The ACS replication ports

Hello all, I have two ACS 3.3 servers and I am trying to replicate between them, but it does not work. The topology is something like this:

ACS1<->PIX525<->RouterTelmex - Internet - RouterTelmex<->ASA5540<->ACS2

I have tested a lot of things, and I guess the problem is in the ASA5540. So the question is: does anyone know which ports need to be opened on the ASA5540 to allow replication? I know port 2000 must be opened, but I think there must be some more ports.

Thank you very much.

Gabriel

Hello Gabriel,

As far as I know, you only need port 2000 open for ACS replication.

BTW, do you have skinny inspection enabled on the ASA? ACS replication runs on port 2000, which also happens to be the port used by the Skinny protocol. Make sure that skinny inspection is disabled on both firewalls and see if you can get replication working.

no fixup protocol skinny 2000

I hope it helps.

Kind regards

Arul

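A way to check for the Skinny inspection Arul mentions before touching the firewall, as an added example that is not from this thread: the script parses an ASA Modular Policy Framework config and the older PIX 6.x fixup syntax, reports where inspect skinny is enabled and whether that policy is applied globally, and builds the commands that disable only that inspection. The configs are constructed samples, not the poster's.

```python
"""Find Skinny (SCCP) inspection in an ASA/PIX config: it rewrites TCP/2000,
the port ACS replication uses. Added example, not from the thread."""
import re

# Constructed sample configs (not the poster's). ASA 7.x+ uses the Modular
# Policy Framework; PIX 6.x uses the older "fixup" syntax.
ASA_CONFIG = """\
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect skinny
  inspect h323 h225
!
service-policy global_policy global
"""

PIX_CONFIG = """\
fixup protocol ftp 21
fixup protocol skinny 2000
fixup protocol sip 5060
"""


def find_skinny_inspection(config):
    """Return one (scope, policy_map, class_map, line) tuple per place Skinny
    inspection is enabled. scope is 'global' for a PIX fixup or a policy-map
    applied with 'service-policy ... global', the interface name for a
    per-interface service-policy, or 'unapplied' if it is never applied."""
    hits, applied = [], {}
    policy = cls = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            policy = cls = None          # top-level line: leave any policy-map
        if (m := re.match(r"policy-map\s+(\S+)$", line)) and not raw.startswith(" "):
            policy = m.group(1)
        elif policy and (m := re.match(r"class\s+(\S+)", line)):
            cls = m.group(1)
        elif policy and cls and re.match(r"inspect\s+skinny\b", line):
            hits.append((policy, cls, line))
        elif re.match(r"fixup\s+protocol\s+skinny\b", line):
            hits.append((None, None, line))
        elif (m := re.match(r"service-policy\s+(\S+)\s+(?:global|interface\s+(\S+))", line)):
            applied[m.group(1)] = m.group(2) or "global"
    findings = []
    for policy, cls, line in hits:
        scope = "global" if policy is None else applied.get(policy, "unapplied")
        findings.append((scope, policy, cls, line))
    return findings


def remediation_commands(findings):
    """Config lines that disable only Skinny inspection for each finding,
    leaving every other inspection in the policy untouched."""
    cmds = []
    for _scope, policy, cls, line in findings:
        if policy is None:
            cmds.append("no " + line)                         # PIX 6.x syntax
        else:                                                 # ASA MPF syntax
            cmds += [f"policy-map {policy}", f" class {cls}", "  no inspect skinny"]
    return cmds


if __name__ == "__main__":
    for name, cfg in (("ASA", ASA_CONFIG), ("PIX", PIX_CONFIG)):
        found = find_skinny_inspection(cfg)
        print(name, found)
        print("\n".join(remediation_commands(found)))
```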


Similar Questions

  • Where is the shared secret field for the ACS 5.3 server itself?

    Hello

    We currently have a distributed PR and DR ACS 5.3 installation, implemented with TACACS+ and RADIUS.

    The RADIUS client is Opnet AppResponse Xpert Admin. We are trying to integrate AppResponse Xpert Admin with ACS.

    The GUI for AppResponse Xpert Admin asks for the IP address of the RADIUS server (i.e. our ACS), the RADIUS port (i.e. 1812) and a 'secret'. I assume that means the shared secret of the ACS itself (not the shared secret used by network devices).

    On our ACS 4.2 systems, we have a field for a shared secret on the ACS server itself (to allow replication?).

    Searching for "Shared Secret" in the PDF "User Guide for Cisco Secure Access Control System 5.3" only found references to defining one for network devices and not one for the ACS itself.

    Is a shared secret for the ACS server still relevant for the ACS 5.x system?

    Hi Stuart,

    To answer your question:

    There is no shared secret for the ACS itself.

    If the ACS needs to communicate with another device, you must define an AAA client and define a shared secret.

    ACS 4 used this shared secret to protect/secure replication; ACS 5 secures replication by encryption and not by shared secrets (hash).


  • Change IP of an ACS device

    What will break if I change the IP address of an ACS 4.2 appliance? I need a few of them to take over the IP addresses of our existing production boxes. Apart from manually resetting the SE's IP through the console and reconfiguring the AAA/replication server and ACS Agent config IPs, is there anything that is "lost" or permanently broken when you reset the IP address?

    Thank you!

    Yes, a dynamic mapping is created when the user connects, but this will be a default mapping. All users will be mapped to the default group.

    In case you have permissions set up on the basis of the group, it will not work.

    If you have all the users mapped to the default group, then there is no need to worry.

    Kind regards

    ~ JG


  • ACS replication problem

    I have two ACS servers with replication configured. Manual replication works fine, but when setting up scheduled replication, the server says "Preliminary checks indicate outgoing replication unnecessary - cycle completed". Even if new entries have been added to the primary server, replication is deemed unnecessary.

    Any thoughts?

    Please check this bug:

    CSCsd02854: automatic replication not triggered after changing the config of some components

    Symptom: When configured for automatic replication, only changes to users/groups/SPC are replicated automatically. Changes to the configuration of NAS, Admin, PAN and external database components do not trigger replication.

    Conditions: This is seen when the automatic replication (intermittently or at a specific time) is configured.

    Solution: Start the replication manually after configuration changes for the affected components have been made.

    http://Tools.Cisco.com/support/BugToolKit/action.do?hdnAction=searchBugs

    Please make sure that the secondary ACS server has received all the replicated network devices from the primary ACS server successfully. If not, and scheduled replication is configured, then we are hitting this bug.

    Kind regards

    ~ JG


  • ACS 4.2 and Kaspersky antivirus

    Hi all

    I want to install Kaspersky Anti-Virus on ACS version 4.2 running on Windows 2000.

    Is it applicable or not?

    Thanks in advance,

    Ayman Yehia

    Hi Ayman,

    As a general rule of thumb, there should be no limitation on installing Kaspersky on Windows 2000 with ACS 4.2.

    In the past, we have seen problems with some antiviruses, such as Norton, for example, blocking the ACS services.

    Unfortunately, the AVs and their releases differ too much to build a specific compatibility matrix.

    As said, nothing should prevent ACS 4.2 from working when Kaspersky is installed, as long as Kaspersky does not block specific ports/services.

    Kind regards

    Fede


  • Why is the ACS blocking my connection to the console?

    I have AAA configured on my switches and routers, but when my server goes down I can't get access to the console port.

    My config and the output of debug aaa authorization are attached.

    These are the debugs for each access: Telnet with a TACACS+ user, console with a TACACS+ user, and testing with the local user.

    Telnet access

    Oct 15 01:03:09: AAA: analyze name = tty2 BID type =-1 ATS = - 1

    Oct 15 01:03:09: AAA: name = tty2 flags = 0 x 11 type = 5 shelf = 0 = 0 = 0 = channel 2 = 0 port adapter slot

    Oct 15 01:03:09: AAA/MEMORY: create_user (0x2778E84) user = ruser 'NULL' = 'NULL' ds0 = 0 port = 'tty2' rem_addr'10.10.10.23 = 'authen_type = ASCII service = CONNECTION priv = 1 initial_task_id = ' 0', vrf = (id = 0)

    Oct 15 01:03:10: CDP-4-NATIVE_VLAN_MISMATCH %: incompatibility of VLAN native on GigabitEthernet0/37 (102), was discovered with tst1-s2 GigabitEthernet0/1 (1).

    Oct 15 01:03:11: AAA/MEMORY: free_user (0x28E1BFC) user = ruser 'ACS-USER' = 'NULL' port = 'tty2' rem_addr = '10.10.10.23' authen_type = ENABLE priv = 15 = ASCII service

    Oct 15 01:03:13: AAA/MEMORY: free_user (0x2778E84) user = ruser 'ACS-USER' = 'NULL' port = 'tty2' rem_addr = '10.10.10.23' authen_type = ASCII = priv = 1 CONNECTION service

    Console access (working with the ACS user)

    Oct 15 01:08:57: AAA: analyze name = tty0 BID type =-1 ATS = - 1

    Oct 15 01:08:57: AAA: name = tty0 flags = 0 x 11 type = 4 shelf = 0 = 0 = 0 = 0 = 0 channel port adapter slot

    Oct 15 01:08:57: AAA/MEMORY: create_user (0x28AA8E4) user = ruser 'NULL' = 'NULL' ds0 = 0 port = "tty0" rem_addr = "async" authen_type = service ASCII = CONNECTION priv = 1 initial_task_id = '0', vrf = (id = 0)

    Oct 15 01:09:11: AAA/MEMORY: free_user (0x27C0DC4) = user tweak "ACS-USER" = "NULL" port = "tty0" rem_addr = "async" authen_type = ASCII service = ENABLE priv = 15

    Oct 15 01:09:18: AAA/MEMORY: free_user (0x28AA8E4) = user tweak "ACS-USER" = "NULL" port = "tty0" rem_addr = "async" authen_type = ASCII = priv = 1 CONNECTION service

    Console access (not working with the local user)

    Oct 15 01:05:24: AAA: analyze name = tty0 BID type =-1 ATS = - 1

    Oct 15 01:05:24: AAA: name = tty0 flags = 0 x 11 type = 4 shelf = 0 = 0 = 0 = 0 = 0 channel port adapter slot

    Oct 15 01:05:24: AAA/MEMORY: create_user (0x27C1310) user = ruser 'NULL' = 'NULL' ds0 = 0 port = "tty0" rem_addr = "async" authen_type = service ASCII = CONNECTION priv = 1 initial_task_id = '0', vrf = (id = 0)

    Oct 15 01:05:36: AAA/MEMORY: free_user_quiet (0x27C1310) = user tweak "LOCAL_USER" = "NULL" port = "tty0" rem_addr = "async" authen_type = 1 = 1 = 1 private service

    Oct 15 01:05:36: AAA: analyze name = tty0 BID type =-1 ATS = - 1

    Oct 15 01:05:36: AAA: name = tty0 flags = 0 x 11 type = 4 shelf = 0 = 0 = 0 = 0 = 0 channel port adapter slot

    Oct 15 01:05:36: AAA/MEMORY: create_user (0x28D201C) user = ruser 'NULL' = 'NULL' ds0 = 0 port = "tty0" rem_addr = "async" authen_type = service ASCII = CONNECTION priv = 1 initial_task_id = '0', vrf = (id = 0)

    Oct 15 01:06:09: AAA/MEMORY: free_user_quiet (0x28D201C) = user tweak "NULL" = "NULL" port = "tty0" rem_addr = "async" authen_type = 1 = 1 = 1 private service

    Oct 15 01:06:09: AAA: analyze name = tty0 BID type =-1 ATS = - 1

    Oct 15 01:06:09: AAA: name = tty0 flags = 0 x 11 type = 4 shelf = 0 = 0 = 0 = 0 = 0 channel port adapter slot

    Oct 15 01:06:09: AAA/MEMORY: create_user (0 x 2773004) = user tweak 'NULL' = 'NULL' ds0 = 0 port = "tty0" rem_addr = "async" authen_type = service ASCII = CONNECTION priv = 1 initial_task_id = '0', vrf = (id = 0)

    Oct 15 01:06:41: AAA/MEMORY: free_user (0 x 2773004) = user tweak "NULL" = "NULL" port = "tty0" rem_addr = "async" authen_type = ASCII = priv = 1 CONNECTION service

    Thanks for your help.

    Change your commands from

    aaa authentication login default group tacacs+ enable
    aaa authentication enable default group tacacs+

    to

    aaa authentication login default group tacacs+ local
    aaa authentication enable default group tacacs+ enable

    Kind regards

    Prem

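Why Prem's change matters, as an added example that is not from the thread: a simplified Python model of how IOS walks a login method list. It shows that the next method is consulted only when the previous one returns an error (server unreachable or nothing configured), never when the server answers with a reject, so "group tacacs+ local" gives console access during a TACACS+ outage without letting a user the server rejected fall through to the local database. The device state, users and the model itself are assumptions, not Cisco's code.

```python
"""Simplified model of IOS AAA method-list evaluation (added example; an
assumption about the semantics, not Cisco's implementation)."""
from enum import Enum


class Result(Enum):
    PASS = "pass"    # method authenticated the user
    FAIL = "fail"    # method answered and rejected the user
    ERROR = "error"  # method could not answer (server down, nothing configured)


def parse_method_list(line):
    """Turn 'aaa authentication login default group tacacs+ local' into
    ['group tacacs+', 'local']."""
    toks = line.split()
    methods, i = [], toks.index("default") + 1
    while i < len(toks):
        if toks[i] == "group":
            methods.append(f"group {toks[i + 1]}")
            i += 2
        else:
            methods.append(toks[i])
            i += 1
    return methods


class Device:
    """Constructed router state. Assumptions: TACACS+ is either reachable or
    not; 'local' returns ERROR only when no local user exists at all; 'enable'
    returns ERROR when no enable secret is configured."""

    def __init__(self, tacacs_up, tacacs_users, local_users, enable_secret):
        self.tacacs_up, self.tacacs_users = tacacs_up, tacacs_users
        self.local_users, self.enable_secret = local_users, enable_secret

    def run_method(self, method, user, password):
        if method == "group tacacs+":
            if not self.tacacs_up:
                return Result.ERROR
            return Result.PASS if self.tacacs_users.get(user) == password else Result.FAIL
        if method == "local":
            if not self.local_users:
                return Result.ERROR
            return Result.PASS if self.local_users.get(user) == password else Result.FAIL
        if method == "enable":
            if self.enable_secret is None:
                return Result.ERROR
            return Result.PASS if password == self.enable_secret else Result.FAIL
        raise ValueError(f"unsupported method {method!r}")


def authenticate(device, methods, user, password):
    """Methods are tried in order; the next one is consulted only when the
    current one returns ERROR. PASS or FAIL ends evaluation, so a reachable
    server that rejects the user never falls back to the next method.
    Returns (result, deciding_method); (FAIL, None) means every method errored."""
    for method in methods:
        r = device.run_method(method, user, password)
        if r is not Result.ERROR:
            return r, method
    return Result.FAIL, None


if __name__ == "__main__":
    before = parse_method_list("aaa authentication login default group tacacs+ enable")
    after = parse_method_list("aaa authentication login default group tacacs+ local")
    outage = Device(False, {"acsuser": "acspw"}, {"localuser": "localpw"}, None)
    print("server down, old list:", authenticate(outage, before, "localuser", "localpw"))
    print("server down, new list:", authenticate(outage, after, "localuser", "localpw"))
```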

  • Joining ACS 5.4 to AD: strange issue

    Hello

    We have two ACS boxes with the same software version (5.4.0.46.0a). We have been able to join the domain with only one ACS; the other ACS gives the attached error.

    When we ran "main-acs-01 / admin # acs troubleshooting adcheck", it gave the same error on both boxes; however, one ACS successfully joined the domain and the other failed.

    principal-acs-01 / admin # acs troubleshooting adcheck

    This command is only for advanced troubleshooting and could generate a lot of network traffic

    Do you want to continue?  (yes/no) Yes

    OSCHK: Check that it is operating system: pass

    PATCH: Patch Linux check: pass

    PERL: Check that perl is present and is a good version: pass

    SAMBA: Inspection of the installation of Samba: pass

    SPACECHK: Check if there is enough space in/var/usr/tmp: pass

    HOSTNAME: Check the hostname parameter: pass

    NSHOSTS: Check the hosts line in /etc/nsswitch.conf: pass

    DNSPROBE: Probe Server DNS 172.24.1.1: pass

    DNSPROBE: Probe Server DNS 172.24.1.2: pass

    DNSCHECK: Analyze the health of DNS servers database: pass

    WHATSSH: Is it a SSH DirectControl works perfectly with: pass

    SSH: SSHD version and configuration: Note

    : You are running OpenSSH_5.3p1, CiscoSSL 0.9.8r.1.3.

    DOMNAME: Check that the domain name is reasonable: pass

    ADDC: Search for domain controllers in the DNS: pass

    ADDNS: Search DNS DC xxxx.                      : Pass

    ADPORT: Scan of Port DC xxxx.                       : Pass

    ADDNS: Search DNS DC xxxx.                     : Pass

    ADPORT: Scan of Port DC xxxx.                      : Pass

    ADDNS: Search DNS DC xxxx.                      : Failed

    : Could not resolve the IP address of xxxx.hmc.org.qa.

    ADDNS: Search DNS DC xxxx.                      : Pass

    ADPORT: Scan of Port DC xxxx.                       : Pass

    ADDNS: Search DNS DC xxxx.                   : Pass

    ADPORT: Scan of Port DC xxxx.                    : Pass

    ADDNS: Search DNS DC xxxx.                     : Pass

    ADPORT: Scan of Port DC xxxx.                      : Warning

    : One or several ports did not respond correctly. Either:

    (: a) the domain controller is offline

    (: b) a firewall prevents access to a port

    : The following is a list of ports has failed:

    : ldap 389/udp - timeout

    : 445/tcp smb - denied

    : ldap 389/tcp - denied

    ADDNS: Search DNS DC xxxx.                        : Pass

    ADPORT: Scan of Port DC xxxx.                         : Pass

    ADDNS: Search DNS DC xxxx.                        : Pass

    ADPORT: Scan of Port DC xxxx.                         : Pass

    ADDNS: Search DNS DC xxxx.                           : Pass

    ADPORT: Scan of Port DC xxxx.                            : Pass

    ADDNS: Search DNS DC xxxx.                    : Pass

    ADPORT: Scan of Port DC xxxx.                     : Pass

    ADDNS: Search DNS DC xxxx.                      : Pass

    GCPORT: Port scan of GC xxxx.                       : Pass

    ADDNS: Search DNS DC xxxx.                     : Pass

    GCPORT: Port scan of GC xxxx.                      : Pass

    ADDNS: Search DNS DC xxxx.                      : Failed

    : Could not resolve the IP address of airportdc1. .

    ADDNS: Search DNS DC xxxx.                      : Pass

    GCPORT: Port scan of GC xxxx.                       : Pass

    ADDNS: Search DNS DC xxxx.                   : Pass

    GCPORT: Port scan of GC xxxx.                    : Pass

    ADDNS: Search DNS DC xxxx.                     : Pass

    GCPORT: Port scan of GC xxxx. : WARNING

    : One or several ports did not respond correctly. Either:

    (: a) the GC is offline now

    (: b) a firewall prevents access to a port

    : The following is a list of ports has failed:

    : gc 3268/tcp - denied

    ADDNS: Search DNS DC xxxx.                        : Pass

    GCPORT: Port scan of GC xxxx.                         : Pass

    ADDNS: Search DNS DC xxxx.                        : Pass

    GCPORT: Port scan of GC xxxx.                         : Pass

    ADDNS: Search DNS DC xxxx.                           : Pass

    GCPORT: Scan of Port GC xxxx : pass

    ADDNS: Search DNS DC xxxx.                    : Pass

    GCPORT: Port scan of GC xxxx.                     : Pass

    ADGC: Check Global catalog servers: pass

    DCUP: Search for operational controllers : pass

    SITEUP: Check DCs in our site: pass

    DNSSYM: Check the symmetry of DNS server: pass

    ADSITE: Verify that the subnet of this machine is in a site known as AD: pass

    GSITE: See if we think it is the correct site: pass

    TIME: Synchronization of clocks Check: pass

    2 serious issues have been encountered during the audit. These must be fixed before proceeding

    2 warnings were encountered during the audit. We recommend that you check these before proceeding

    principal-acs-01 / admin #

    Has anyone faced this problem before? I would be grateful if someone can tell me how to solve it.

    It is a known issue with ACS 5.3. However, we had this problem in ACS 5.3 patch 7 and ACS 5.4 as well.

    Since you're on ACS 5.4, it should not trigger.

    CSCtx53223    After upgrade to ACS 5.3, ACS fails to join AD domain - missing Centrify license

    Symptom:

    After the upgrade from 5.2 to 5.3, ACS is unable to join the domain. The AD connection worked for several days, until the services were restarted. After this, ACS is unable to join AD, with the following error message in ACSADAgent.log:

    Jan 20 02:36:32 CBR1BACS01 adjoin[6814]: DEBUG cli.adjoin Join to domain is permitted only with a licensed copy of DirectControl. Obtain a license or learn more about Centrify at http://www.centrify.com/express

    Jan 20 02:36:32 CBR1BACS01 adjoin[6814]: DEBUG cli.adjoin Without a license, you can join a domain via Auto Zone by specifying adjoin -w Test.Test

    Conditions:

    Upgrade from 5.2 to 5.3. Restart the services afterwards.

    Workaround:

    Back up the ACS DB and reimage the box to 5.3.

    How did you upgrade to ACS 5.4?

    1.] Upgraded from 5.3 to 5.4 using the upgrade package.

    2.] Reimaged with the ACS 5.4 ISO and restored the ACS 5.3 database.

    I suggest you pursue this with TAC. [Most likely you must reimage the server and restore the database if you went with option 1.]

    ~ BR
    Jatin kone


  • iOS 10.0.1 "not allowed to use restricted network port"

    I just upgraded my iPad Mini to iOS 10.0.1. It is now running Safari 10. I tried to visit an internal/private IP on port 4190 using HTTP. I get an error that says:

    Safari cannot open the page.

    The error was: "not allowed to use restricted network port".

    On iOS 9.3 using Safari 9, the same URL opens fine without this error.

    I don't know what has changed from iOS 9.3 to iOS 10.0.1, but I'm unable to visit a web site that I have visited before.

    I know that WebKit maintains a list of ports that you cannot go to (e.g. 6666), but 4190 is not a restricted port AFAIK. I don't know why I get this error message.

    It seems I was looking at the wrong source code.

    I finally got a clue where to look after visiting the Safari Technology Preview 13 web page.

    https://trac.WebKit.org/browser/releases/Apple/Safari%20Technology%20Preview%2013/WebCore/platform/URL.cpp

    It seems port 4190 was recently added to blockedPortList:

        2049,              // NFS
        3659,              // apple-sasl / PasswordServer [Apple addition]
        4045,              // lockd
        4190,              // ManageSieve [Apple addition]
        6000,              // X11
        6665,              // Alternate IRC [Apple addition]
        6666,              // Alternate IRC [Apple addition]
        6667,              // Standard IRC [Apple addition]
        6668,              // Alternate IRC [Apple addition]
        6669,              // Alternate IRC [Apple addition]
        invalidPortNumber, // Used to block all invalid port numbers
    };
    const unsigned short* const blockedPortListEnd = blockedPortList + WTF_ARRAY_LENGTH(blockedPortList);

  • Tecra A4 and the docking station Port Replicator III

    Hi, I would like to buy a Tecra A4 with the docking station, but I see that the Port Replicator III has no S-video, while the PC does. Does anyone know if I can use the S-video on the PC when I put the PC on the docking station?

    Hello

    Sorry, but it is not possible. You can only use the S-video port on the device directly.

    Good bye

  • Need to connect Satellite U945-S4110 to the VGA-IN port of an external monitor

    I need to configure my Toshiba U945-S4110 laptop to be connected to the VGA input of a display screen.
    What do I need?

    Is this active HDMI to VGA converter enough for this

    http://www.Amazon.com/1080p-female-video-converter-adapter/DP/B008279OJ6/ref=sr_1_4?s=electronics&ie=UTF8&QID=1392112034&SR = 1-4 & keywords = hdmi + in + vga + adapter

    and then a VGA - VGA cable?

    > What do I need?

    Well, the notebook supports only the HDMI output port. This port sends the video and audio signal digitally.

    In case your external monitor supports only an RGB (VGA) port, you will need to use some sort of adapter/converter that is able to convert the digital HDMI signal to an analog VGA signal.

    I don't know if the adapter might work, but you will not get sound because VGA does not support audio, only the video signal.

  • Satellite U400 - two of the three USB ports are not working

    Hello

    I have a Satellite U400 laptop which has three USB ports.
    One of these 3 ports does not work correctly and the other two ports do not work at all.
    Can anyone show me a solution?

    Thanks in advance,
    Concerning

    Any solution? You mean a magical solution? :)

    No one knows the configuration of the laptop.
    No one knows what OS you are using.
    Nobody knows what you did last time with your laptop.
    No one knows how long you have this problem.
    No one knows what USB devices you use to test USB functionality.
    What have you already tried to do about it?

    Do you want more questions?
    Maybe you should write more than three short sentences as a description of the problem.

  • Tecra S2: HDD as unknown device on two of the three USB ports

    Hey again,
    I thought since I was here anyway I could ask this too.
    The Tecra S2 has 3 USB ports; they all work very well for my USB mouse and other small things like the Wacom tablet...
    But when I plug my external hard drive into two of them, it says that it is an unknown device...

    I think, but am not sure, that this might have something to do with something we once had to do at school;
    we had once set up a driver for a small serial (or parallel, can't recall) to USB converter cable.
    (I have already uninstalled the drivers but nothing has changed)

    It's just a guess...

    any idea on how to solve this little problem? : p

    Hello

    You said the external USB HDD appears as an unknown device on two of the three USB ports.
    What appears if you connect the HDD to the third USB port?
    Does it appear as an unknown device or what?

    A device usually appears as an unknown device in Device Manager because the device drivers are not installed.
    I would check the HDD for drivers and try to install them again.

  • Connection of two screens on the PA3508E-1PRP Port Replicator

    Hello

    Does anyone know if you can connect two screens to the port replicator and use it with the "extend my desktop" option in Windows?

    Thank you

    Concerning

    It seems that you're talking about the Toshiba Express Port Replicator for the Portege M400.
    In my view, the Express Port Replicator supports simultaneous use of RGB & DVI only if the notebook itself also supports the simultaneous use of RGB & DVI.

  • Does the PA3508E-1PRP Port Replicator support wide screen resolutions?

    Hi all

    I am thinking of buying a Tecra M9 - 14 FT 7800 (with the NVIDIA Quadro NVS 130M - 128 MB graphics card). Will it, in combination with the Express Port Replicator PA3508E-1PRP, let me fully use an external monitor with a native widescreen resolution of 1680 x 1050 over DVI?

    Thanks in advance,

    Ben.

    Hello Ben

    Unfortunately I can't give you the exact answer, but I'm a bit skeptical about it. As far as I know the Port Replicator has no influence on the signal, because the signal from the laptop is just looped through. The question is which resolutions on the external screen will be supported by the laptop's graphics card.

    In the Tecra M9 user's manual I found the following information: as the operation of all DVI (Digital Video Interface) monitors on this port could not be confirmed, some DVI monitors will not work correctly.

    In any case, as far as I know the Tecra M9 comes with an Intel 965GM graphics card and we are working on how to get the 1680 x 1050 widescreen resolution on an external display.

    If you need help with this please write again.

    Good bye

  • How to activate the S-video port on a Satellite M30X-154?

    Hey, does anyone know how to activate the S-video port on a Satellite M30X-154 laptop?

    If I press the FN + 5 keys the only option I get is LCD and no S-VHS option. My TV is set up for this; I watch DVDs through the cable.

    When I connect the cable to the laptop, nothing happens!
    Help

    Hello

    Sorry, my Tosh A100 has a GeForce 7600; I don't know what your graphics adapter is.

    But on mine, I have an NVIDIA Control Panel where I can configure dualview,
    which normally allows me to choose between the built-in LCD and the external monitor (VGA port).

    When a TV is plugged in and not recognized, I can force detection there.
    After reopening the panel, the TV is also available.

    Maybe this could help you.
    If this isn't the case, note that in the Windows settings your TV is not available.
    Try to go to the user interface of your graphics card...

    Matz
