ACS replication issue on VMware ESX 3.5

Oct 30th, 2009

I have just installed ACS 4.2 on two VMware hosts. I've configured database replication but it won't work. The error message is "shared secret mismatch". This error message occurs if a NAT device is in the path (which it isn't in this case) or if the tcp header is otherwise changed during transmission. I'm wondering if VMware is adding something to the TCP header. Has anyone come across this problem before or has anyone successfully implemented ACS replication when both hosts are on VMware?


Jatin Katyal (Cisco Employee) Fri, 10/30/2009 - 04:47


I see that you are getting a "shared secret mismatch" error under the database replication logs. Just wanted to inform you that this is not because of a NAT'ed device. This happens when we have different keys for the AAA servers on the primary and secondary ACS.

The primary server must be configured as an AAA server and must have a key.

The secondary server must have the primary server configured as an AAA server, and its key for the primary server must match the primary server's own key. The shared secret key should be the same on both ACSs.

I am sending you a link for Setting Up Replication for Cisco Secure ACS; I am sure this example with screenshots will give you a better understanding.

Please visit the suggested URL below:

If that doesn't resolve the issue, please let me know if you see any server with this IP address



-Plz rate helpful posts-

stuart.nadin Fri, 10/30/2009 - 04:54

Thanks for the post, but I'm afraid that is not the issue. The keys and the replication setup are correct.

Jatin Katyal (Cisco Employee) Fri, 10/30/2009 - 05:05


Well, that's great if you've configured it correctly. However, sometimes when we copy and paste the key it copies an HTML character, and that could be an issue.

So, just to be on the safe side, I want you to manually type the key again on both servers. Also, make sure that there is no self entry within the AAA server section.



-Plz rate helpful posts-
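An added check, not part of the thread or of ACS itself, for the copy-and-paste problem Jatin describes: it compares the primary server's own key with the secondary's copy and reports pasted HTML entities, invisible or non-ASCII characters, and the first differing position. Function names and the sample keys are constructed for illustration.

```python
import html
import re
import unicodedata

# Matches HTML entities such as &#64; or &amp; that a browser copy can carry into the key field.
ENTITY_RE = re.compile(r"&(#\d+|#x[0-9a-fA-F]+|[A-Za-z]+);")


def inspect_key(key: str) -> list[str]:
    """Return findings about characters that make a pasted key differ from what was typed."""
    findings = []
    if key != key.strip():
        findings.append("leading/trailing whitespace")
    for m in ENTITY_RE.finditer(key):
        decoded = html.unescape(m.group(0))
        findings.append(f"HTML entity {m.group(0)!r} (decodes to {decoded!r})")
    for i, ch in enumerate(key):
        cat = unicodedata.category(ch)
        if cat.startswith("C") or (cat == "Zs" and ch != " "):
            # Control, format (zero-width) or non-breaking-space style characters.
            findings.append(f"invisible/control character U+{ord(ch):04X} at index {i}")
        elif ord(ch) > 0x7F:
            findings.append(f"non-ASCII character {ch!r} at index {i}")
    return findings


def compare_keys(primary_self_key: str, secondary_key_for_primary: str) -> dict:
    """Both servers must hold an identical secret (assumption: exact match, as the thread states).
    Returns match status, the first differing index, and per-side findings."""
    if primary_self_key == secondary_key_for_primary:
        return {"match": True, "first_diff": None, "primary": [], "secondary": []}
    pairs = zip(primary_self_key, secondary_key_for_primary)
    first_diff = next(
        (i for i, (a, b) in enumerate(pairs) if a != b),
        min(len(primary_self_key), len(secondary_key_for_primary)),
    )
    return {
        "match": False,
        "first_diff": first_diff,
        "primary": inspect_key(primary_self_key),
        "secondary": inspect_key(secondary_key_for_primary),
    }


if __name__ == "__main__":
    # Constructed sample: the '@' was pasted on the secondary as the entity '&#64;'.
    print(compare_keys("Rep1ic@te", "Rep1ic&#64;te"))
```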

stuart.nadin Fri, 10/30/2009 - 05:10

Yes, I've just tried manually entering the key. Same result. There's no entry for in the AAA server section. Thanks.

nic.boran Mon, 11/02/2009 - 12:48


Can you please post your solution? I have lost about 1 week with a very similar problem. I have ACS 4.2 installed on VMware. When I add devices with the necessary name, IP address and shared secret and then proceed to save and submit, I get an error message "shared secret must not be blank". I have created new virtual machines, added patches and completely reinstalled, but it's the same. It's driving me crazy. It is a very simple task.



stuart.nadin Wed, 11/04/2009 - 01:25

Hello Nick. Sorry for the slow reply, I've been out of the office. I followed these instructions:

The instructions tell you to create an entry on server1 for server2 and vice versa. It didn't work when I did this.

The solution was as follows. In the AAA server table on my server1, there is a default entry for server1 itself with a key of "secret_value". Change this to a key of your choice. On server2 I then added an entry for server1 using the same key.

This solved the problem and is somewhat different to the instructions on CCO.



