port DC xxxx.                     : Pass

    ADDNS: Search DNS DC xxxx.                      : Pass

    GCPORT: Port scan of GC xxxx.                       : Pass

    ADDNS: Search DNS DC xxxx.                     : Pass

    GCPORT: Port scan of GC xxxx.                      : Pass

    ADDNS: Search DNS DC xxxx.                      : Failed

    : Could not resolve the IP address of airportdc1. .

    ADDNS: Search DNS DC xxxx.                      : Pass

    GCPORT: Port scan of GC xxxx.                       : Pass

    ADDNS: Search DNS DC xxxx.                   : Pass

    GCPORT: Port scan of GC xxxx.                    : Pass

    ADDNS: Search DNS DC xxxx.                     : Pass

    GCPORT: Port scan of GC xxxx. : WARNING

    : One or several ports did not respond correctly. Either:

    (: a) the GC is offline now

    (: b) a firewall prevents access to a port

    : The following is a list of ports has failed:

    : gc 3268/tcp - denied

    ADDNS: Search DNS DC xxxx.                        : Pass

    GCPORT: Port scan of GC xxxx.                         : Pass

    ADDNS: Search DNS DC xxxx.                        : Pass

    GCPORT: Port scan of GC xxxx.                         : Pass

    ADDNS: Search DNS DC xxxx.                           : Pass

    GCPORT: Scan of Port GC xxxx : pass

    ADDNS: Search DNS DC xxxx.                    : Pass

    GCPORT: Port scan of GC xxxx.                     : Pass

    ADGC: Check Global catalog servers: spend

    DCUP: Search for operational controllers : pass

    SITEUP: Check DCs for in our site: go

    DNSSYM: Check the symmetry of DNS server: pass

    ADSITE: Verify that the subnet of this machine is in a site known as AD: pass

    GSITE: See if we think it is the correct site: pass

    TIME: Synchronization of clocks Check: pass

    2 serious issues have been encountered during the audit. These must be fixed before proceeding

    2 warnings were encountered during the audit. We recommend that you check these before proceeding

    principal-acs-01 / admin #.

    Has anyone faced this problem before? I would be grateful if someone could tell me how to solve it.

    It is a known issue with ACS 5.3. However, we had this problem in ACS 5.3 patch 7 and ACS 5.4.

    Since you're on ACS 5.4, it should not trigger.

    CSCtx53223: After upgrade to 5.3, ACS fails to join the AD domain - missing Centrify license

    Symptom:

    After the upgrade from 5.2 to 5.3, ACS is unable to join the domain. The AD connection worked for several days, until the services were restarted. After this, ACS is unable to join AD, with the following error message in ACSADAgent.log:

    Jan 20 02:36:32 CBR1BACS01 Bordes [6814]: DEBUGGING cli.adjoin Join to area is permitted only with a licensed copy of DirectControl. Obtain a license or learn more about Centrify following http://www.centrify.com/express

    Jan 20 02:36:32 CBR1BACS01 Bordes [6814]: DEBUGGING cli.adjoin without a permit, you can connect to a domain via Auto Zone by specifying Bordes w Test.Test

    Conditions:

    Upgrade from 5.2 to 5.3. Restart the services thereafter.

    Workaround:

    Back up the ACS db and reimage the box to 5.3.

    How did you upgrade to ACS 5.4?

    1.] Upgraded from 5.3 to 5.4 using the upgrade package.

    2.] Reimaged with the ACS 5.4 ISO and restored the ACS 5.3 database.

    I suggest you open a TAC case on this. [Most likely you must reimage the server and restore the database if you went with option 1.]

    ~ BR
    Jatin kone

    * Do rate helpful posts *

  • Email Notifications question

    Hello

    I have recently subscribed to an account on communities.vmware.com.   After that, I changed my email notification preferences and set only 'automatically receive notifications for all discussions I create' to 'yes'.   I also posted a discussion question in the VMware Workstation community that has not generated any response.

    Currently, I get lots of emails on unrelated discussions that I have not answered or Insider.   I see currently more than 20-40 emails a day, which is becoming extremely annoying.

    Can someone help me stop the emails being sent for discussions I did not participate in?

    Thank you

    Karl0272

    It seems that you have registered to receive notifications for a community, such as vSphere or Fusion or such. Then whenever someone posts in the community, you will get an email with their message.

    Here is where you can manage your email subscriptions. Mouse over your name and click on "Profile" in the drop-down list.

    On the resulting page, click on "manage notifications by e-mail".

    Now you can remove all unwanted subscriptions. If you just want to see them for a particular type of subscription, such as the subscriptions of the community or subscriptions to specific users, you can use the drop-down menu 'Filter' to select what you had as shown.

    Let me know if this can help,

    Alex

  • alarm e-mail notification does not

    According to http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1004070:

    The ability to send mail can be limited in that anonymous e-mail is not allowed or specific user accounts are required to send an email. If this is the case, a rule must be created to allow the VirtualCenter server to send email, because there is currently no way to configure SMTP authentication with VirtualCenter.

    1. is there an informal way to configure vCenter to send an email with authentication through the service console?

    2. is there a way to configure Zimbra to allow vCenter send emails without having to authenticate?

    ' 2. is there a way to configure Zimbra to allow vCenter send emails without having to authenticate?

    This can help:

    http://wiki.Zimbra.com/wiki/ZimbraMtaMyNetworks

    Rich

  • Failure alarm [Collector] store ACS5.1 (DCACSBGLR, TacacsAccounting)

    Hello

    Recently I sent ACS5.1 to a Subscriber. We often receive the following alarm in the Inbox.

    Cisco Secure ACS - Alarm Notification
    Severity: critical

    Alarm name: System alarm [Collector]
    Cause/trigger: Failed to store (DCACSGKOL, TacacsAccounting)
    Alarm details: Please see Collector log for more details

    Generated on: Fri August 13 14:25:59 UTC 2010

    Please suggest the solution in order to understand and to get rid of this alarm. Thank you...

    Been checking around and found more CDETS which seem to be related:

    CSCte88357: ACS5.1 RADIUS Accounting Report is missing some attributes because of NULL char

    This problem will certainly cause a store failure alarm, although I can't confirm this is the same case.

    If that's the issue, a fix is available in hotfix rollup 5.1.0.44.3, available for download on ORC.

  • The physical size of ACS db is more than 50% of its actual size. (ACS version: 5.5.0.46)

    Since the migration to ACS 5.5.0.46 we keep seeing the following message in the alarm inbox:

    Cisco Secure ACS alarm (REVIEW): the physical size of ACS db is more than 50% of its actual size.

    Cisco Secure ACS - Alarm Notification

    Severity: critical

     

    Name of the alarm

    System alarm [purge the database]

    Cause/trigger

    The physical size of ACS db is more than 50% of its actual size.

    Alarm details

    The physical size of ACS db is more than 50% of its actual size. The size will be reduced after the ACS transaction log is purged and the ACS db is compressed.

    September

    Mon Mar 17 05:00:06 THIS 2014

    ACS view Compression and backup database is set up and runs without error:

    The work of backup stores a maximum of 4 months to a FTP server.

    Backup: monthly

    Incremental: weekly

    DB: Compression enabled

    Purge and incremental backup history   
    Name Start Time End Time Status
    DatabasePurge-Job Mon Mar 17 04:00 THIS 2014 Mon Mar 17 04:00 THIS 2014 Completed

    As far as I can see from the CLI, the DB is not oversized:

    ACS21/acsadmin(config-ACS) # acsview show-dbsize
    Actual size of DB (bytes): 1585192960
    Real DB size (GBs): 1.48
    DB size (bytes): 1605386240
    Physical size DB (GBs): 1.5
    Physical ACSviewlog file size (GBs): 0
    Output ACS21/acsadmin(config-ACS) #.

    ACS21 / admin # display the status of the acs application

    Role of the ACS: PRIMARY

    Process of database ' ' running
    'Management' running process
    'Runtime' running process
    "Adclient" process running
    'Ntpd' running process
    "View-database" running process
    "View-jobmanager' running process
    "View-alertmanager' running process
    "Notice-collector' running process
    "View-logprocessor' running process

    Looking at the user guide:

    http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-5/user/guide/acsuserguide/viewer_sys_ops.html#wp1065174

    "The ACS database must be compressed as part of the maintenance operation. You can run the command acsview-db-compress in acs-config mode to reduce the physical size of the view database when there is a difference between the physical size and the actual size of the view database. ACS 5.5 stops only the log collector services during the compress operation, and they will be operational again after the compress operation is complete. You must enable the log recovery feature to retrieve the log messages received during the database compress operation.

    In ACS 5.5, the database compress operation is automated. You can check the Enable ACS View Database compress check box to compress the ACS view database automatically every day at 05:00. The database compress operation is executed automatically every day at 05:00 whenever needed."

    I tried to manually compress the DB with "acsview-db-compress", with no effect.

    Hello

    You are running into bug CSCum51180. The alarm should be a warning, not critical, and should be triggered only when the physical size is greater than the actual size by more than one gigabyte (in your case, the difference is very small, 1.5 vs 1.48).

    The fix must be present on a future update.

    Javier Henderson

    Cisco Systems

  • VeriStand alarms

    I set an alarm to trip on a system E-stop. I look at the bit for the lack of a camera and trigger a procedure when it is out of limits. The problem is that the alarm message does not always pop up. The action that is triggered on another channel seems to work. Is this a known problem or am I doing something wrong here? Where can I get detailed information about the configuration of alarms?

    JY

    Does the dialog box sometimes pop up, and sometimes not?

    If so, this might have to do with the speed at which your triggered procedure resets the alarm. The workspace polls some system channels at 5 Hz to see if any alarms are active. If so, it looks up the alarm ID stored in the appropriate system channel and displays a dialog for this alarm.

    The problem that could happen is if your alarm trips and then resets within a time window of 200 ms. In this case the workspace can read the untriggered state, wait 200 ms and then read the untriggered state once again, having missed the alarm trip.

    One thing to try would be to modify your procedure and add a step of Dwell (0.3) before resetting the alarm. It is much more likely to give the workspace a large enough time window to recognize the alarm was triggered and display the dialog box.

  • ACS server installation issues

    I have a remote site customer that is in the process of replacing their ACS servers,and have several questions:

    1) What version should we be installing?

    2) Where can we get a clean binary installer (or do we have to start with 3.x or 4.0 & upgrade-if upgrade, can we use latest patch installer, or do we have   to apply successive patches?)

    3) Cross-version replication? Current servers have Release 4.1(1) Build 23 Patch 5-do these need to be upgraded to current version, or can we install latest & replicate from current?

    4) Is it possible to use different DNS name (ex rtpacs.corpnet2.com) for website than server's 'real' name (ex. us2sawn00232.us1auth.xxxx.com)?

    5) How to use GSK-signed cert? Have tried previously & failed-anything special here?

    Thanks for any help you can give.

    RO

    Hi Richard,

    For your queries on replication: ACS should be the same version; only then can you replicate between the ACS partners. If you have the same version you can replicate, so your first and third queries are answered.

    For your fourth query, you can use the DNS server to host your web servers, as when the user accesses your web site the traffic will land on your DNS server, where it will be redirected to the origin server, so the DNS server should be the authoritative server for your web site.

    For a clean binary installation I would say check out this link: http://openacs.org/forums/message-view?message_id=1245671 I hope this helps.

    Do rate useful and valuable posts.

    Regards

    Ganesh.H

  • WLC with ACS 5.1 (RADIUS) for management * AND * Network users

    Hello

    I have RADIUS authentication set up for network users AND management on my NM-WLC (currently running 5.2) against ACS 5.1.

    My question is:

    For users to log in as Admin, I need to return "Service-Type = Administrative-User" in order to make it work.

    Because the ACS sees all requests from the same device (WLC) for Admin and network users, the way I currently handle it is by creating a filter based on the user name.

    Thus, users that contain 'admin' in their ID use a Network Access authorization policy rule that has an authorization profile with the RADIUS attributes associated.

    Normal users have a different "Network Access authorization policy" rule, with a different profile.

    While this DOES WORK fine, I was still wondering if there is a better way to do it, rather than creating a rule based on the user name.

    I could use TACACS+ for the management, but I don't think that ACS allows the same AAA client (WLC) to use both protocols.

    Thank you

    I think it's something very common to do.

    You may notice that ACS 5 comes preinstalled with a service selection policy that differentiates requests based on protocol and selects the 'Default Network Access' or 'Default Device Admin' service out of the box.

    If you want only RADIUS, you can either disable or delete the rule for TACACS+ requests, or not select TACACS+ in the device definitions.

  • create an alarm to be notified when oracle db is shutdown

    Hello

    On 5.5.4, we monitor an Oracle database. How do I configure a notification so that I am notified when the Oracle db is shut down?

    In help, I saw this:

    Foglight for Oracle configuration alarms for Email Notification

    To configure Foglight for Oracle email notification:

    1. Select dashboards > Administration > rules & Notifications > manage registry Variables.

    2. In the filter by the Variable name field, enter the string dbo-email to only display the email related variable notifications.

    But do not know how to change them to receive an email when oracle db is stopped.

    A tutorial that shows with an example?

    in the Configuration Guide and Administration Foglight 5.5.4 I do not see any chapter to this topic.

    Thank you.

    Guy,

    You start by specifying a mail server in Foglight.

    Under the houses > welcome edge > configure alarms reporting and power outages

    and then configure e-mail settings

    Configure the mail server

    then set the DB admin user

    Golan

  • Restriction of VPN AnyConnect Source (Caller-ID)

    Hi all

    I was wondering if it is possible on the ACS or ASA to restrict access to a group policy according to the IP address they come from? For example, I want home users to connect to the external interface of the firewall and authenticate with a token, but if they are in the office to connect to the internal interface and just use LDAP. Both of these options work, but this does not prevent someone at home from authenticating against LDAP from home. I know that RADIUS has the Caller-ID field that has the IP address of the authenticating device. I was wondering if it is possible to use this information on the ASA or ACS to add the control I need. Any ideas?

    Kind regards

    Mike

    Hi Michael,

    you have several options:

    - The ASA indeed sends 2 attributes to a RADIUS server that contain the IP address of the client. This is the 'debug RADIUS' output when I connect from a client with the IP 192.168.0.98:

    RADIUS: Type = 31 (0x1F) Calling-Station-Id
    RADIUS: Length = 14 (0x0E)
    RADIUS: Value (String) =
    31 39 32 2e 31 36 38 2e 30 2e 39 38 |  192.168.0.98
    ...

    RADIUS: Type = 66 (0x42) Tunnel-Client-Endpoint
    RADIUS: Length = 14 (0x0E)
    RADIUS: Value (String) =
    31 39 32 2e 31 36 38 2e 30 2e 39 38 |  192.168.0.98

    Now, whether you can configure ACS to generate a different response based on the value of Calling-Station-Id or Tunnel-Client-Endpoint, I don't know (I mean I'm sure you can, but it's been a while since I did anything fancy on ACS); you can ask this question in the AAA forum.

    - If you want the ASA to make the decision, you can do this with CSD (Cisco Secure Desktop - requires a license). CSD lets you create policies based on characteristics of the endpoint (client) such as the version of the antivirus installed, but also the IP address of the client. You may need to use it in combination with DAP (dynamic access policy) to allow/deny access to a certain group, based on CSD endpoint criteria.

    - But for the specific scenario you describe, you might be able to solve this problem by simply specifying the interface in the authentication server group.

    That is, if you currently have

    tunnel-group inside general-attributes
    authentication-server-group MyLDAP

    you can change this to:

    tunnel-group inside general-attributes
    authentication-server-group (inside) MyLDAP

    This will cause LDAP to be used only for connections from the inside. Other connections will use LOCAL (so anyone with an account on the ASA will always be able to connect from outside to this group - in order to avoid that you can create a new aaa server group with a non-existent server and use it for external authentication).

    Or maybe merge your 2 existing groups into a single one:

    tunnel-group anywhere general-attributes
    authentication-server-group (inside) MyLDAP
    authentication-server-group (outside) MyTokenServer

    HTH

    Herbert
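
The first option in the answer above (deciding on the RADIUS side from Calling-Station-Id or Tunnel-Client-Endpoint) comes down to decoding those two attributes and mapping the client address to an authentication source. This is an added Python example, not part of the original posts and not ACS or ASA code; `OFFICE_NETS`, the function names and the sample packets are assumptions made for the illustration, while the server group names are the ones used in the answer.

```python
import ipaddress

CALLING_STATION_ID = 31       # RFC 2865
TUNNEL_CLIENT_ENDPOINT = 66   # RFC 2868

# Assumption: the office address space. Not from the thread; use real ranges.
OFFICE_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_attributes(data: bytes):
    """Split a RADIUS attribute list into (type, value) pairs.

    Each attribute is Type (1 byte), Length (1 byte, counting the 2 header
    bytes as well), Value. That is why the debug shows Length = 14 for the
    12-character string "192.168.0.98".
    """
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError(f"bad length {alen} for attribute type {atype}")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def client_ip(attrs):
    """Return the client address from attribute 31, else 66, else None."""
    for wanted in (CALLING_STATION_ID, TUNNEL_CLIENT_ENDPOINT):
        for atype, value in attrs:
            if atype != wanted:
                continue
            # RFC 2868: a first octet of 0x00-0x1F is a tunnel tag, not text.
            if atype == TUNNEL_CLIENT_ENDPOINT and value and value[0] <= 0x1F:
                value = value[1:]
            try:
                return ipaddress.ip_address(value.decode("ascii"))
            except (UnicodeDecodeError, ValueError):
                continue  # e.g. a MAC address or phone number, not an IP
    return None


def required_server_group(data: bytes, office_nets=OFFICE_NETS) -> str:
    """Pick the authentication source for a request, failing closed."""
    ip = client_ip(parse_attributes(data))
    if ip is not None and any(ip in net for net in office_nets):
        return "MyLDAP"
    return "MyTokenServer"  # unknown or external source: require the token


def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute (helper for the constructed samples below)."""
    return bytes([atype, len(value) + 2]) + value


# Constructed samples. The first mirrors the two attributes in the debug output.
FROM_DEBUG = attr(31, b"192.168.0.98") + attr(66, b"192.168.0.98")
FROM_OFFICE = attr(31, b"10.20.30.40")
TAGGED_ONLY = attr(66, b"\x01" + b"10.20.30.40")
NOT_AN_IP = attr(31, b"00-11-22-33-44-55")

if __name__ == "__main__":
    for name, pkt in [("debug", FROM_DEBUG), ("office", FROM_OFFICE),
                      ("tagged", TAGGED_ONLY), ("mac", NOT_AN_IP)]:
        print(name, client_ip(parse_attributes(pkt)), required_server_group(pkt))
```

Both attributes are filled in by the device that forwards the request, so a rule like this is only as trustworthy as the set of AAA clients allowed to talk to the RADIUS server.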

  • Alarm Notification Cisco ACS 5.8.1

    Hello

    Does anyone know what the alarm notification below means?

    Active Directory is still joined, but one of the AD forests was unavailable yesterday. I tried show logging, but no log shows the issue.

    Appreciate for your answers.

    Thank you.

    Arie

    Hi Arie,

    Does AD server mean just the DC?

    Domain discovery will identify the DCs (secondary, primary etc.) according to their response. ACS will use domain discovery to find the response from the DCs; whichever DC responds quickly, it will use.

    ACS will automatically change the DC (secondary, primary etc.) according to their response.

    If the primary DC responds slowly compared to the secondary, then ACS automatically uses the secondary DC.

    Thank you

    Catherine

    Please evaluate the useful messages and mark the correct answers.

  • Can you do email notifications operate more like alarms?

    My company has field technicians who are all equipped with iPhone 5Cs currently running iOS 9.2.1. My company has a round-the-clock alarm system, and the system is capable of sending these messages as emails. Our network operations center is doing away with 24/7 staffed operation, so these alarms will have to go directly to the technicians at home on their phones. These email notifications must be loud and proud enough to wake up our technicians in the field at any time of the night.

    My question is: is it possible that you can make the ring as an alarm email notifications, you have to disregard/recognize, as a wake-up function?

    I was shared around with the VIP alert settings in the Mail application, but it seems to me that you can configure such a function, at least not while the phone is locked.

    Is there a separate app that I can download that will help me with this feature? Is there any way that I can do it in the settings of the iPhone? Any information you give me will be appreciated.

    Thank you!

    --J

    There is no such feature in the iOS Mail app and no third-party add-on app.  You can suggest it to Apple: Apple - iPhone - Feedback
