Cisco ACS 5.3 patch 8 Volume OPT

Hello

We currently have 12 ACS units, with one of them being a dedicated log collector. We have 802.1X authentication configured for network and Wi-Fi ports. We are authenticating desktops, laptops, smartphones, etc. on our network.

The problem we have is the /opt volume exceeding the 30% volume size recommended by Cisco TAC after a few months. We have recently added more resources on our network (fusion). We are now at the 30% size in about 1 month.

In the past, we called Cisco TAC when we had performance problems with the Log Collector. At the time it was also authenticating 802.1X clients. We have since added a new device that is a dedicated Log Collector. They would check the /opt volume and find that it was at about 70% of its size. They would launch the Console Root patch, delete the DB and then re-create it. We did this about 2 times before starting to monitor the size of the /opt volume.

This last time, we reached 30% of the volume size more rapidly than we had previously. I got Cisco TAC to delete the /opt volume and recreate it.

Cisco TAC recommended that we reduce the amount of logs that are sent to the log collector. We are currently investigating this option.

The questions I have are:

What percentage of size for the /opt volume should we be concerned about before it starts impacting the performance of the Log Collector?

Is there anything else we can do to reduce the amount of logs that are sent to the Log Collector?

We have data purge set to 30 days. We are doing full and incremental database backups. We also send local logs to a Syslog server.

We are testing changes to send only AAA Audit logs and system statistics to the Log Collector.

Thank you

In a distributed configuration, it's recommended to set up a secondary server dedicated as a log collector. However, you have a large deployment, so I'm sure that the authentication rate would be too high, causing the view database size to keep increasing.

In order to avoid running out of disk space, we need to manage it. This means identifying the files that are created and written by processes on the system, allocating a space budget to them such that, if the files remain within their budget, all the services can be supported without interruption, and then defining and implementing the necessary facilities to keep these files within their budget.

There are two mechanisms to reduce this size and prevent it from exceeding the maximum limit.

1. Purge: with this mechanism the data is purged based on the configured data retention period or on reaching the upper limit of the database. Patch 6 adds a new option for on-demand purging as well.

2. Compress: this mechanism frees up unused space in the database without deleting any records. Previously the compress option could only be performed manually. In ACS 5.3 Patch 6 there are improvements so that it runs automatically every day at a preset time, when specific criteria are met.

What percentage of size for the /opt volume should we be concerned about before it starts impacting the performance of the Log Collector?

The TAC recommendations are right. You will be able to use all the ACS functions if /opt is less than 30%.

Is there anything else we can do to reduce the amount of logs that are sent to the Log Collector?

It seems that you use most of the features/mechanisms to keep /opt low. However, you may be interested to read more about the data purging and data compression improvements: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/release/notes/acs_54_rn.html

- Please use System Administration > Configuration > Log Configuration > Logging Categories > Global to send only the required logs to the ACS View log collector.

- Provide a fresh screenshot of the page Monitoring Configuration > System Operations > Data Management > Removal and Backup.

- With the command listed below you can check the actual and physical database size:

acs-config

Username: acsadmin

Password: *.

acsview show-dbsize

There are some known defects on the same subject. However, the version you use improves database management process.

CSCto47203: ACS 5 runs out of disk space

CSCua51804: View backup fails even when there is disk space

Jatin kone

- Do rate helpful posts -

Tags: Cisco Security

Similar Questions

  • Cisco cisco ACS patch location site

    Hello

    I want to install cisco Acs 4.1 and I'm looking for the location on the Web site for patches can you please give the path?

    Thank you

    For ACS for windows:

    http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-win-3DES

    For ACS SE:

    http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-Soleng-3DES

    Kind regards

    Prem

  • Cisco ACS SE TACACS+ accounting fails

    Hello

    I'm running Cisco ACS SE 4.1.23.5. My problem is that the ACS doesn't log for the remote switches. I have configured the following accounting commands:

    aaa accounting exec default start-stop group tacacs+

    aaa accounting commands 0 default start-stop group tacacs+

    aaa accounting commands 15 default start-stop group tacacs+

    aaa accounting connection default start-stop group tacacs+

    When I enable aaa accounting debugging, I get the following logs on the switch.

    001091: 12 sep 12:06:06.464 TSB: AAA/ACCT: user johndoe, acct type 3 (2684940942): method = Ganymede + (Ganymede +)

    001092: 12 sep 12:06:06.665 TSB: TAC +: (2684940942): received the status of response acct = SUCCESS

    001093: 12 sep 12:06:11.128 TSB: AAA/ACCT/CMD: user johndoe, tty2, 15 private Port:

    'show running-config '."

    001094: 12 sep 12:06:11.128 TSB: AAA/ACCT/CMD: find the "default" list

    001095: 12 sep 12:06:11.346 TSB: AAA/ACCT: user johndoe, acct type 3 (1583033889): method = Ganymede + (Ganymede +)

    001096: 12 sep 12:06:12.000 TSB: TAC +: (1583033889): received the status of response acct = SUCCESS

    001097: 12 sep 12:08:16.303 TSB: AAA/ACCT/CMD: user johndoe, tty2, 15 private Port:

    ' configure terminal '."

    001098: 12 sep 12:08:16.303 TSB: AAA/ACCT/CMD: find the "default" list

    001099: 12 sep 12:08:16.303 TSB: AAA/ACCT: user johndoe, acct type 3 (1098049616): method = Ganymede + (Ganymede +)

    001100: 12 sep 12:08:16.504 TSB: TAC +: (1098049616): received the status of response acct = SUCCESS

    001101: 12 sep 12:08:29.884 TSB: AAA/ACCT/CMD: user johndoe, tty2, 15 private Port:

    It seems that the switch is getting a response, but the ACS is not recording. I have updated the ACS to the latest patch (4.1.23.5), which is supposed to resolve this known bug.

    Is there something that I am missing?

    Thank you.

    ESD

    And what do you get in the TACACS+ Administration logs?

    Kind regards

    Prem

  • Cisco ACS 5.5

    Hello

    I just installed Cisco ACS 5.5.0.46.  We managed to get Juniper devices to authenticate using RADIUS.

    The problem is that the authentication logs are empty.

    I intend to patch the ACS of Update Rollup 4 for tonight, hoping that it can fix the problem.

    Can someone advise?

    Regards

    Vijay

    Good to hear your issue was resolved. Also, thank you for taking the time to come back and post the solution to the problem! (+ 5 from me). Now, if your issue is resolved, please check the thread as "answered" :)

  • Cisco ACS 4.2: The most important to back up files?

    Dear Sir

    Can you tell me what are the most important files to back up in the Cisco ACS directory?

    Currently, I only back up (with Symantec Backup Exec):

    C:\Program Files\CiscoSecure ACS v4.2\CSAuth\System backups

    * But, I would like to know if my server crash, can I restore the entire configuration with the files listed in the directory below? (Users, groups, groups of devices, AD, mapping, users, groups,...)

    * Does Cisco ACS make changes in the Windows registry?

    * Is it necessary to reinstall the Cisco ACS, if I need to put in an emergency on a new server? I guess Yes, because the installation creates services, etc.

    I ask this question because it takes time to install the patches...

    * Or, can I save all the Cisco ACS directory... On a new server, install the Cisco ACS and restore the backup?

    Thank you very much for giving me your experience about it.

    Kind regards

    You should back up the files that come from ACS backups, i.e.

    System Configuration > ACS Backup, the location that is specified in this section.

    And the default location is the one that you already save, for example "C:\Program Files\CiscoSecure ACS v4.2\CSAuth\System backups"

    In case you are required to host ACS on a new server, you would be required to re-install the complete ACS application and then simply take the last backup and restore it in the newly installed ACS. It will restore everything: users, groups, external database mappings, etc.

    When you install ACS on a new server, make sure that if you run the ACS services with a service account (this is required for Windows authentication, according to your requirement), you run the new services with this account too, which may require that you go through the following documentation.

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/installation/guide/Windows/postin.html#wp1041202

    Kind regards

    Prem

    Please rate if this can help!

  • Upgrade to Cisco acs 1120 to 4.2.1.15 help

    Hi all

    I downgrade of cisco device 1120 DCC acs 4.2.0.124 5.0, I need to upgrade to acs 4.2.1.15. Is device 1120 cisco acs supports 4.2.1.15, how do I upgrade 4.2.0.124 4.2.1.15.

    There are any server distribution for the upgrade. Please suggest on this, thank you

    Yes, you can upgrade it to 4.2.1.15 and you can download the version from the link below listed;

    http://Tools.Cisco.com/Squish/d4e4A

    Here are the files you need to download:

    ACSse-Upgrade-Pkg-acs-v4.2.1.15-K9.zip

    ACSse-Upgrade-Pkg-appl-mng-v4.2.1.15-K9.zip

    Note: apply the management upgrade first and then the software upgrade.

    A distribution server is a machine from which you download the patch to the Cisco Secure ACS Appliance, so if you download the version to your laptop, then the laptop is the distribution server (nothing special).

    Upgrade an application of 4.2.1.15

    http://www.Cisco.com/en/us/partner/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2.1/Installation_Guide/solution_engine/upgap.html#wp1148376

    I hope this helps.

    Rgds, jousset

    Note the useful posts ~

  • [Cisco ACS] 11036 the RADIUS Message Authenticator attribute is invalid

    Hello

    I have a lot of Cisco APs connected to 2 Cisco WLCs.

    On each WLC, I configured a primary and a secondary RADIUS server.

    RADIUS servers are Cisco ACS 5.2.0.26 (patch 10)

    ACS primary and secondary configurations are synchronized.

    There is no problem between primary rules WLC and Cisco ACS (primary and secondary).

    When the secondary WLC asks the primary Cisco ACS, I get this error: "11036 the RADIUS Message Authenticator attribute is not valid".

    WLC secondary contacts automatically secondary Cisco ACS and it works fine.

    Cisco ACS description for this error: "this can be reason of mismatched shared Secrets."

    The two Cisco ACS are synchronized, so I should have the same error on them...

    Why primary ACS generates this error?

    Thanks for your help,

    Patrick

    Patrick: The shared secret mismatch could be on the side WLC, not on the side of the ACS.

    Make sure that the shared secret of the radius primary server is configured correctly on the secondary WLC.

    HTH

    Amjad

    Rating of useful answers is more useful to say "thank you".

  • The upgrade to Cisco ACS SE and Remote Agent

    Hello

    Currently we are upgrading the PDC to Windows Server 2008, Standard Edition R2.

    I am little confused with information available for upgrade scenarios. Appearing on the current working versions.

    Cisco ACS SE - version 4.1 Build 23 5 Patch 1

    Cisco ACS Remote Agent version 4.2 (0.124)

    The new operating system will work on 64-bit, I think that the current ACE SE and the remote agent can / must be upgraded.

    My existing versions, give the possible scenarios of upgrade available for me. After that upgraded SE and Remote Agent should work for the 64 bit OS.

    Thanks in advance!

    Yes, it is not possible to upgrade the existing ACS 4.1 to ACS 5.2. They are two different boxes running on different platforms.

    Unfortunately ACS 4.x does not support Windows 2008 R2.

    ACS 5.2 is the only option left, and you will need to buy a new separate box with a new license for this.

    Regards

    Bellefroid

    Note the useful messages

  • [Cisco ACS 5.2] Disk partitions used by ACS View?

    Hi (and happy new year)

    In Cisco ACS 5.2, there are several disk partitions:

    Which partition is used by ACS View?

    A document that explains all the features of partitions exist?

    Kind regards

    Patrick

    Patrick,

    I'm not aware of a document that explains all the ACS 5.x disk partitions. However, I can assure you that the ACS View data is stored on the /opt partition.

    If you have an ACS 5.x on a production network, one of the requirements is to install using the 500 GB hard disk. A 500 GB ACS reserves 347 GB for the /opt folder because it stores the ACS View information (reports and logs). It is the largest partition, as ACS View data includes all the ACS reports.

    I hope this helps.

    Kind regards.

  • Cisco ACS 4.2 internal error

    Good evening. I have a problem with ACS 4.2 and AD: on authentication on a PC I get an internal error. In RDS.log, I have this line:

    Error authentication UDB_NT_UNKNOWN_ERR (DOMAIN)------(USERNAME) - no response sent to the NAS

    I already checked for physical layer problems, dot1x is configured on the switch, and the CiscoSecure remote agent is installed.

    Hello

    Does the Auth.log file also show "Windows authentication FAILED (error 6L)" for the same timestamps as the RDS failures?

    Also, what version of ACS (include the Patch) are you using? You log on Windows Server 2003 or 2008 or 2008 R2 AD?

    NOTE: Remember that 2008 R2 AD is not supported by any 4.x version of ACS.

    Also, make sure that you have complied with the following requirements:

    http://www.Cisco.com/en/us/partner/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2/installation/guide/remote_agent/Rawi.html#wp311476

    Check which apply to you, as there are two options: Windows member server or Windows domain controller.

    Kind regards.

  • Selection rule for the 5.2 Cisco ACS Service

    Hello dear,

    I'm trying to configure the Cisco ACS 5.2 to Dot1x of authentication for clients on windows 7 & windows XP, I did all the steps but I could not create Service rule, it gives me an error message that you can see in the attached screenshot.

    After that I specify the allowed protocols it gives me the choice to choose the choice of identity and the is ' t it give me this error.

    your help is very appreciated.

    Kind regards

    Ibrahim

    Try another browser like Hussam suggested and let us know the results.

    I updated FireFox to 15.0.1 and now I am not able to manipulate many parameters with ACS 5.3
    Version of this browser is extremely stupid with ACS 5.x, but it shows not all message boxes. It just does not display the page when you click on the link.

    If different browsers show the same question, I would say that you restart the machine (physical or virtual) completely and try again.

    It is also best to upgrade to the latest patch, if this is not already the case.

    Greetings,

    Amjad

    Rating of useful answers is more useful to say "thank you".

