Cisco Secure ACS 3.3 (1)-> 4.0 upgrade problems (1)

Hi all!

I have problems upgrading my primary ACS from version 3.3 -> 4.0

I always get the following error message, then it does the upgrade:

"The record of the CiscoSecure ACS seems to be blocked by another application: C:\Program Files\CiscoSecure ACS v3.3.

Please close all applications... blabla..."

The thing is, I upgraded my backup ACS first, and that upgrade worked like a charm.

In both cases, for the primary and the backup, I took over the server with DameWare remote, copied the ACS 4 folder to the server's hard disk and ran the upgrade from this folder.

As I said, the upgrade of backup server worked without a hitch.

That's what I tried:

1. I checked that NO application uses the ACS 3.3 folder and no Explorer window is open on this folder or its subfolders.

I checked using a small program called Filemon.exe from Sysinternals. According to this program, anything accessed said folder.

I also double-checked by actually renaming the ACS 3.3 folder once I had stopped all the ACS services. I could not rename the folder while the services were started.

2. I tried to stop the ACS services first and then make the configuration, got the same error.

3. I have disabled the antivirus software, got the same error.

Basically I am at my wits end now...

However, I have two options:

1. Uninstall ACS 3.3, do a clean install of ACS 4.0 and import all the data from the backup ACS.

Who would not raise by the primary association with the ACS configuration backup? So I think I will need to go on it later and make changes, if necessary?

2. Make a backup of ACS 3.3 with csutil -b

Uninstall ACS 3.3, do a clean install of ACS 4.0 and import all the data with csutil -r

Would this work? I've seen conflicting information here in this forum; some say that it works, others say it does not.

I'm a little confused why it worked so well on the backup ACS but fails on the primary ACS.

Any help would be greatly appreciated!

Thank you!

Ivar Thorolfsson



The folder lock message often appears if the logs located in the ACS directory are too big.

Move the logs of the following directories: -.









Then try to upgrade.

Kind regards



Similar Questions

  • Cisco Secure ACS Solution Engine ping

    1. I installed Cisco Secure ACS Solution Engine with V3.3 and I can access it via HTTP port 2002, but I can't ping it from anywhere in the network, while the server can ping everything. Is this normal?

    2. If I can't ping it, how can I define the service keepalive to load balance 2 ACS engines using CSS?

    By the way, I forgot that the ACS 3.3 device has a CSA integrated. This agent is enabled by default. That explains why you can't ping it.

    To enable/disable it, go to "System Setup Configuration - device". Toggle the CSA enabled checkbox as needed.



  • Cisco Secure ACS vs IAS in Windows

    Hi all

    I need to deploy an AAA for the following situations.

    (1) remote access via Cisco VPN Clients.

    (2) AAA for wireless windows PC in remote areas

    (3) AAA for Cisco switches and routers in remote areas

    (4) authentication with a windows domain

    The Windows IAS would be virtually free as we already have Windows 2003 domain controllers at each remote site. However, Cisco Secure ACS might also be an option. Not all have experience in these two?

    What are the positives\negatives of each? and limits?

    Does anyone have any information on case study etc. in comparing the two?

    Your help is greatly appreciated.

    Kind regards


    PS: There is a limitation in Windows 2003 Standard edition, which limits the number of Radius clients to 50. Although we have more than 50 potential clients in society, no site has more than 50 altogether.

    MS IAS allows you to implement the solution using only the RADIUS protocol

    ACS offers the feature to use RADIUS as well as TACACS+.

    Looking at the 4 solutions you want to implement, only the 3rd solution will be a little easier with TACACS+, but even then it is not something you cannot implement using RADIUS.

    On the limitation of Radius client, ACS offers a large database that you can use for customers, so limiting to 50 customers. In addition many many features, you'll love to integrate into your network as the NAP/NAC implementation, made it easier.

    So you need to check if you have the budget, you can go to ACS, IAS on the other can work well for all solutions (except limitation of radius client, I'm sure that MS can provide a workaround solution).

    the following link can help you with information on sales of ACS:

  • Cisco Secure ACS 4.2 on VMware ESX 4.0.

    We must move from ESX 3.5 to ESX 4.0 a virtual machine running Cisco Secure ACS for Windows version 4.2.

