ACS 3.2(2) Build 5 replication issue

kwillacey
Level 3

Hello All,

There are two ACS servers: one sits on the inside of an ASA 5510 at the head office and the other sits on the inside of an ASA 5510 at the hot site.

Those ASA 5510s were put in to replace two PIX 515Es, and the claim is that since the ASAs went in, replication has stopped working. This of course makes no sense to me, since there is communication between the ACS servers and the firewall is not dropping anything whenever 'replicate now' is issued.

Unfortunately I don't know much about ACS, so is there anything I can look for to help troubleshoot this? The ACS logs say:

WARNING Cannot replicate to 'server4' - server not responding

which doesn't help much. Is there any way to get more detailed log info that could point to an issue? Thanks.

Accepted Solution

Jatin Katyal
Cisco Employee

Hi,

ACS uses port TCP/2000 for replication. This port is also used by the Skinny protocol, which is the same port the ACS replication process uses.

ACS replication from primary to secondary fails: the primary reports that it can't contact the secondary, and the secondary does not show any replication activity from the primary.

A firewall between the two ACS servers is configured to inspect the Skinny protocol, which uses the same port (TCP/2000) as the ACS replication process.

If you do not have a Call Manager behind your firewall, please disable Skinny inspection if it is enabled.

Under the global policy, take the Skinny inspection out of the class inspection_default:

    policy-map global_policy
     class inspection_default
      no inspect skinny

You need to do this on both sides.

HTH

Jk

Please rate helpful posts.

~Jatin

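The accepted answer above says where the problem lives (skinny inspection in the ASA global policy, on the same TCP/2000 that ACS replication uses) and what to type to fix it. As an added example that is not part of the original thread or of Cisco's tooling, here is a small Python audit that parses an ASA running-config, reports whether 'inspect skinny' is active in whichever policy-map is bound with 'service-policy ... global', emits the same remediation CLI the answer prescribes, and previews the corrected config. SAMPLE_CONFIG is a constructed snippet in standard ASA policy-map / class / service-policy syntax, not the poster's real configuration.

```python
"""Added example (not from the original thread): audit an ASA running-config
for 'inspect skinny' in the globally applied service policy.  Skinny (SCCP)
inspection watches TCP/2000, the port ACS uses for replication, so an ASA
between two ACS servers with this inspection enabled can break 'replicate now'
without an obvious drop in the firewall logs."""
import re

# Constructed sample: an ASA default-style global policy with skinny inspection on.
SAMPLE_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect rsh
  inspect esmtp
  inspect skinny
  inspect sip
  inspect tftp
!
service-policy global_policy global
"""


def _indent(line):
    """ASA nests config blocks by one space per level."""
    return len(line) - len(line.lstrip(' '))


def parse_policy_maps(config_text):
    """Return {policy_map: {class_name: ['inspect ...', ...]}} for plain
    'policy-map <name>' blocks ('policy-map type inspect ...' is skipped)."""
    policy_maps = {}
    pm = cls = None
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if _indent(line) == 0:              # any top-level line ends the current block
            pm = cls = None
            m = re.match(r'policy-map (\S+)$', stripped)
            if m:
                pm = m.group(1)
                policy_maps[pm] = {}
        elif pm is not None and _indent(line) == 1 and stripped.startswith('class '):
            cls = stripped.split(None, 1)[1]
            policy_maps[pm].setdefault(cls, [])
        elif pm is not None and cls is not None and stripped.startswith('inspect '):
            policy_maps[pm][cls].append(stripped)
    return policy_maps


def global_policy_name(config_text):
    """Name of the policy-map bound with 'service-policy <name> global', or None."""
    m = re.search(r'^service-policy (\S+) global$', config_text, re.MULTILINE)
    return m.group(1) if m else None


def find_skinny_inspection(config_text):
    """(policy_map, class) pairs in the global policy that carry 'inspect skinny'."""
    pm = global_policy_name(config_text)
    if pm is None:
        return []
    return [(pm, cls)
            for cls, inspects in parse_policy_maps(config_text).get(pm, {}).items()
            if any(i.split()[1] == 'skinny' for i in inspects)]


def remediation_commands(hits):
    """ASA CLI equivalent of the accepted answer's fix, one block per affected class."""
    cmds = []
    for pm, cls in hits:
        cmds += [f'policy-map {pm}', f' class {cls}', '  no inspect skinny']
    return cmds


def remove_skinny_inspection(config_text):
    """Offline preview of the config after 'no inspect skinny' in the global policy."""
    pm = global_policy_name(config_text)
    out, in_global = [], False
    for line in config_text.splitlines():
        if line.strip() and _indent(line) == 0:
            in_global = (line.strip() == f'policy-map {pm}')
        if in_global and line.strip() == 'inspect skinny':
            continue                        # drop the offending line, keep everything else
        out.append(line)
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    hits = find_skinny_inspection(SAMPLE_CONFIG)
    if hits:
        print('skinny inspection active in global policy:', hits)
        print('\n'.join(remediation_commands(hits)))
    else:
        print('global policy does not inspect skinny')
    assert not find_skinny_inspection(remove_skinny_inspection(SAMPLE_CONFIG))
```

Run it against the output of 'show running-config' from each ASA (the answer says both sides need the change); a config with no 'service-policy ... global' line, or whose global policy has no 'inspect skinny', reports clean. The parser only understands the flat one-space nesting ASA emits, so feed it the raw running-config rather than a hand-edited copy.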

2 Replies


Wow, that did the trick, thanks a lot!!! I am concerned that this was not reflected in the firewall logs. I am assuming it was silently dropping it. Is there any way I can ensure that anything that is dropped is logged?