  • Version of Cisco ACS 5.1.0.44.3 integrate with active directory server from Microsoft windows 2012?

    Version of Cisco ACS 5.1.0.44.3 integrate with active directory Microsoft windows 2012 R2 server?

    Unfortunately, it does not support R2 2012

    5.1 ACS supports all editions of:

    Windows Active Directory (AD) 2000

    Windows AD 2003

    Windows AD 2003 R2

    Windows AD 2008

    Source

    Windows AD 2012 R2 is supported after ACS 5.5 patch 1 and following.

    Source

    Please find below the steps to go from 5.1 to 5.5 patch 1:

    | STEP | FILE | COMMAND |
    | --- | --- | --- |
    | Apply the 5.1 patch 6 | 5-1-0-44-6.tar.gpg | acs patch install 5-1-0-44-6.tar.gpg repository ftp_repository_name |
    | Apply 5.3 | ACS_5.3.0.40.tar.gz | application upgrade ACS_5.3.0.40.tar.gz ftp_repository_name |
    | Apply the 5.3 patch 8 | 5-3-0-40-8.tar.gpg | acs patch install 5-3-0-40-8.tar.gpg repository ftp_repository_name |
    | Apply the point patch | Pointed-PreUpgrade-CSCum04132-5-3-0-40.tar.gpg | acs patch install Pointed-PreUpgrade-CSCum04132-5-3-0-40.tar.gpg repository ftp_repository_name |
    | Apply 5.5 | ACS_5.5.0.46.tar.gz | application upgrade ACS_5.5.0.46.tar.gz ftp_repository_name |
    | Apply the 5.5 patch 1 | 5-5-0-46-1.tar.gpg | acs patch install 5-5-0-46-1.tar.gpg repository ftp_repository_name |

    Best regards ~ jousset

  • Problem with certifcate on Cisco ACS

    We want to authenticate our internal wireless users using our Cisco ACS running 5.3. ACS queries our Active Directory environment for the user name and password provided. I created a CSR on ACS and provided it to Entrust. They gave me a root, chain and server certificate. I've linked the server certificate to the CSR under System Administration > Local Server Certificates > Local Certificates. I then added the chain and the root certificates under Users and Identity Stores > Certificate Authorities. When I try to connect from a laptop client it asks for a user name and password, but after entering this information, I am presented with the warning on this certificate below. This certificate is from Entrust and I see the root certificate in the root store on the laptop. Any ideas what would cause this? TAC does not seem to have all the answers. They say it's a problem with the client machine.

    In case you want to check your configuration settings.

    http://www.Cisco.com/en/us/products/ps10315/products_configuration_example09186a0080bd1100.shtml

    ~ BR
    Jatin kone

    * Does the rate of useful messages *.

  • Cisco ACS server

    Hello

    I currently have a Cisco ACS 3.3 Server. I want to upgrade the server to the latest version and cluster with one another so that we can have a redundant infrastructure because if one fails it also includes...

    Can provide you a solution for this?

    Thank you

    Hello

    The latest version is 4.1 ACS. You can upgrade 3.3.3 build 11 directly to 4.1.

    Then, you can install an another ACS 4.1 on a different machine and replication configuration between these two. In this way, you will need to make changes to only one that ACS and the secondary will be automatically updated.

    Once these two are defined, you can set both of these servers as RADIUS/TACACS+ servers on the devices and there will be redundancy.

    Kind regards

    Vivek

  • How can I use Cisco ACS to save Shell commands

    Hi guys, pleeeease how can I configure Cisco ACS to do command authorization on my Cisco 3660 router. I get the accounting and authentication logs but no log that shows the commands issued by users in the shell, and it's the most important log that I need. I read materials and downloaded articles from the Cisco site... but the thing still does not give me the logs.

    I have these lines on my router:

    ...

    aaa authorization config-commands

    aaa authorization exec default group tacacs+

    aaa authorization commands 15 default if-authenticated

    aaa authorization network default group tacacs+

    ...

    It's funny, when I turn on AAA authorization debugging on the router, it shows me every command being sent by the user in the debug log. But nothing shows under TACACS+ Administration on the Cisco Secure ACS. What is responsible for this?

    *****************************************************

    I installed the trial version of the Cisco ACS 90 days and made all necessary settings and I have to say I like what I see already. I'm opening moves to recommend the product to purchase. Thank you guys, I got about the features of this ACS software through this forum, keep up the good work. I recommend the software for those who need to have adapted to the management reports Security Audit logs.

    If I understand what you're asking correctly, the answer is not in authorization, it is in accounting. I set this up on my routers to send to ACS the commands that privilege level 15 users enter on the router.

    aaa accounting commands 15 default start-stop group tacacs+