    Is this solution compatible and supported by Cisco?

    Thank you.


    ACS Windows 4.2 is not supported by Cisco, when installed on VMWare ESX 4.0 in accordance with the following documentation:

    Only ACS 5.1 is supported on ESX 4.0:

  • With Cisco Secure ACS for Windows TACACS+, authentication fails with AD

    I'll put up a Cisco Secure ACS 4.2 server to act as a RADIUS server for switches and routers I use Windows 2003 server for the candidate countries.
    and an Active Directory of Windows 2003 server.  The ad server is very good, it is used for many other things.

    I've implemented ACS as defined in the installation guide, including all the steps in the "Member Server" section of the installation guide
    when you use AD as an external database (e.g. setting up services to run with a domain administrator account, set up a machine called "CISCO"
    on the field, etc.).

    I've set the unknown user policy to use the database of Windows, if the internal database does not contain the details of the user.

    If I add a user to the internal database, authentication goes through fine, with an entry in the journal "Authentication," spent

    02-24-2010, 05:07:03, authentic failed, eXXXX, Network Administrators (NDG), X.X.X.X, (default), internal error, (get the internal error error message)

    I scoured google etc and just cannot come up with any reason why this should be the case.
    I followed all of the installation to the letter guides.  I need to get this up and running as soon as possible,
    so am eager to know if someone can help me with this one!

    Thanks and greetings



    Internal error is fairly generic, but a common situation where we see this error is when ACS is installed on a 64-bit computer. ACS would not work with the active Manager when it is installed on 64-bit machines before ACS 4.2.1.


  • Cisco Secure ACS 5.3 SNMP agent does not


    I have problems with the SNMP on Cisco Secure ACS 5.3 agent (patch level 5) stop, is there a quick way to restart the SNMP daemon via the command line?


    I understand where you come, I encountered the following bug:


    The process of the SNMP agent in demon device ACS stops.

    and reboot the box will bring him back to the top and after about 3 days, he'd stop. I just want to see if it's the same bug that could be back in patch 5. The best thing to do at this stage is to plan a quick down and restart the box to see if the snmp process starts again. If this then gives IT a week to see if the snmp Protocol falls down. If it does then make reference to this bug and open a new case of tac for repair. If not, then you should be in the clear.

    Thank you

    Tarik Admani

  • Cisco Secure ACS 4.2 Windows authentication of different domain


    I have a Cisco Secure ACS for Windows Server 4.2. The server belongs to a domain and the domain, the users belonging to a certain group are authenticated.

    Now, I have to change the configuration of the server and reassign it to another area. There is no trust relationship between two domains and I would like to know if users can always be authenticated against the previous domain.


    First of all, take a backup (as a precaution, in order to restore the config if something goes wrong), then continue with the following:

    -Remove the configuration of the windows domain (group... mapping etc) from the server before changing the field.

    -Change the domain membership, and then restart.

    -follow the missions post-disiez for ACS (see this link):

    -Configure the external database again on ACS (group mapping, strategy unknown user... etc).

    You should note that if the new domain controller is Windows Server 2008 R2, that is not supported by ACS 4.x.



    Rating of useful answers is more useful to say "thank you".

  • Cisco Secure ACS appliance - impossible to edit... Reason: The host no longer exists.

    Hi team,

    I have 2 camera which I am not able to remove a group of network devices home device.

    When I try to remove the device after error is thrown

    Impossible to edit INMUM-VPE-T1-3rdFloor-3750-S...  Reason: The host no longer exists.

    Running on Version: Cisco Secure ACS4.2.0.124

    One would come in all of these issues. someone knows the solution.



    Hi Vineeth

    Yes, you can do through GUI.

    The GUI:

    1 ACS gui > network configuration > click on 'Search', then click 'Search' again.

    2. complete list of all network devices. On top, you will see an option "Download".

    Download the complete file.

    Let me know if it helps.

    Thank you

    Nelson Saha

  • Cisco Secure ACS 5.1 and strong authentication ACS administrators?


    Is it possible to authenticate administrators using an RSA SecurID token?

    There is no indication on this issue in the Panel "System Administration > directors > settings > authentication".

