ACS replication problem

I have two ACS servers with replication configured. Manual replication works fine, but when setting up scheduled replication, the server said "preliminary checks indicate a unnecessary outgoing replication - completed cycle". Even if new features have been added to the main server, replication is irrelevant.

Any thoughts?

Please check this bug:

CSCsd02854: automatic replication has not triggered after changing the config components

Symptom: When it is configured for automatic replication, only the changes to the users/groups/SPC are replicated automatically. Changes to the configuration of NAS, Admin, PAN, external databases components do not trigger replication.

Conditions: This is seen when automatic replication (intermittently or at a specific time) is configured.

Solution: Start the replication manually after configuration changes for the affected components have been made.

http://Tools.Cisco.com/support/BugToolKit/action.do?hdnAction=searchBugs

Please make sure that the secondary ACS server has all the network devices replicated from the primary ACS server successfully. If they are not, and we have configured replication to take place on a schedule, then we are hitting this bug.

Kind regards

~ JG

Note the useful messages

Tags: Cisco Security

Similar Questions

  • ACS 3.2 (2) Build 5 replication problem

    Hi all

    There are two ACS servers: one sits inside an ASA 5510 at headquarters and the other is inside an ASA 5510 at the hot site.

    These ASA 5510s have been developed to replace two PIX 515Es, and the claim is that since the ASAs went in, replication has stopped working. Of course, it makes no sense to me because there is communication between the ACS server and the firewall is down not anything whenever "replicate now" is issued.

    Unfortunately, I don't know much about ACS, so is there something I can look for to help troubleshoot it? The ACS logs say

    WARNING cannot replicate to '4' Server - server does not

    That doesn't help us much. Is there a way to get a more detailed log which could indicate the problem? Thank you.

    Hello

    ACS uses port TCP/2000 for replication. This port is also used by the Skinny protocol, so Skinny shares the port used by the ACS replication process.

    Replication of the ACS from the primary to the secondary fails: the primary reports that it cannot contact the secondary, and the secondary does not show any replication activity from the primary.

    A firewall between the two ACS servers is configured to inspect the Skinny protocol, which uses the same port (TCP/2000) as the ACS replication process.

    If you do not have a Call Manager behind your firewall, please disable Skinny inspection if it is enabled.

    # Under the global policy, take the skinny inspection out of the inspection_default class.

    no inspect skinny

    You need to do this on both sides.

    HTH

    JK

    Please evaluate the useful messages-

  • The ACS replication ports

    Hello all, I have two ACS 3.3 and I try to replicate but it does not work. The topology is something like this:

    ACS1<->PIX525<->RouterTelmex - Internet - RouterTelmex<->ASA5540<->ACS2

    I tested a lot of things, and I guess that the problem is in the ASA5540. So the question is: does anyone know which ports need to be opened on the ASA5540 to allow replication? I know port 2000 must be opened, but I think there must be some more ports.

    Thank you very much.

    Gabriel

    Hello Gabriel,

    I know you only need port 2000 to be open for replication of the ACS.

    BTW, do you have Skinny inspection enabled on the ASA? ACS replication runs on port 2000, which also happens to be the same port as the Skinny protocol. Make sure that Skinny inspection is disabled on the two firewalls and see if you can get the replication to work.

    no fixup protocol skinny 2000

    I hope it helps.

    Kind regards

    Arul

    * Please note all useful messages *.
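Both firewall threads above come down to the same check: is Skinny inspection active on TCP/2000 between the two ACS servers? The script below is an added example, not code from either poster or from Cisco; it audits a saved ASA or PIX configuration for an active `inspect skinny` or `fixup protocol skinny` line and lists the negating commands. The sample configurations and hostnames are constructed, and class-map match criteria are not evaluated.

```python
import re
from typing import List, NamedTuple, Optional

ACS_REPLICATION_PORT = 2000  # TCP port the threads say ACS replication shares with Skinny

# Constructed sample configurations (not taken from the posters' devices).
SAMPLE_ASA = """\
hostname asa-hq
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns
  inspect skinny
service-policy global_policy global
"""

SAMPLE_PIX = """\
hostname pix-dr
fixup protocol ftp 21
fixup protocol skinny 2000
no fixup protocol smtp 25
"""


class Finding(NamedTuple):
    line_no: int           # 1-based line number in the config text
    policy: Optional[str]  # policy-map name, or None for a PIX-style global fixup
    cls: Optional[str]     # class name inside the policy-map
    command: str           # the active command as written
    applied: bool          # True when a service-policy line binds the policy-map


FIXUP = re.compile(r"^fixup protocol skinny\s+(\d+)(?:-(\d+))?$")
INSPECT = re.compile(r"^inspect skinny\b")
SERVICE_POLICY = re.compile(r"^service-policy\s+(\S+)\s+(?:global|interface\s+\S+)")


def audit_skinny(config_text: str, port: int = ACS_REPLICATION_PORT) -> List[Finding]:
    """Report every active Skinny inspection that can touch `port`.

    Simplification: class-map match criteria are not evaluated, so any active
    `inspect skinny` inside a policy-map class is reported for review.
    """
    lines = config_text.splitlines()
    applied = set()
    for raw in lines:
        m = SERVICE_POLICY.match(raw.strip())
        if m:
            applied.add(m.group(1))

    findings: List[Finding] = []
    policy = cls = None
    for no, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():          # a top-level command ends any policy-map block
            policy = cls = None
            m = FIXUP.match(line)
            if m:
                lo = int(m.group(1))
                hi = int(m.group(2) or lo)
                if lo <= port <= hi:
                    findings.append(Finding(no, None, None, line, True))
            elif line.startswith("policy-map ") and len(line.split()) == 2:
                policy = line.split()[1]  # skips "policy-map type inspect ..." maps
        elif policy:
            if line.startswith("class "):
                cls = line.split()[1]
            elif cls and INSPECT.match(line):
                findings.append(Finding(no, policy, cls, line, policy in applied))
    return findings


def remediation(findings: List[Finding]) -> List[str]:
    """Config lines that negate each finding.

    Per the reply above, only appropriate when no Call Manager sits behind the
    firewall, since SCCP phones rely on this inspection.
    """
    out: List[str] = []
    for f in findings:
        if f.policy is None:
            out.append("no " + f.command)
        else:
            out += [f"policy-map {f.policy}", f" class {f.cls}", "  no " + f.command]
    return out


if __name__ == "__main__":
    for name, cfg in (("asa-hq", SAMPLE_ASA), ("pix-dr", SAMPLE_PIX)):
        hits = audit_skinny(cfg)
        for f in hits:
            print(f"{name}: line {f.line_no}: {f.command} (applied={f.applied})")
        print("\n".join(remediation(hits)))
```

Run it against the saved configuration of each firewall in the path, since the replies point out that the inspection has to be off on both sides.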

  • Upgrade of Windows 2003 to 2012 r2 DC replication problem

    Hello

    I added a Windows Server 2012 R2 server to a Windows 2003 SP2 DC (primary DC) domain and promoted it as a DC. After the promotion, I ran dcdiag and it shows errors.

    Each of the servers has three NICs connected to different networks.

    Please help me with your expertise since I have to raise this Monday.

    Thank you

    Kind regards

    Charaf-eddine

    Here is the dcdiag output from the new DC:

    Directory Server diagnosis

    Perform the initial configuration:

    Trying to find the server at home...

    Home Server = CADPDC1

    * Identified AD forest.
    Made the initial collection of information.

    Make the required initial tests

    Test server: Default-First-Site-Name\CADPDC1

    Commencement of the trial: connectivity

    CADPDC1.engineer.com host name resolution error by

    IPv6 stack.

    WARNING: could not confirm the identity of this server in the

    Directory and names returned by DNS servers. Host name

    fixed error 0x2af9 "host is known."

    ......................... CADPDC1 passed test connectivity

    Primary testing

    Test server: Default-First-Site-Name\CADPDC1

    Commencement of the trial: advertising

    WARNING: DsGetDcName returned information for

    \\cadpdc. Engineer.com, when we tried to reach CADPDC1.

    SERVER IS NO ANSWER or IS NOT considered AS APPROPRIATE.

    ......................... CADPDC1 was not able to test advertising

    Beginning of the test: FrsEvent

    There are warning or error events in the last 24 hours after the

    SYSVOL is shared.  Don't not SYSVOL replication problems can cause

    The Group of political problems.
    ......................... CADPDC1 test FrsEvent

    Commencement of the trial: DFSREvent

    ......................... CADPDC1 test DFSREvent

    Commencement of the trial: SysVolCheck

    ......................... CADPDC1 test SysVolCheck

    Beginning of the test: KccEvent

    ......................... CADPDC1 test KccEvent

    Beginning of the test: KnowsOfRoleHolders

    [CADPDC] DsBindWithSpnEx() failed with the error-2146893022,

    The name main target is incorrect...
    ATTENTION: CADPDC is the owner of the schema, but does not meet the DS RPC

    Bind.

    [CADPDC] LDAP bind failed with error 8341,

    A directory service error has occurred...
    ATTENTION: CADPDC is the owner of the schema, but does not respond to LDAP

    Bind.

    ATTENTION: CADPDC is the owner of the domain, but does not meet the DS RPC

    Bind.

    ATTENTION: CADPDC is the owner of the domain, but does not respond to LDAP

    Bind.

    ATTENTION: CADPDC is the owner of PDC, but does not meet the DS RPC

    Bind.

    ATTENTION: CADPDC is the owner of PDC, but does not respond to the LDAP bind.

    ATTENTION: CADPDC is the owner of RID, but does not meet the DS RPC

    Bind.

    ATTENTION: CADPDC is the owner of RID, but does not respond to the LDAP bind.

    ATTENTION: CADPDC is the owner of Infrastructure Update, but is not

    meet DS RPC Bind.

    ATTENTION: CADPDC is the owner of Infrastructure Update, but is not

    respond to LDAP Bind.

    ......................... CADPDC1 failed test KnowsOfRoleHolders

    Beginning of the test: MachineAccount

    ......................... CADPDC1 test MachineAccount

    Beginning of the test: NCSecDesc

    ......................... CADPDC1 passed test NCSecDesc

    Beginning of the test: NetLogons

    Cannot connect in the NETLOGON share. (\\CADPDC1\netlogon)

    [CADPDC1] An net use or LsaPolicy operation failed with error 67.

    The network name was not found...

    ......................... CADPDC1 failed test NetLogons

    Commencement of the trial: ObjectsReplicated

    ......................... CADPDC1 test ObjectsReplicated

    From test: Replications

    [Check the replications, CADPDC1] A recent replication attempt failed:

    From CADPDC to CADPDC1

    Naming context: DC = ForestDnsZones, DC = engineering, DC = com

    The replication generated an error (-2146893022):

    The name main target is invalid.

    The failure occurred at 2014-06-27 17:05:59.

    The last success occurred at 2014-06-27 17:01:21.

    1 failures have occurred since the last success.

    [Check the replications, CADPDC1] A recent replication attempt failed:

    From CADPDC to CADPDC1

    Naming context: DC = DomainDnsZones, DC = engineering, DC = com

    The replication generated an error (-2146893022):

    The name main target is invalid.

    The failure occurred at 2014-06-27 17:05:59.

    The last success occurred at 2014-06-27 17:01:21.

    1 failures have occurred since the last success.

    [Check the replications, CADPDC1] A recent replication attempt failed:

    From CADPDC to CADPDC1

    Naming context: CN = Schema, CN = Configuration, DC = engineering, DC = com

    The replication generated an error (1727):

    The remote procedure call failed and did not execute.

    The failure occurred at 2014-06-27 17:05:59.

    The last success occurred at 2014-06-27 17:01:06.

    1 failures have occurred since the last success.

    [Check the replications, CADPDC1] A recent replication attempt failed:

    From CADPDC to CADPDC1

    Naming context: CN = Configuration, DC = engineering, DC = com

    The replication generated an error (-2146893022):

    The name main target is invalid.

    The failure occurred at 2014-06-27 17:05:59.

    The last success occurred at 2014-06-27 17:01:07.

    1 failures have occurred since the last success.

    [Check the replications, CADPDC1] A recent replication attempt failed:

    From CADPDC to CADPDC1

    Naming context: DC = engineering, DC = com

    The replication generated an error (-2146893022):

    The name main target is invalid.

    The failure occurred at 2014-06-27 17:05:59.

    The last success occurred at 2014-06-27 17:01:21.

    1 failures have occurred since the last success.

    ......................... CADPDC1 failure test replications

    Beginning of the test: RidManager

    ......................... CADPDC1 failed test RidManager

    Commencement of the trial: Services

    ......................... CADPDC1 test passed Services

    Beginning of the test: SystemLog

    A warning event occurred.  Event ID: 0x000727A5

    Generated time: 27/06/2014-17:01:38

    The event string:

    The WinRM service is not listening to the WS-Management requests.

    A warning event occurred.  Event ID: 0 x 80050004

    Generated time: 27/06/2014-17:05:03

    The event string:

    HP 1 GB 2 332T adapter ports Ethernet: the network link is down.  Check that the network cable is connected correctly.

    A warning event occurred.  Event ID: 0xA004001B

    Generated time: 27/06/2014-17:05:06

    The event string: HP NC112T PCIe Gigabit Server Adapter

    An error event occurred.  Event ID: 0 x 40000004

    Generated time: 27/06/2014-17:05:39

    The event string:

    The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server of cadpdc1$. The target name was LDAP/cadpdc.engineer.com/*** Email address is removed from the privacy *. This indicates that the target server could not decrypt the ticket provided by the customer. This can occur when target server principal name (SPN) is registered on one different account that the target service uses. Ensure that the target THAT SPN is registered only on the account used by the server. This error can also occur if the password service target account is different from what is set up on the Kerberos key for this service target Distribution Center. Make sure that the service on the server and the KDC are configured to use the same password. If the server name is not complete, and the target domain (ENGINEER.COM) is different from the customer area (ENGINEER.COM), check if it is the same name of server accounts in these two areas, or use the fully qualified name to identify the server.

    An error event occurred.  Event ID: 0 x 40000004

    Generated time: 27/06/2014-17:05:39

    The event string:

    The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server of cadpdc1$. The target name was ldap/cadpdc.engineer.com/*** address email is removed from the privacy *. This indicates that the target server could not decrypt the ticket provided by the customer. This can occur when target server principal name (SPN) is registered on one different account that the target service uses. Ensure that the target THAT SPN is registered only on the account used by the server. This error can also occur if the password service target account is different from what is set up on the Kerberos key for this service target Distribution Center. Make sure that the service on the server and the KDC are configured to use the same password. If the server name is not complete, and the target domain (ENGINEER.COM) is different from the customer area (ENGINEER.COM), check if it is the same name of server accounts in these two areas, or use the fully qualified name to identify the server.

    An error event occurred.  Event ID: 0 x 40000004

    Generated time: 27/06/2014-17:05:41

    The event string:

    The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server of cadpdc1$. The target name was of cadpdc$. This indicates that the target server could not decrypt the ticket provided by the customer. This can occur when target server principal name (SPN) is registered on one different account that the target service uses. Ensure that the target THAT SPN is registered only on the account used by the server. This error can also occur if the password service target account is different from what is set up on the Kerberos key for this service target Distribution Center. Make sure that the service on the server and the KDC are configured to use the same password. If the server name is not complete, and the target domain (ENGINEER.COM) is different from the customer area (ENGINEER.COM), check if it is the same name of server accounts in these two areas, or use the fully qualified name to identify the server.

    An error event occurred.  Event ID: 0 x 40000004

    Generated time: 27/06/2014-17:05:43

    The event string:

    The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server of cadpdc1$. The target name used was GC/cadpdc.engineer.com/engineer.com. This indicates that the target server could not decrypt the ticket provided by the customer. This can occur when target server principal name (SPN) is registered on one different account that the target service uses. Ensure that the target THAT SPN is registered only on the account used by the server. This error can also occur if the password service target account is different from what is set up on the Kerberos key for this service target Distribution Center. Make sure that the service on the server and the KDC are configured to use the same password. If the server name is not complete, and the target domain (ENGINEER.COM) is different from the customer area (ENGINEER.COM), check if it is the same name of server accounts in these two areas, or use the fully qualified name to identify the server.

    A warning event occurred.  Event ID: 0x000727AA

    Generated time: 27/06/2014-17:05:43

    The event string:

    The WinRM service could not create the following SPNS: WSMAN/CADPDC1.engineer.com; WSMAN/CADPDC1.

    An error event occurred.  Event ID: 0 x 40000004

    Generated time: 27/06/2014-17:05:55

    The event string:

    The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server of cadpdc1$. The target name used was cifs/cadpdc.engineer.com. This indicates that the target server could not decrypt the ticket provided by the customer. This can occur when target server principal name (SPN) is registered on one different account that the target service uses. Ensure that the target THAT SPN is registered only on the account used by the server. This error can also occur if the password service target account is different from what is set up on the Kerberos key for this service target Distribution Center. Make sure that the service on the server and the KDC are configured to use the same password. If the server name is not complete, and the target domain (ENGINEER.COM) is different from the customer area (ENGINEER.COM), check if it is the same name of server accounts in these two areas, or use the fully qualified name to identify the server.

    A warning event occurred.  Event ID: 0 x 84350444

    Generated time: 27/06/2014-17:05:58

    The event string:

    Information System Officer: health: Post errors have been detected.  One or more errors of Power-On-Self-Test were detected when the server starts.

    An error event occurred.  Event ID: 0 x 40000004

    Generated time: 27/06/2014-17:05:59

    The event string:

    The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server of cadpdc1$. The target name was E3514235-4B06-11D1-AB04-00C04FC2DCD2/5122bd13-c8ac-4265-a879-3a6831224994/*** Email address is removed from the privacy *. This indicates that the target server could not decrypt the ticket provided by the customer. This can occur when target server principal name (SPN) is registered on one different account that the target service uses. Ensure that the target THAT SPN is registered only on the account used by the server. This error can also occur if the password service target account is different from what is set up on the Kerberos key for this service target Distribution Center. Make sure that the service on the server and the KDC are configured to use the same password. If the server name is not complete, and the target domain (ENGINEER.COM) is different from the customer area (ENGINEER.COM), check if it is the same name of server accounts in these two areas, or use the fully qualified name to identify the server.

    An error event occurred.  Event ID: 0 x 40000004

    Generated time: 27/06/2014-17:05:59

    The event string:

    The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server of cadpdc1$. The target name used was ldap/cadpdc.engineer.com. This indicates that the target server could not decrypt the ticket provided by the customer. This can occur when target server principal name (SPN) is registered on one different account that the target service uses. Ensure that the target THAT SPN is registered only on the account used by the server. This error can also occur if the password service target account is different from what is set up on the Kerberos key for this service target Distribution Center. Make sure that the service on the server and the KDC are configured to use the same password. If the server name is not complete, and the target domain (ENGINEER.COM) is different from the customer area (ENGINEER.COM), check if it is the same name of server accounts in these two areas, or use the fully qualified name to identify the server.

    An error event occurred.  Event ID: 0x0000410B

    Generated time: 27/06/2014-17:05:59

    The event string:

    The request for a new account identifier pool failed. The operation will be retried until the request succeeds. The error is

    An error event occurred.  Event ID: 0 x 40000004

    Generated time: 27/06/2014-17:06:07

    The event string:

    The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server of cadpdc1$. The target name used was LDAP/cadpdc.engineer.com. This indicates that the target server could not decrypt the ticket provided by the customer. This can occur when target server principal name (SPN) is registered on one different account that the target service uses. Ensure that the target THAT SPN is registered only on the account used by the server. This error can also occur if the password service target account is different from what is set up on the Kerberos key for this service target Distribution Center. Make sure that the service on the server and the KDC are configured to use the same password. If the server name is not complete, and the target domain (ENGINEER.COM) is different from the customer area (ENGINEER.COM), check if it is the same name of server accounts in these two areas, or use the fully qualified name to identify the server.

    An error event occurred.  Event ID: 0x0000041F

    Generated time: 27/06/2014-17:06:30

    The event string:

    The processing of Group Policy failed. Windows could not resolve the computer name. This can be caused by one or more of the following:

    An error event occurred.  Event ID: 0x0000041D

    Generated time: 2014/06/27 17:07:07

    The event string:

    The processing of Group Policy failed. Windows could not resolve the user name. This can be caused by one or more of the following:

    An error event occurred.  Event ID: 0x0000041F

    Generated time: 2014/06/27 17:11:32

    The event string:

    The processing of Group Policy failed. Windows could not resolve the computer name. This can be caused by one or more of the following:

    An error event occurred.  Event ID: 0x0000041F

    Generated time: 27/06/2014-17:16:33

    The event string:

    The processing of Group Policy failed. Windows could not resolve the computer name. This can be caused by one or more of the following:

    An error event occurred.  Event ID: 0 x 40000004

    Generated time: 27/06/2014-17:16:38

    The event string:

    The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server of cadpdc1$. The target name used was LDAP/5122bd13-c8ac-4265-a879-3a6831224994._msdcs.engineer.com. This indicates that the target server could not decrypt the ticket provided by the customer. This can occur when target server principal name (SPN) is registered on one different account that the target service uses. Ensure that the target THAT SPN is registered only on the account used by the server. This error can also occur if the password service target account is different from what is set up on the Kerberos key for this service target Distribution Center. Make sure that the service on the server and the KDC are configured to use the same password. If the server name is not complete, and the target domain (ENGINEER.COM) is different from the customer area (ENGINEER.COM), check if it is the same name of server accounts in these two areas, or use the fully qualified name to identify the server.

    An error event occurred.  Event ID: 0x0000041F

    Generated time: 2014/06/27 17:21:35

    The event string:

    The processing of Group Policy failed. Windows could not resolve the computer name. This can be caused by one or more of the following:

    ......................... CADPDC1 failed test SystemLog

    Commencement of the trial: VerifyReferences

    ......................... CADPDC1 test VerifyReferences

    Running partition tests: ForestDnsZones

    Beginning of the test: CheckSDRefDom

    ......................... ForestDnsZones passed test CheckSDRefDom

    Beginning of the test: CrossRefValidation

    ......................... ForestDnsZones passed test

    CrossRefValidation

    Running partition tests: DomainDnsZones

    Beginning of the test: CheckSDRefDom

    ......................... DomainDnsZones passed test CheckSDRefDom

    Beginning of the test: CrossRefValidation

    ......................... DomainDnsZones passed test

    CrossRefValidation

    Running partition tests: schema

    Beginning of the test: CheckSDRefDom

    ......................... Schema passed test CheckSDRefDom

    Beginning of the test: CrossRefValidation

    ......................... Schema passed test CrossRefValidation

    Running partition tests: Configuration

    Beginning of the test: CheckSDRefDom

    ......................... Configuration test past CheckSDRefDom

    Beginning of the test: CrossRefValidation

    ......................... Configuration test past CrossRefValidation

    Running partition tests: engineer

    Beginning of the test: CheckSDRefDom

    ... engineer passed test CheckSDRefDom

    Beginning of the test: CrossRefValidation

    ... engineer passed test CrossRefValidation

    Running tests of the company: engineer.com

    Commencement of the trial: LocatorCheck

    ... engineer.com passed test LocatorCheck

    Commencement of the trial: cross-site

    ... engineer.com passed test intersite

    Hi Chamarasi,

    I suggest that you post the question on the Microsoft TechNet forum because we have experts there working on these issues. You can use this link to post the same query on TechNet:

    http://social.technet.Microsoft.com/forums/WindowsServer/en-us/home?category=WindowsServer

    Please do not hesitate to contact us if you have other questions related to Windows.

  • V3.3.4 replication problems

    I just upgraded to 3.3.4, and I see a problem with replication. I have two ACS servers and they are authenticating with a CryptoCard server. So I configured the external DB on both servers to point to it. I created the users and they are underlined as external DB. Everything works perfectly, even failover if I close the services on the main server.

    However, when I replicate, the failover doesn't work anymore. What I see is that if I look at a user on the backup server, the password authentication section for all users is 'unknown Radius server'. I choose the CryptoCard server and everything works fine again.

    Any ideas how I can fix this?

    Any help would be appreciated. TAC is also working on this, but I wanted to see if someone else has experienced this problem.

    BTW this forum works on a windows server...

    I think we can delete the old entry from the database that ACS will not re-index numbers but am not very sure about this one.

    Kind regards

    Vivek

  • The ACS installation problem

    I have problems reinstalling a server ACS (4.0 on Win 2003).

    I get a lot of error messages like:

    "Failure of line 194, CryptAqquireContext... V:\ismg_israel_acs\Acs\Crypto\init.c."

    I have no disk called V currently mapped, and the name of this directory is certainly not familiar. It does not exist on this server at all.

    I used the same setup files on the other servers before without any problem.

    I also searched the registry for some of the strings in the error message, without finding them.

    It's really giving me a headache!

    If all goes well there's someone in the community who can help me on this.

    Hello

    Do not own you the V: drive. This is the location on the server where ACS has been compiled in this build.

    This could be due to a partially broken uninstall of a previous version of ACS. Can you try to get your hands on the clean utility (on the CD)?

    Or run "findstr /I CiscoSecure *.*" in your Application Data\... Microsoft... \Crypto\RSA\... and delete the file that contains the Cisco Secure container text.

    Then you should be good to go.

  • ACS report problem

    Hello...

    I have GBA 2.6 (4) 4 and the following problem is happening:

    Authentication and authorization of the NAS work normally, but accounting does not work properly. If I use only exec accounting, users appear in the GBA 'connected' report, OK. If I add accounting for level 0, 1 or 15 commands, users appear in the 'connected' report, but if I use any command (enable, show..., debug, etc.) the users disappear from the report and the commands are presented in TAC + administration. I tried using ACS 3.1 and accounting works normally.

    Is this a BUG? If not, how do I solve this problem?

    The configuration of my equipment is:

    ======

    Cisco IOS 2620 (C2600-I-M), Version 12.1 T7 (5)

    ======

    logging rate-limit console 10 except errors

    aaa new-model

    aaa authentication login default group tacacs+ local

    aaa authentication ppp default group tacacs+ local

    aaa authorization console

    aaa authorization exec default group tacacs+ none

    aaa authorization network default group tacacs+ none

    aaa accounting update newinfo

    aaa accounting exec default start-stop group tacacs+

    aaa accounting commands 0 default arrhythmic group tacacs+

    aaa accounting commands 1 default start-stop group tacacs+

    aaa accounting commands 15 default start-stop group tacacs+

    aaa accounting network default start-stop group tacacs+

    aaa accounting connection default power group tacacs+

    ====

    TKS.

    Yep, it's a bug.

    See http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCdv61239

  • 5.6 ACS authentication problem

    We are in the process of upgrading our ACS 4.1 to an ACS 5.6 appliance.

    The unit is installed on the network, correctly licensed, etc.

    I joined the ACS server to the AD domain without problem. I created a few local and external (AD) users for testing.

    I created a network device (Catalyst switch) as a TACACS+ client and specified single-connect.

    When I SSH into the switch, I can connect using my AD user name and password, but I can't go into enable mode. It says "authentication failure".

    My aaa settings are

    radius-server host 172.25.50.8
    radius-server timeout 3
    radius-server application made
    radius-server key

    I am missing something somewhere, I don't know where. If I try to download the ACS support bundle, it says downloading, but does not say where (or how).

    Any advice would be great. I'm new to this product.

    See the document: http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-6/migration/guide/migration_guide/Migration_support.html#pgfId-1014889

  • Version 4.1 ACS certificate problem

    Our self-signed certificate has expired and I tried to install a valid certificate of our internal CA. The generation of CSR, addition of our internal CA as a valid root, import and installation of the new key all seemed to go smoothly. However, when I restarted the service to activate the new cert I was no longer able to access the server via the web interface.

    Connecting via the console allows me to see that everything apparently works fine, but I cannot manage the server through the web and therefore cannot add/remove/edit any entries.

    Attempted to update the certificate on the second certificate, signed by association with a car and he is also updated without problem, but the web interface works in this system.

    I need advice on how to get the web interface work.

    Can you give us some details on what happens when you try to access the server via a browser? What is happening in the browser? Messages?

    Have you tried using http: instead of https:?

    Have you tried another browser?

    Is your ACS running on Windows, is it the appliance, or?

  • ACS authentication problem with TACACS

    My organization was using ACS with AD to authenticate users for access to network devices.

    But lately, it does not work. There has been no known changes.

    Can anyone help point out the possible problems, or share links showing what the actual configuration of the ACS should look like for that to work?

    My apologies if this is a naïve question; I am not so familiar with ACS.

    Thank you!

    Hello

    There are two ways to correct the message 'windows dialin permission required'. You can either add dialin permissions to the user accounts in your Windows database, or you can remove the "Require Dialin permissions" option in ACS. To do this, go to "External User Databases" and select "Database Configuration". Then go to your Windows database and click "Configure". The first option is a box that gives you the option to "make sure that grant dialin permission is checked".

    Checking this box will cause the error you get if your Windows users do not have dialin permissions. If you uncheck this box, it should clear this up.

    HTH

    JK

  • Cisco ACS installation problem

    Hello everyone.
    I have a Cisco ACS 4.2 installation on Windows 2008 64 bit and get a very strange error when installing. V:\ismg_israel_acs it gives some encryption error.
    Can someone who has encountered the same problem please help me on this. My project is stopped because of it.
    Thanks in advance.

    Sent by Cisco Support technique Android app

    Hi Rizwan,

    If you're upgrading some version prerequisites ACS then I think you get something like this V:\ismg_israel_acs\Acs\Crypto\init.cpp

    You need to locate the old CryptoAPI container used by ACS, which may still be on the system.  This is normally located in C:\Documents and Settings\<username that installed ACS>\Application Data\Microsoft\Crypto\RSA.

    There will be one or more files with very long hexadecimal filenames. You must identify the right one.

    Open a command prompt in that folder and type "findstr /I CiscoSecure *.*" - the file name that appears should be the old container of ACS.

    Let me know if you will be able to search for any file.

    ~ BR
    Jatin kone

    * Does the rate of useful messages *.

  • NAR ACS Configuration problem

    Hi all!

    I have a problem with the configuration of the network access restrictions.

    I put the function through the shared profile component and group level NAR also, but neither of them works.

    My test AAA client is a simulator of customer RADIUS of VASCO. I thought that this software does not send the correct RADIUS attributes, behavior of the ACS is never prohibitive, but sometimes, it should be.

    I also tried with version 3.2 and 4.2.

    Is there a tip or something that I messed up?

    Thank you for the answers!

    For wireless users, you must use CLI/DNIS-based access restriction.

    If you the corresponding IETF Radius user wireless access point, basic authentication should work, but question would be with a part of the authorization.

    Kind regards

    ~ JG

  • ACS ping problem

    Hey guys!

    Need your help!

    I'm setting up an ACS 1113 and I had a weird problem, I turned off the CSA to enable pings ok, it works on my PC for ACS but GBA cannot ping my PC!

    I also have another problem, I can access the ACS and all configured but when I put it on the network I can't access it, then I put it directly connected to my PC I can access the web interface normally.

    I don't know what happened... I saw a post that says that I should set up directly connected to the network... but I did not I have connected my laptop and composes the tests before putting on the network...

    Does anyone know why, and what is the workaround for it?

    I have attached the ping information and my Ipconfig for my laptop and one following the 'show' connected to the console

    Quote

    Cisco Secure ACS: 4.2.0.124
    The application management software: 4.2.0.124
    Ask tiBase Image: 4.2.0.107
    The session timeout: 10
    Last reset to zero hour: Fri 27 Aug 13:06:44 2010

    NTP servers: 10.21.4.1

    Free CPU on the free physical memory disk load
    Memory of MBhysical 749 109 GB 0.00%

    IP of the server configuration
    DHCP active...: No.
    ... The IP address: 10.21.4.61
    ... Subnet mask: 255.255.255.0
    ... Default gateway. : 10.21.4.155.0.
    DNS servers...: 10.21.4.11
    10.21.4.21

    CSAuth race
    CSDbSync race
    Case running
    CSMon race
    CSRadius race
    CSTacacs race

    CSAgent stopped
    End of quote

    Console ping tests

    gavprdrjlacs01 > ping 10.21.4.62

    Ping 10.21.4.62 with 32 bytes of data:

    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.

    Ping statistics for 10.21.4.62:
    Packets: Sent = 4, received = 0, lost = 4 (100% loss)

    gavprdrjlacs01 >

    gavprdrjlacs01 > ping 10.21.4.61

    Ping 10.21.4.61 with 32 bytes of data:

    Reply from 10.21.4.61: bytes = 32 time<1ms ttl="">
    Reply from 10.21.4.61: bytes = 32 time<1ms ttl="">
    Reply from 10.21.4.61: bytes = 32 time<1ms ttl="">
    Reply from 10.21.4.61: bytes = 32 time<1ms ttl="">

    Ping statistics for 10.21.4.61:
    Packets: Sent = 4, received = 4, lost = 0 (0% loss),
    Time approximate round trip in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, average = 0ms

    Thanks mates!

    Your default gateway is listed as 10.21.4.155.0, which means that the 1113 will not be able to reach something outside the local network.

    You can fix this by issuing a "set ip" on the CLI and guests.
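The check behind this answer, as an added example that is not part of the original thread: it validates the three addressing fields and confirms the gateway is a usable next hop inside the interface's subnet. The field labels in the sample are assumed; the values are the ones posted above.

```python
import ipaddress
import re

# Constructed sample: field labels are assumed, values are those posted in the thread.
SAMPLE = """\
IP Address: 10.21.4.61
Subnet Mask: 255.255.255.0
Default Gateway: 10.21.4.155.0
"""

LABELS = ("ip address", "subnet mask", "default gateway")
FIELD = re.compile(r"^[ .]*(IP Address|Subnet Mask|Default Gateway)[ .]*:\s*(\S+)",
                   re.I | re.M)

def check_ip_config(text):
    """Return a list of addressing problems; an empty list means the fields are consistent."""
    raw = {m.group(1).lower(): m.group(2) for m in FIELD.finditer(text)}
    problems, addr = [], {}
    for label in LABELS:
        if label not in raw:
            problems.append(f"{label}: missing")
            continue
        try:
            addr[label] = ipaddress.IPv4Address(raw[label])
        except ipaddress.AddressValueError:
            problems.append(f"{label}: '{raw[label]}' is not a valid IPv4 address")
    if problems:
        return problems  # subnet checks need all three fields to parse
    try:
        net = ipaddress.IPv4Network(f"{addr['ip address']}/{addr['subnet mask']}", strict=False)
    except ValueError:
        return [f"subnet mask: '{addr['subnet mask']}' is not a valid netmask"]
    gw = addr["default gateway"]
    if gw not in net:
        problems.append(f"default gateway: {gw} is outside {net}")
    elif gw in (net.network_address, net.broadcast_address, addr["ip address"]):
        problems.append(f"default gateway: {gw} is not a usable next hop in {net}")
    return problems

if __name__ == "__main__":
    for problem in check_ip_config(SAMPLE):
        print(problem)
```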

  • Cisco ACS taccas + problem with authentication

    I'm having a problem authenticating to a switch using taccas + with my ACS 5.2 server. I can actually do a 'test of aaa group taccas + username password inheritance' and it returns a successful user authentication. When I try to use this same account to authenticate to the switch, it is unsuccessful, and I'm not even seeing that attempt hit GBA.

    Most likely, it is a misconfiguration of the AAA commands on the switch.

    Sent by Cisco Support technique iPad App

  • ACS 4.2 to 5.4 ACS replication of databases

    Hi all

    I would like to know if it's possible to set up database replication from a Cisco ACS 4.2 server to an ACS 5.4 server?

    Thanks in advance

    Mohsin sarr

    Unfortunately, database replication (update of the trigger) cannot be performed because it requires the two ACS boxes to run the same code.

    If you meant migration then yes it is possible.

    Migration from ACS 4.x to ACS 5.4

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_system/5.4/user/guide/migrate.html

    Jatin kone
    -Does the rate of useful messages-
