Problem with Cisco ACS Replication

Feb 24th, 2009

We recently encountered problems with the database replication of our ACS servers -- Server1 and Server2 (separate location).


The last successful replication was at midnight on 02/22/2009, and it started to fail at around 18:17 hours on the same date.


However, ICMP (ping) is successful between the two devices.


The error is: "Cannot replicate to 'server2' - server not responding."


Can you help me with this?

Thanks!

ronmarcojr Tue, 02/24/2009 - 01:36

These are the reports from ACS:


DATE:02/22/2009 - TIME:00:00:05 - STATUS:Info - MESSAGE:Outbound replication cycle starting...


DATE:02/22/2009 - TIME:00:00:29 - STATUS:Info - MESSAGE:Replication to ACS 'PCGAU2001' was successful...


DATE:02/22/2009 - TIME:00:00:29 - STATUS:Info - MESSAGE:Outbound replication cycle completed...


DATE:02/22/2009 - TIME:18:17:17 - STATUS:Warning - MESSAGE:Cannot replicate to 'PCGAU2001' - server not responding...


I need a little help here, please. Thanks. =)
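
Added example, not part of the original posts: a small Python parser for the replication report lines quoted above. It extracts, per peer, the last successful replication and the first failure after it, so the window can be lined up against firewall or network changes. It assumes the line format and MM/DD/YYYY dates shown in the thread; the function name `failure_windows` is hypothetical.

```python
import re
from datetime import datetime

# Constructed sample: the report lines quoted in the thread.
SAMPLE_REPORT = """\
DATE:02/22/2009 - TIME:00:00:05 - STATUS:Info - MESSAGE:Outbound replication cycle starting...
DATE:02/22/2009 - TIME:00:00:29 - STATUS:Info - MESSAGE:Replication to ACS 'PCGAU2001' was successful...
DATE:02/22/2009 - TIME:00:00:29 - STATUS:Info - MESSAGE:Outbound replication cycle completed...
DATE:02/22/2009 - TIME:18:17:17 - STATUS:Warning - MESSAGE:Cannot replicate to 'PCGAU2001' - server not responding...
"""

LINE_RE = re.compile(
    r"DATE:(?P<date>\d{2}/\d{2}/\d{4}) - TIME:(?P<time>\d{2}:\d{2}:\d{2})"
    r" - STATUS:(?P<status>\w+) - MESSAGE:(?P<msg>.*)"
)
OK_RE = re.compile(r"Replication to ACS '(?P<peer>[^']+)' was successful")
FAIL_RE = re.compile(r"Cannot replicate to '(?P<peer>[^']+)' - (?P<reason>.+?)\.*$")


def failure_windows(report_text):
    """Per peer: last success, first failure after it, and failure count."""
    peers = {}
    for raw in report_text.splitlines():
        m = LINE_RE.search(raw.strip())
        if not m:
            continue  # skip blank or unrelated lines
        when = datetime.strptime(m["date"] + " " + m["time"], "%m/%d/%Y %H:%M:%S")
        ok, fail = OK_RE.search(m["msg"]), FAIL_RE.search(m["msg"])
        if ok:
            # A success closes any earlier failure window for this peer.
            peers[ok["peer"]] = {"last_ok": when, "first_fail": None,
                                 "reason": None, "failures": 0}
        elif fail:
            p = peers.setdefault(fail["peer"], {"last_ok": None, "first_fail": None,
                                                "reason": None, "failures": 0})
            if p["first_fail"] is None:
                p["first_fail"], p["reason"] = when, fail["reason"]
            p["failures"] += 1
    return peers


if __name__ == "__main__":
    for peer, p in failure_windows(SAMPLE_REPORT).items():
        print(f"{peer}: last OK {p['last_ok']}, failing since {p['first_fail']}"
              f" ({p['reason']}, {p['failures']} failed attempts)")
```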

Roble Mumin Tue, 02/24/2009 - 13:22

If you happen to have an ASA, FWSM or PIX between the ACS Servers make sure that the "skinny inspection" is disabled on those firewalls.


I had similar errors after moving the ACSes behind my FWSMs, and it was indeed the skinny inspection from the firewall which messed up my replication.


Both skinny and the database replication use TCP 2000, and therefore the firewall thinks it's seeing voice traffic and corrupts your packets. At least that was the problem in my case.


The following info is from a doc focusing on ACS replication.



ACS Error - Cannot replicate to - server not responding - This error message appears in the replication report log when Database replication fails. This error is caused when Skinny Inspection is enabled as both Skinny protocol and Database replication in ACS uses same TCP port 2000. In order to resolve the issue, disable Skinny Inspection.



Source:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080742f60.shtml#prs


Hope it helps.


Roble



ronmarcojr Tue, 02/24/2009 - 17:51

Thank you for your suggestion, but we don't have an ASA, only NetScreen devices, and we're not doing any inspection regarding skinny. The only thing is that it was working properly before. We just don't know why we have run into an ACS error like this.


Do you have any other way to solve this? Also, what is the possible cause of this error? I'd gladly appreciate your help.


Thanks so much! =)