    (I'm under Server Secure ACS

    Thank you


    Hi Christophe,

    Unfortunately not.

    The only DB supported for Administrator accounts is the internal DB of ACS.

    I hope this helps.


  • Cisco Secure ACS Solution engine v3.2

    Device equipment ACS Solution engine by default comes with two network adapters. Can I configure it so one NIC is on VLAN 30 and the other network card on VLAN 50?

    VLAN 30 - will be the network that communicates or provides credentials for authentication of the ACS Remote Agent for Windows.

    VLAN 50 - will be for authentication of network devices. RADIUS or TACACS.

    This is not possible as single network adapter works both. (Look for the rear Control Panel items)

    Kind regards


  • Cisco Secure ACS groups 5.1 Active Directory and RSA Authentication Manager 7.1 for profiles



    I'm deploying an ACS connected to an RSA AuthManager (that is connected to an Active Directory domain)

    I create several groups within the Active Directory server, I try to give to users for their groups different access rights.

    I tried to define an access policy "NetOp/NetAdm" and two authorization rules:

    Rule-1 AD - AD1:ExternalGroups contains all dir. INTRA/groups/NETOP 'Auth for net operators' 0

    Rule 2 AD - AD1:ExternalGroups contains all dir. INTRA/groups/NETADM 'Auth net admin' 0

    Default: refuse

    In the identity, I have configured the RSA identity source, so that users get authenticated by the RSA Authentication Manager.

    But I still refuse to get access, RSA authentication is successful, but the group membership, active directory does not work, even with the unix attributes or group principal defined for the user.

    My question is this valid configuration scenario? Is there another way to define several profiles according to the Group of users of external source?

    The stages of monitoring:


    Request for access received RADIUS 11001

    11017 RADIUS creates a new session

    Assess Service selection strategy

    15004 Matched rule

    Access to Selected 15012 - NetOp/NetAdm service policy

    Evaluate the politics of identity

    15004 Matched rule

    15013 selected identity Store - server RSA

    24500 Authenticating user on the server's RSA SecurID.

    24501 a session is established with the server's RSA SecurID.

    24506 check successful operation code

    24505 user authentication succeeded.

    24553 user record has been cached

    24502 with RSA SecurID Server session is closed

    Authentication 22037 spent

    22023 proceed to the recovery of the attribute

    24628 user cache not enabled in the configuration of the RADIUS identity token store.

    Identity sequence 22016 completed an iteration of the IDStores

    Evaluate the strategy of group mapping

    15006 set default mapping rule

    Authorization of emergency policy assessment

    15042 no rule has been balanced

    Evaluation of authorization policy

    15006 set default mapping rule

    15016 selected the authorization - DenyAccess profile

    15039 selected authorization profile is DenyAccess

    11003 returned RADIUS Access-Reject

    Thank you


    I think what you need to do is to create a sequence of identity with RSA as a selection in Authentication and recovery research list of attributes and AD in the additional attribute list recovery research. Then select this sequence as a result of the politics of identity for the service.

  • DISCONNECTED in Cisco Secure ACS AD

    We have ACS


    As disconnected Active Directory showing connectivity

    We faced the same problem when he was 5.x, we went to


    After 2.5 months now, we have faced this problem. Permanent any solution for this.

    Restarting the service got suspended and where we rebooted the server to fix.

    Please help on this as soon as possible.

    Thank you & best regards,

    Sakthivel M

    You questions'are running one of the code and patch of ACS more stable if we are talking about ACS - AD. I don't know that it should not be a problem with the ACS. Something is not configured correctly. Most likely a problem of DNS or NTP.

    In order to dig deeper and to know what might be the causes, you will need to provide some information and logs when it happens again.

    1.] we have ACS currently running on the machine or Vmware?

    2.] when you say that it is in the disconnected state, you see do both authentication failed or it shows just disconnected status. In case of failure, what is the error, we get in the section logging ACS? In addition, you can see test connection arrive at positive results?

    3.] what is the status of the customer-ad on the CLI service, can be verified with "view the status of the acs application" when you say its disconnected?

    4.] in addition, when you try to join again while it is disconnected, you see an error? can you share?

