ACS 3.2(2) Build 5 replication issue

Answered Question
Nov 5th, 2009

Hello All,

There are two ACS servers: one sits on the inside of an ASA 5510 at the head office and the other sits on the inside of an ASA 5510 at the hot site.

Those ASA 5510s were put in to replace two PIX 515Es, and the claim is that since the ASAs went in, replication has stopped working. This of course makes no sense to me, since there is communication between the ACS servers and the firewall is not dropping anything whenever 'replicate now' is issued.

Unfortunately I don't know much about ACS, so is there anything I can look for to help troubleshoot this? The ACS logs say

WARNING Cannot replicate to 'server4' - server not responding

which doesn't help much. Is there any way to get more detailed log info that could point to an issue? Thanks.

Correct Answer by Jatin Katyal, Thu, 11/05/2009 - 12:46

Hi,

ACS uses port TCP/2000 for replication. This port is also used by the Skinny protocol, so inspection of Skinny is applied to the port used by the ACS replication process.

ACS replication from primary to secondary fails, the primary reports that it can't contact the secondary, and the secondary does not show any replication activity from the primary.

A firewall between the two ACS servers is configured to inspect the Skinny protocol, which uses the same port (TCP/2000) as the ACS replication process.

If you do not have a Call Manager behind your firewall, please disable skinny inspect if it is enabled.

Under the global policy, take the skinny inspection out of the class inspection_default:

policy-map global_policy
 class inspection_default
  no inspect skinny

You need to do this on both sides.


HTH


Jk


Plz rate helpful posts-
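As an added example (not part of the answer above and not a Cisco tool), the following Python script audits a saved ASA running-config for the condition the answer describes: a class that applies skinny (SCCP) inspection, and therefore also inspects ACS replication sessions on TCP/2000. It parses the policy-map / class / inspect nesting, reports where skinny inspection is applied and whether the policy-map is bound globally, to an interface, or not at all, and previews the config as it would read after `no inspect skinny`. The config excerpt is constructed for the example: it mirrors the ASA default global_policy, but the interface name used in the test and the idea of running this against a saved config are assumptions.

```python
"""Audit an ASA running-config for skinny (SCCP) inspection that would also be
applied to Cisco ACS replication traffic on TCP/2000.

Added example for this thread; not Cisco code and not from the original post.
"""
import re

# ACS replication and the Skinny (SCCP) call-control protocol share this port,
# so any class that inspects skinny also inspects the ACS replication session.
ACS_REPLICATION_PORT = 2000

# Constructed sample: a 'show running-config' excerpt mirroring the ASA default
# global_policy (inspection_default matches default-inspection-traffic, which
# includes tcp/2000 for skinny).
SAMPLE_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect esmtp
  inspect skinny
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
"""

POLICY_MAP_RE = re.compile(r"policy-map (?:type \S+ (?:\S+ )?)?(\S+)$")
CLASS_RE = re.compile(r"class (\S+)$")
INSPECT_RE = re.compile(r"inspect (\S+)")
SERVICE_POLICY_RE = re.compile(r"service-policy (\S+) (?:interface (\S+)|(global))$")


def parse_policy_maps(config):
    """Return {policy_map: {class_name: [inspected protocols]}}.

    A 'policy-map' line opens a map, 'class' lines open classes inside it,
    and any other unindented statement closes the map.
    """
    policy_maps, current_pm, current_class = {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = POLICY_MAP_RE.match(line)
        if m:
            current_pm = policy_maps.setdefault(m.group(1), {})
            current_class = None
            continue
        if not raw.startswith(" "):  # another top-level statement: map ends
            current_pm, current_class = None, None
            continue
        if current_pm is None:
            continue
        m = CLASS_RE.match(line)
        if m:
            current_class = current_pm.setdefault(m.group(1), [])
            continue
        m = INSPECT_RE.match(line)
        if m and current_class is not None:
            current_class.append(m.group(1))
    return policy_maps


def parse_service_policies(config):
    """Return {policy_map: scope}, scope being 'global' or an interface name."""
    bindings = {}
    for raw in config.splitlines():
        m = SERVICE_POLICY_RE.match(raw.strip())
        if m:
            bindings[m.group(1)] = m.group(2) or m.group(3)
    return bindings


def find_skinny_inspection(config):
    """Return (policy_map, class_name, scope) for every class inspecting skinny.

    scope is 'unbound' when the policy-map is defined but never applied with
    service-policy; such a map touches no traffic.
    """
    bindings = parse_service_policies(config)
    return [
        (pm_name, cls_name, bindings.get(pm_name, "unbound"))
        for pm_name, classes in parse_policy_maps(config).items()
        for cls_name, protocols in classes.items()
        if "skinny" in protocols
    ]


def remove_skinny_inspection(config):
    """Preview the config after 'no inspect skinny' under each class that had
    it. This is an offline transform; the command is still entered on the ASA."""
    return "\n".join(ln for ln in config.splitlines() if ln.strip() != "inspect skinny")


if __name__ == "__main__":
    for pm_name, cls_name, scope in find_skinny_inspection(SAMPLE_CONFIG):
        print(f"TCP/{ACS_REPLICATION_PORT} subject to skinny inspection: "
              f"policy-map {pm_name}, class {cls_name}, applied {scope}")
    print("after fix:", find_skinny_inspection(remove_skinny_inspection(SAMPLE_CONFIG)))
```

Run it against `show running-config` output captured from each ASA; the answer's fix is only complete once the script reports no bound class inspecting skinny on both firewalls.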


kwillacey Thu, 11/05/2009 - 13:35

Wow, that did the trick, thanks a lot!!! I am concerned that this was not reflected in the firewall logs. I am assuming it was silently dropping it. Is there any way I can ensure that anything that is dropped is logged?
