ACS Replica External User Database Issues

Unanswered Question
Jun 17th, 2008
User Badges:

Hi All,

I have a pair of ACS 1113 appliances with replication configured. I'm authenticating against a pair of AD domain controllers with the Remote Authentication Agent installed. The Primary ACS appliance has no problem authenticating against either of the remote agents howver the replica appliance doesn't appear to be able to authenticate against either of them. the Error "External DB is not operational" is always received in the failed log on the replica. the Primary and replica have identical external user database configuration.

Both appliances are running version 4.1(1)23

Any assistance would be greatly appreciated.

many thanks.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Jagdeep Gambhir Tue, 06/17/2008 - 05:07
User Badges:
  • Red, 2250 points or more


This message shows up when remote agent is not able to reach external database.

Make sure that remote agent show status "available " when click on remote agent in network configuration.

Ensure remote agent and acs ver be same. If you are using same remote agent for both acs appliance then you need to edit config.ini file of remote agent inorder to add configuration host ip of second acs.

Also check if there is any that remote agent can ping acs (rule out network issue)



Do rate helpful posts

lmslattery Tue, 06/17/2008 - 14:53
User Badges:


Thanks for the reply.

The status of both of my remote agents display as available under network configuration.

The remote agent version matches the version of ACS I'm using. Both of my ACS appliances are running the same version and the primary can authenticate against both remote agents.

I have played with the Config.ini file and changed the configuration provider AP to my replica appliance with no change in result. This configuration item only appears to accept a single value.

The remote agents can ping both ACS appliances , I can see hits in the CSWinAgent log such as the following , but I don't see anything else:

CSWinAgent 06/17/2008 18:32:55 A 0140 7636 0x0 Client connecting from x.x.x.x:3859

CSWinAgent 06/17/2008 18:32:56 A 0600 7288 0x0 Client disconnected, thread 7288 terminating.



Jagdeep Gambhir Wed, 06/18/2008 - 04:58
User Badges:
  • Red, 2250 points or more


Can you please increase the loggin level to full and then get the CSWinAgent logs.

ACS--->Service control--->full--->Restart.

Now recreate the issue and get logs from remote agent.



rokp Mon, 06/30/2008 - 02:14
User Badges:

I'm experiencing the same problem as Leon (except that I have only a single ACS/Remote agent setup). Increasing the log level doesn't change anything, running csagent from console and specifying "-p -z" parameters also doesn't increase the logging level on the remote agent.

Appliance and the remote agent are the same version (, with appliance having only the patch for static IP installed.

CSWinAgent.log shows

CSWinAgent 06/30/2008 11:53:22 A 0136 2660 Client connecting from 10.x.x.x:4495

CSWinAgent 06/30/2008 11:53:23 A 0588 3084 Client disconnected, thread 3084 terminating

ACSRemoteAgent.log shows

ACSRemoteAgent 06/30/2008 11:53:21 A 0178 3200 Client connecting from 10.x.x.x:4494

ACSRemoteAgent 06/30/2008 11:53:22 A 0245 3000 RPC: Info request received

ACSRemoteAgent 06/30/2008 11:53:22 A 0290 3000 RPC: Info reply sent

ACSRemoteAgent 06/30/2008 11:53:22 A 0335 3000 Client disconnected, thread 3000 terminating

ACS RA service domain user has local admin privileges, log on as service and act as part of OS rights, it is installed on member server. Anything else I should try?

lmslattery Mon, 06/30/2008 - 02:40
User Badges:

i have a TAC case open on this at the moment. I'll post with the results once available.

rokp Mon, 06/30/2008 - 03:43
User Badges:

Great! (I was just thinking myself whether I should open the TAC case, but since there is already one opened I don't see any point in doubling their work.)

Just one thing to mention, something does work as I'm able to see all windows groups defined in AD and can do Database Group Mappings...

lmslattery Tue, 07/01/2008 - 19:00
User Badges:

My problem is resolved.

It turns out that I was Running 4.1.1(23) Build 5 on the working appliance , but the secondary didn't have the Build 5 patch installed.

After installing the patch it worked straight away.

rokp Tue, 07/15/2008 - 00:56
User Badges:

It turns out I had the same problem. It would be usefull if command "CSAgent -v" would also indicate the patch level and not only "ACSRemoteAgent version 4.1(1.23)"...



Jagdeep Gambhir Tue, 07/15/2008 - 06:13
User Badges:
  • Red, 2250 points or more


In my first post, that was the very first thing I suggested to you check.

"Ensure remote agent and acs ver be same."

Glad your issue is fixed.




This Discussion