Replication Problems v3.3.4

Answered Question
Mar 15th, 2007

I just upgraded to 3.3.4 and I am seeing a problem with the replication. I have two ACS servers and they are authenticating to a CryptoCard server. So I configured the external DB on both servers to point to it. I have users created and they are pointed to that external DB. Everything works perfectly, even the failover if I shut the services on the primary server.


However, when I replicate, the failover does not work anymore. What I see is, if I look at a user on the backup server, the Password Authentication section for all the users is "Unknown Radius Server". I can select the CryptoCard server and it all works fine again.


Any ideas how I can fix/troubleshoot this?


Any help would be appreciated. TAC is working on it also, but I wanted to see if anyone else has experienced this problem.


BTW this is running on a Windows server...

Overall Rating: 5 (4 ratings)
Vivek Santuka Thu, 03/15/2007 - 07:45

Hi,


I have seen this problem a couple of times. This is caused because ACS refers to the database by numbers internally.


So when the primary server replicates to the secondary, it sets the user to authenticate to, say, "Database 2". On the secondary, the CryptoCard may be at "Database 1". So every time there is a replication, the user on the secondary server starts pointing to "Database 2" instead of "Database 1".


One workaround to this is to create another database pointing to the same CryptoCard and see if the new one lands in the right number.


HTH


Regards,

Vivek

mapones Thu, 03/15/2007 - 07:49

Very interesting and it makes sense. Is there a way to see what number each server thinks the DB is?

Vivek Santuka Thu, 03/15/2007 - 07:58

Since we are on 3.x, the following registry entry should give us an indication:


HKLM\SOFTWARE\Cisco\CiscoAAAv3.3\Authenticators\Libraries\30


30 is for the Radius Token Servers. Under 30 you will find entries such as "00", "01", etc. This is the database "number" I was referring to.


If we are using ACS Solution Engine then we need to create a package.cab file from System Configuration->Support. The package.cab file will have ACS.reg.


Regards,

Vivek
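
Added example, not part of the original thread or of Cisco's tooling: one way to compare the database numbers under the key above between a primary and a secondary, working from exported .reg text (a regedit export of that key, or the ACS.reg from package.cab). The value name "ExampleName" and both sample exports are constructed placeholders, since the thread does not show the values stored under each number; real regedit exports are normally UTF-16, so read them with `encoding="utf-16"`.

```python
import re

# Key quoted in the thread; "30" is the Radius Token Server library.
BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Cisco\CiscoAAAv3.3\Authenticators\Libraries\30"

# Constructed sample exports; "ExampleName" is a placeholder value name.
PRIMARY_REG = (f'[{BASE}\\00]\n"ExampleName"="Old token server"\n\n'
               f'[{BASE}\\01]\n"ExampleName"="CryptoCard"\n')
SECONDARY_REG = f'[{BASE}\\00]\n"ExampleName"="CryptoCard"\n'

def parse_indexes(reg_text, base=BASE):
    """Return {number: {value_name: raw_value}} for the direct subkeys of base."""
    # Join hex values that regedit wraps across lines with a trailing backslash.
    reg_text = re.sub(r"\\\r?\n\s*", "", reg_text)
    prefix = base.lower() + "\\"
    result, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            tail = key[len(prefix):] if key.lower().startswith(prefix) else ""
            # Keep only direct children such as "00" and "01".
            current = result.setdefault(tail, {}) if tail and "\\" not in tail else None
        elif current is not None:
            m = re.match(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$', line)
            if m:
                current[m.group(1) or "@"] = m.group(2)
    return result

def compare(primary, secondary):
    """Report numbers missing on one server or holding different settings."""
    report = {}
    for idx in sorted(set(primary) | set(secondary)):
        if idx not in primary:
            report[idx] = "only on secondary"
        elif idx not in secondary:
            report[idx] = "only on primary"
        elif primary[idx] != secondary[idx]:
            report[idx] = "differs"
    return report

if __name__ == "__main__":
    diff = compare(parse_indexes(PRIMARY_REG), parse_indexes(SECONDARY_REG))
    for idx, status in diff.items():
        print(f"database {idx}: {status}")
```

Any number reported as differing or missing is one where replicated user records can end up pointing at a different external database on the secondary.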


Vivek Santuka Thu, 03/15/2007 - 08:11

Yup, numbering problem.


On the secondary we need to create a new Radius Token Server Entry while keeping the old one intact.


Configure the new entry exactly like the old one except the name.


That will resolve the problem :)


Regards,

Vivek

mapones Thu, 03/15/2007 - 08:15

Once I create that, can I remove the old one so there will be no confusion down the road?

Correct Answer
Vivek Santuka Thu, 03/15/2007 - 08:16

I think we can delete the old database entry because ACS will not reindex the numbers, but I am not very sure about this one.


Regards,

Vivek

mapones Thu, 03/15/2007 - 08:29

YOU ROCK, that is it. Plus I was able to delete the old entry and the index number stayed. Everything is working correctly with the replication now.


THANKS A TON.
