Database replication errors - between two appliance 113

Mar 8th, 2007

I have two Secure ACS appliances, a primary and a secondary. The secondary is behind the firewall, so we have the IP addresses NATed. I can get to the secondary appliance via the NATed IP address, but the primary server says it does not see it. Below is the error message I am getting:

Inbound database replication from ACS 'Primary' denied - shared secret mismatch

I did read through the earlier conversation, but it does not solve the issues I am having with the replication.

Please help.

Vivek Santuka (Cisco Employee) Thu, 03/08/2007 - 08:10

Hi,

Usually "shared secret" mismatch means the primary's self key and the primary's key on the secondary server do not match.

I would like to point out that replication is not supported with NAT.

Regards,

Vivek

wordworship Thu, 03/08/2007 - 08:53

It worked before. The keys do match.

Below is the link that the TAC engineer sent to me:

Vivek Santuka (Cisco Employee) Fri, 03/09/2007 - 05:14

Hi,

No link in the above post.

But if you are using ACS 4 then please check the keys of the NDG and try moving the AAA Server entry to a different NDG.

Regards,

Vivek

wordworship Fri, 03/09/2007 - 10:41

Vivek,

Thanks for your response.

Oops. Sorry about that. Below is the link I was given:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080742f60.shtml#configure_db_nat

I am currently running CiscoSecure ACS v3.3 on the Appliance.

Also, below is the line from the log of a successful replication; nothing has changed since then.

Inbound database replication from ACS 'notacs01' completed

Vivek Santuka (Cisco Employee) Sat, 03/10/2007 - 05:51

Hi,

We need to look at Auth.log for events around the replication.

As I said before, you should try re-entering the secret keys again before looking at logs.

Regards,

Vivek
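As an added illustration of the log review suggested in the last reply (this is not code from the thread, from Cisco, or from ACS itself), the Python snippet below pulls replication events out of an ACS-style log and groups them by peer and outcome, so a peer that is consistently denied for "shared secret mismatch" stands out from one that replicates normally. The sample log lines are constructed to mirror the two messages quoted in this thread; the assumption that each Auth.log entry is a single line of the form "<date> <time> <message>" is mine, and real ACS logs carry more fields.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the two replication messages quoted in
# this thread plus one unrelated line. The "<date> <time> <message>" layout is
# an assumption, not the exact ACS Auth.log format.
SAMPLE_LOG = """\
03/08/2007 07:55:02 Inbound database replication from ACS 'notacs01' completed
03/08/2007 08:01:14 Inbound database replication from ACS 'Primary' denied - shared secret mismatch
03/08/2007 08:03:40 Authentication succeeded for user jdoe
03/08/2007 08:05:09 Inbound database replication from ACS 'Primary' denied - shared secret mismatch
03/08/2007 08:30:00 Inbound database replication from ACS 'notacs01' completed
"""

# Matches the replication lines seen in the thread; the reason suffix is optional
# because successful ("completed") lines carry none.
REPL_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) Inbound database replication from ACS "
    r"'(?P<peer>[^']+)' (?P<outcome>completed|denied)(?: - (?P<reason>.*))?$"
)


def parse_replication_events(text):
    """Return one dict per replication line; non-replication lines are skipped."""
    events = []
    for line in text.splitlines():
        m = REPL_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["reason"] = event["reason"] or ""
        events.append(event)
    return events


def summarize(events):
    """Count outcomes per peer, e.g. {'Primary': {'denied': 2}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for e in events:
        counts[e["peer"]][e["outcome"]] += 1
    return {peer: dict(c) for peer, c in counts.items()}


def denied_peers(events):
    """Peers that were denied at least once, with the distinct reasons seen."""
    reasons = defaultdict(set)
    for e in events:
        if e["outcome"] == "denied":
            reasons[e["peer"]].add(e["reason"])
    return {peer: sorted(r) for peer, r in reasons.items()}


if __name__ == "__main__":
    evs = parse_replication_events(SAMPLE_LOG)
    for peer, outcome_counts in summarize(evs).items():
        print(peer, outcome_counts)
    for peer, why in denied_peers(evs).items():
        print(f"{peer}: denied for {', '.join(why)}")
```

Grouping by peer is the useful part: if only one peer is ever denied while others complete, the problem is that peer's AAA Server entry (its key, or the NDG it sits in), whereas denials from every peer point at the local server's own configuration.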
