ACS Replication Issue

john.judge
Level 1

Hi,

I recently upgraded to ACS 4.1.4.13.3 and when I try to configure replication I get "Cannot replicate to 'bos2-23-acs-1' - server not responding".

I can ping the IP and hostname listed above. Since we were using IPsec between sites, I also verified that the replication was being sent from the Master over port TCP 2000.

Our setup is as follows. Master in NY, Slave in Boston. The master has a few Replication Components selected that match the slave. Outbound Replication is set as per the schedule on the Master. The Replication Partner is selected from the list on the Master. On the Slave, matching Replication Components are selected. Outbound rep set to manual. The Master is listed as an AAA server (not partner). Inbound Replication is configured to accept replication from the Master with a 15 minute timeout (matches Master).

When I click "Replicate Now" from the Master, I get "Cannot replicate to 'bos2-23-acs-1' - server not responding". I have also tried a reboot and to pull from the slave (no luck).

Any ideas? Thanks!

John

6 Replies

somishra
Cisco Employee

Hi John,

Few things to check for replication:

- make sure that the software versions on both the ACS servers are exactly the same

- the replication components selected in the primary server to send should be selected as receive in the secondary server

- in the primary server, under Partners, the secondary server entry should be under the Replication column

- in the secondary server, under Partners, there should be no entry under the Replication column; the primary server entry should be under the AAA Servers column

- make sure that the shared secret keys are the same for both the ACS server entries in both the primary and the secondary ACS servers.

somishra

Adding more to somishra

1) Make sure that you are not replicating over NAT. Replication over NAT does not work because the IP is used as part of the server authentication

2) Next, check to make sure that you are not sending or receiving the distribution table. On the primary server, the distribution table should not be checked in the send list, and on the secondary, the distribution table should not be checked for receive.

3) Then I would like you to check in the secondary server's partner list, to make sure that the primary is not listed. You should not enter the primary server into the partner list on the secondary server. However, the primary server should have all secondary servers listed in its partner list.

4) Ensure that the secondary server has its replication scheduling set to "manual".

5) Please verify that your servers are all running exactly the same ACS version and build.

6) Check if you have any firewall in between the two ACS servers. In case you do, then please have your firewall checked and reconfigured to disable any inspection on port 2000.

Regards,

~JG

Do rate helpful posts
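The two checklists above (somishra's and JG's), encoded as one runnable consistency check between a primary and a secondary ACS configuration. This is an added example, not from the thread or from Cisco; the dictionary keys, component names and hostnames are hypothetical stand-ins for the settings the replies name.

```python
# Hypothetical checker for the ACS replication checklist in the replies above.
# Keys ("send", "receive", "replication_partners", "aaa_servers", ...) are
# constructed names modelling the ACS settings; they are not ACS identifiers.

DISTRIBUTION_TABLE = "distribution_table"  # hypothetical component name


def check_replication_pair(primary: dict, secondary: dict) -> list:
    """Return a list of findings; an empty list means the pair is consistent."""
    findings = []
    # both boxes must run exactly the same ACS version and build
    if primary["version"] != secondary["version"]:
        findings.append("version mismatch: %s vs %s" % (primary["version"], secondary["version"]))
    # the components sent by the primary must be the ones received by the secondary
    if set(primary["send"]) != set(secondary["receive"]):
        findings.append("send components on primary do not match receive components on secondary")
    # the distribution table must be neither sent nor received
    if DISTRIBUTION_TABLE in primary["send"] or DISTRIBUTION_TABLE in secondary["receive"]:
        findings.append("distribution table selected for send or receive")
    # primary lists the secondary as a replication partner; secondary lists none
    if secondary["host"] not in primary["replication_partners"]:
        findings.append("secondary missing from primary's replication partner list")
    if secondary["replication_partners"]:
        findings.append("secondary must have no replication partners, found %s" % secondary["replication_partners"])
    # the primary must appear on the secondary as an AAA server, not as a partner
    if primary["host"] not in secondary["aaa_servers"]:
        findings.append("primary not listed as an AAA server on secondary")
    # the secondary's outbound replication must be manual
    if secondary["outbound_schedule"] != "manual":
        findings.append("secondary outbound replication must be manual")
    # the shared secret of each side's AAA-server entry for the other must agree
    if primary["aaa_servers"].get(secondary["host"]) != secondary["aaa_servers"].get(primary["host"]):
        findings.append("shared secret mismatch between the two AAA server entries")
    return findings


# Constructed sample configs: SECONDARY_BAD carries two of the mistakes the replies warn about.
PRIMARY = {
    "host": "ny-acs", "version": "4.1.4.13.3", "send": ["users_groups", "network_config"],
    "receive": [], "replication_partners": ["bos-acs"], "aaa_servers": {"bos-acs": "s3cret"},
    "outbound_schedule": "scheduled",
}
SECONDARY_BAD = {
    "host": "bos-acs", "version": "4.1.4.13.3", "send": [],
    "receive": ["users_groups", "network_config", DISTRIBUTION_TABLE],  # wrong: distribution table
    "replication_partners": ["ny-acs"],  # wrong: primary must not be a partner here
    "aaa_servers": {"ny-acs": "s3cret"}, "outbound_schedule": "manual",
}
SECONDARY_OK = {**SECONDARY_BAD, "receive": ["users_groups", "network_config"], "replication_partners": []}

if __name__ == "__main__":
    for name, cfg in (("bad", SECONDARY_BAD), ("ok", SECONDARY_OK)):
        print(name, check_replication_pair(PRIMARY, cfg) or ["consistent"])
```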

Hi,

I have tried the suggestions listed in the past two posts. I also checked the settings a second and third time. Unfortunately, it's still not working. Any chance I could debug this or enable detailed logging to see why it's failing?

Thanks.

John

I would suggest sniffing the secondary ACS port and seeing if it is getting any traffic from the primary ACS.

This should help in isolating the issue.

Regards,

~JG

I am facing the same issues as the Topic Starter. Have you managed to resolve this issue?

Hi,

Our issue was related to our Firewall. We needed to disable the ALG that was intercepting the ACS traffic. Are you using IPsec VPNs between your ACS boxes?

Rgds,

John