    5.] more importantly, debug level logs would tell us the real story. Before you reproduce the problem, we must set the logs to the debug level. (If this cannot be reproduced then wait for the issue to reproduce)

    Go to the ACS CLI:

    ACS / admin # acs - config

    Escape character is CNTL/D.

    Username: acsadmin

    Password: XXXXXXXX

    ACS/admin(config-ACS) #.

    Set the ACS logs to the desired debugging level.

    ACS/admin(config-ACS) # debug level to debug-log duration

    ACS/admin(config-ACS) # enable debug-adclient

    NOTE: once you have finished, put newspapers.

    Generate the support bundle and upload it here. Mention the timestamp when the issue was reproduced; it will help me track down the logs concerned.

    Jatin kone
    -Does the rate of useful messages-

  • Cisco Secure ACS 4.1 - blocking attempts to authenticate to a specific host

    We use the application of RADIUS of ACS 4.1 for both wireless 802.1x and for our old PIX 515E authentication, as well as a few other features.

    We try to migrate users off the PIX and want a method of disabling their ability to connect through the PIX once we have them migrated to the new method of remote access.

    Authentication in ACS logs show the IP address of our PIX under "NAS-IP-Address" as the source of the authentication attempt.

    Is there a relatively simple/easy way to block this IP address attempts (which causes these attempts fail) all by allowing wireless systems and others to proceed as usual on a per user basis?


    If I have understood correctly, you must allow users to connect to the wifi but prevent users from connecting via PIX.

    What you can do is create a Network Access Restriction (NAR) configuration under the group config (or under the user configuration if per user).

    See this image:

    If you don't see the network access restrictions config under the user and/or group config, you can activate it under Interface Configuration -> Advanced Options.



    Rating of useful answers is more useful to say "thank you".

  • ACS 3.3 to 4.0 upgrade problems


    I have a Cisco ACS 3.3 running on a win2k platform server and I need to upgrade to ACS4.0 on win2k.

    - 3.3 backup and restoring files on web interface 4.0 does not work;

    - the same operation using csutil.exe does not work (csutil -b [...], then csutil -r [...])

    - I installed the new machine with ACS 3.3, I imported the data/group/user with csutil, then I installed ACS 4.0 using setup.exe. The result is that the ACS services will not start

    Anyone know what I need to do?

    Thank you


    Hi Antonio,

    - 3.3 backup and restoring files on web interface 4.0 do not work.

    * It won't work, because in ACS we can back up and restore the database among same versions only of the ACS, also applies to replication.

    - the same operation using csutil.exe does not work (csutil -b [...], then csutil -r [...])

    * Answer will be the same as above.

    - I installed the new machine with ACS 3.3, I imported the data/group/user with csutil, then I installed ACS 4.0 using setup.exe. The result is that the ACS services do not start.

    * Normal this is if you hit a bug, that when we try to upgrade a database of ACS 3.3 (x) xx of ACS 4.0 build we have leak customer spaces AAA and/or servers writing AAA in database, and that can cause a problem. But we cannot not be hitting this bug.

    How to upgrade:

    [1] make sure we follow the path correct upgradation and supported:

    [2] then follow following steps upgrade:

    Summarizing link above, just run installation of ACS 4.0 on an existing installation of ACS 3.3, and the installation program will ask itself, to save the previous configuration, select Yes at this time.

    Let me know if it helps. Please rate if this helps.

    Kind regards

    Rafael Lanna

  • Secure ACS: Special-attributes RADIUS for Enterasys E7


    We were on a pretty old version of the Cisco Secure ACS for AAA of our network devices.

    Unfortunately, the server crashed and we needed to install and configure it on a new server.

    TACACS+ for our devices using Cisco works very well.

    We have a couple of switches made by a vendor called Nexans, which support only RADIUS - it works fine also.

    In addition, we still have a few Enterasys E7 and with those RADIUS does not work at all.

    Sniffing packets, everything looks good.

    With the old server it worked well.

    Does anyone know if there are special configurations (attributes, for example) when you configure an ACS for Enterasys RADIUS clients?

    Thank you


    Try this

    ID attribute [011] filter to ' Enterasys:version = 1:mgmt = su:
