
Replication Problems v3.3.4

mapones
Level 1

I just upgraded to 3.3.4 and I am seeing a problem with the replication. I have two ACS servers and they are authenticating to a CryptoCard Server. So I configured the external DB on both servers to point to it. I have users created and they are pointed to that external DB. Everything works perfectly, even the failover if I shut the services on the primary server.

However when I replicate the failover does not work any more. What I see is if I look at a user on the backup server the Password Authentication section for all the users is "Unknown Radius Server". I can select the CryptoCard server and it all works fine again.

Any ideas how I can fix/troubleshoot this?

Any help would be appreciated. TAC is working on it also, but I wanted to see if anyone else has experienced this problem.

BTW this is running on a Windows server...



Vivek Santuka
Cisco Employee

Hi,

I have seen this problem a couple of times. This is caused because ACS refers to the database by numbers internally.

So when the primary server replicates to the secondary it sets the user to authenticate to say "Database 2". On the secondary the CryptoCard may be at "Database 1". So every time there is a replication, the user on the secondary server starts pointing to "Database 2" instead of "Database 1".

One workaround to this is to create another database pointing to the same CryptoCard and see if the new one lands in the right number.

HTH

Regards,

Vivek

Very interesting and it makes sense. Is there a way to see what number each server thinks the DB is?

Since we are on 3.x the following registry entry should give us an indication :-

HKLM\SOFTWARE\Cisco\CiscoAAAv3.3\Authenticators\Libraries\30

30 is for the Radius Token Servers. Under 30 you will find entries such as "00","01" etc.. This is the database "number" I was referring to.

If we are using ACS Solution Engine then we need to create a package.cab file from System Configuration->Support. The package.cab file will have ACS.reg

Regards,

Vivek

Cool, I have attached a screenshot of both servers' registry entries. They are different.

Yup, numbering problem.

On the secondary we need to create a new Radius Token Server Entry while keeping the old one intact.

Configure the new entry exactly like the old one except the name.

That will resolve the problem :)

Regards,

Vivek

Once I create that can I remove the old one so there will be no confusion down the road?

I think we can delete the old database entry because ACS will not reindex the numbers but am not very sure about this one.

Regards,

Vivek

YOU ROCK, that is it. Plus I was able to delete the old entry and the index number stayed. Everything is working correctly with the replication now.

THANKS A TON.
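
The registry comparison done by screenshot in the thread above, as an added example that is not part of the original posts: it reads two registry exports (such as the ACS.reg from package.cab) and reports Radius Token Server entries that have identical settings on both servers but sit at different database numbers. The value names `Name` and `Host`, the addresses and both sample exports are constructed for illustration; the thread does not show the real values under each numbered key.

```python
import re

# Key named in the thread; regedit exports spell HKLM out in full.
PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\Cisco\CiscoAAAv3.3\Authenticators\Libraries\30"

def token_server_entries(reg_text, prefix=PREFIX):
    """Map each database number ("00", "01", ...) to its values in a .reg export.
    Pass decoded text: regedit version 5.00 exports are usually UTF-16."""
    entries, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key, current = line[1:-1], None
            if key.lower().startswith(prefix.lower() + "\\"):
                # First path component below ...\30 is the database number.
                current = key[len(prefix) + 1:].split("\\")[0]
                entries.setdefault(current, {})
        elif current is not None:
            m = re.match(r'"([^"]+)"=(.*)$', line)
            if m:
                entries[current][m.group(1)] = m.group(2)
    return entries

def renumbered(primary, secondary):
    """List (primary_number, [secondary_numbers]) for entries whose settings
    match on both servers but whose database number differs."""
    by_settings = {}
    for number, values in secondary.items():
        if values:
            by_settings.setdefault(frozenset(values.items()), []).append(number)
    mismatches = []
    for number, values in sorted(primary.items()):
        numbers = by_settings.get(frozenset(values.items()), [])
        if numbers and number not in numbers:
            mismatches.append((number, sorted(numbers)))
    return mismatches

# Constructed sample exports (not taken from the thread's screenshots).
PRIMARY_REG = "[" + PREFIX + "\\00]\n" + '"Name"="OldToken"\n"Host"="192.0.2.20"\n\n' \
            + "[" + PREFIX + "\\01]\n" + '"Name"="CryptoCard"\n"Host"="192.0.2.10"\n'
SECONDARY_REG = "[" + PREFIX + "\\00]\n" + '"Name"="CryptoCard"\n"Host"="192.0.2.10"\n'

if __name__ == "__main__":
    result = renumbered(token_server_entries(PRIMARY_REG),
                        token_server_entries(SECONDARY_REG))
    for primary_no, secondary_nos in result:
        print(f"primary {primary_no} is at {secondary_nos} on the secondary")
```

Any pair it reports is a database that replicated users will reference by the primary's number, which is the mismatch described in the replies.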
