11-05-2009 12:23 PM - edited 03-10-2019 04:46 PM
Hello All,
There are two ACS servers: one sits on the inside of an ASA 5510 at the head office and the other sits on the inside of an ASA 5510 at the hot site.
Those ASA 5510s were put in to replace two PIX 515Es, and the claim is that since the ASAs went in, replication has stopped working. This of course makes no sense to me, since there is communication between the ACS servers and the firewall is not dropping anything whenever 'replicate now' is issued.
Unfortunately I don't know much about ACS, so is there anything I can look for to help troubleshoot this? The ACS logs say:
WARNING Cannot replicate to 'server4' - server not responding
Which doesn't help much. Is there any way to get more detailed log info that could point to an issue? Thanks.
11-05-2009 12:46 PM
Hi,
ACS uses port TCP/2000 for replication. This port is also used by the Skinny protocol, which affects the port used by the ACS replication process.
ACS replication from primary to secondary fails, the primary reports that it can't contact the secondary, and the secondary does not show any replication activity from the primary.
A firewall between the two ACS servers is configured to inspect the Skinny protocol, which uses the same port (TCP/2000) as the ACS replication process.
If you do not have a Call Manager behind your firewall, please disable Skinny inspection if it is enabled.
! Under the global policy, take the Skinny inspection out of class inspection_default
policy-map global_policy
 class inspection_default
  no inspect skinny
You need to do this on both sides.
HTH
Jk
Plz rate helpful posts-
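As an added example (not from this thread or from Cisco), a small Python audit that parses an ASA running-config, flags Skinny inspection in a globally applied policy map (the condition above that interferes with ACS replication on TCP/2000) and returns the CLI lines that remove it. The sample config is constructed; the policy-map and class names assume the ASA defaults (global_policy / inspection_default).

```python
"""Audit an ASA running-config for Skinny (SCCP) inspection that would
interfere with Cisco ACS replication on TCP/2000.

Added example, not from the original thread. SAMPLE_CONFIG is a
constructed fragment using the ASA default policy-map/class names."""
import re

ACS_REPLICATION_PORT = 2000  # TCP port shared by ACS replication and SCCP

# Constructed sample: default ASA global policy with Skinny inspection on.
SAMPLE_CONFIG = """\
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect skinny
  inspect sip
service-policy global_policy global
"""

def parse_policy_maps(config):
    """Return {policy_map: {class_name: [inspected protocols]}}."""
    maps, pm, cls = {}, None, None
    for raw in config.splitlines():
        line, parts = raw.rstrip(), raw.split()
        if line.startswith("policy-map "):
            if parts[1] == "type":          # 'policy-map type inspect ...' blocks
                pm, cls = None, None        # are protocol maps, not class lists
                continue
            pm, cls = parts[1], None
            maps[pm] = {}
        elif line.startswith(" class ") and pm:
            cls = parts[1]
            maps[pm][cls] = []
        elif line.startswith("  inspect ") and pm and cls:
            maps[pm][cls].append(parts[1])
        elif not line.startswith(" "):      # any other top-level command ends the block
            pm, cls = None, None
    return maps

def applied_globally(config):
    """Names of policy-maps bound with 'service-policy <name> global'."""
    return set(re.findall(r"^service-policy (\S+) global\s*$", config, re.M))

def find_skinny_conflicts(config):
    """(policy_map, class) pairs where Skinny inspection is active in a globally
    applied policy, i.e. where TCP/2000 ACS replication traffic hits the SCCP inspector."""
    maps, global_maps = parse_policy_maps(config), applied_globally(config)
    return [(pm, cls) for pm, classes in maps.items() if pm in global_maps
            for cls, inspects in classes.items() if "skinny" in inspects]

def remediation(conflicts):
    """ASA CLI lines that remove Skinny inspection from each conflicting class."""
    lines = []
    for pm, cls in conflicts:
        lines += [f"policy-map {pm}", f" class {cls}", "  no inspect skinny"]
    return lines
```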
11-05-2009 01:35 PM
Wow, that did the trick, thanks a lot!!! I am concerned that this was not reflected in the firewall logs. I am assuming it was silently dropping it. Is there any way I can ensure that anything that is dropped is logged?