Oct 9th, 2011

Has anyone updated to ACS 5.3 yet? If so, any complications?

ida.wendt-Larse... Mon, 10/10/2011 - 04:27


Yes, I upgraded from 5.2 to 5.3 and have the following problems:

Network connectivity error when trying to access the "vendors" and "network devices" sites in the web gui

System error when trying to edit an internal user...

No change after installing backup.

Did it on two different ACS - same problem.

I will now try a complete reimage...

ewood2624 Mon, 10/10/2011 - 08:06

I'm hoping not to have to reimage the appliance.  Keep us posted on if you find any other issues.

jacksoncm0204 Mon, 10/10/2011 - 15:23

I upgraded. Running the version. I seem to have an issue specific to the MSNPAllowDialin=True string when using AD. I can validate group membership but the directory attributes seem to cause problems.

ewood2624 Tue, 10/11/2011 - 08:52

I remember reading that one of the new features on the release notes had something to do with Dial-In Attribute Support:

Dial-In Attribute Support

The Dial-In Attribute feature enhancement includes:

• Dial-in permissions

You can allow, deny, and control access of dial-in permissions of a user. The permissions are checked during authentications or queries from Active Directory. It is set on the Active Directory dedicated dictionary.

• Callback

You can set up callback options. The server calls the caller back during the connection process if this option is enabled. The phone number that is used by the server is set either by the caller or the network administrator.

C8602260424 Mon, 10/17/2011 - 08:26

I upgraded using the upgrade support bundle, from 5.1 to 5.2 to 5.3. No issues upgrading, but the tabs under the Dashboard disappeared when trying to access in both IE8 and Firefox. So brought appliance back to 5.1 factory and used upgrade bundle to go from 5.1 to 5.3. No issues upgrading, Dashboard back and fully functional.

I am seeing strange behavior though from my 7945 Cisco IP Phones. When they authenticated in 5.1 no issues. In 5.3 they authenticate and then a minute later fail with error 5411 EAP session timed out. When I check, the phone works fine and appears authenticated on the switch. So the failure might be a bogus message but not sure. Has anyone had this issue in 5.3?

dal@alesund.kom... Fri, 10/21/2011 - 03:26


I upgraded using the bundle.

But now the Process status info tells me this:

View-database:  Does not exist 

View-logprocessor: not monitored 

At the same time, I have this message in the Alarms Inbox:

The View 5.2database has been upgraded to 5.3 and is ready for activation.

So the question is: How do I activate it?


After another reload of the server, the view-database has now status of running.

But the view-logprocessor is still not monitored.

What does not monitored mean?

And the Cisco ACS View Dashboard is empty, but I guess that's related?

What now?


jrabinow Fri, 10/21/2011 - 06:12

Go to following link:

Monitoring and Reports->Launch Monitoring & Report Viewer

Monitoring Configuration > System Operations > Data Upgrade Status

Should be an option there to see status of upgrade and activate the database

dal@alesund.kom... Fri, 10/21/2011 - 07:02

Hi, and thanks for answering.

I see the Data Upgrade Status, and it says Upgrade completed successfully.

But other than that, the page is completely empty. No buttons, no link, nothing except that short message.

jrabinow Fri, 10/21/2011 - 07:16

There should be an option to "Switch Database". I thought it was on this page.

dal@alesund.kom... Fri, 10/21/2011 - 11:18

Well, it's not.

Luckily, our ACS runs on VMWare, so it was easy to revert back to v5.2.

Crap. Cannot have a radius server without a working log service. So it stays v5.2 until maybe some of the ACS programmers can answer this?


jrabinow Sun, 12/25/2011 - 12:09

Some updates.

First my mistake and there is no longer a "Switch Database" option after the upgrade

Second there is a patch available for ACS 5.3 (patch 1 - 5-3-0-40-1) that includes a fix for the following issue as taken from the release notes

CSCtu15651    ACS view upgrade failure

  This issue occurred during application upgrade from 5.1 or 5.2 to 5.3. After upgrade view-logprocessor is not started. The customer is advised to install this patch if view data upgrade was failed. The upgrade procedure happens successfully when the service is restarted at time of patch installation.

dal@alesund.kom... Fri, 10/28/2011 - 08:13

I got it up and running now.

I reverted back to v5.2. After I did that, I found out the clock wasn't set right.

After I synced it against our NTP server, I tried upgrading again, and this time I had no problems.

I still had to build the Dashboard manually, though.

Maybe this is the problem for some of you others here too?

JUSTIN LOUCKS Fri, 10/28/2011 - 07:47

We are having this same issue after upgrading from 5.1 to 5.2 and I have not been able to get it resolved.  We are using the 1121 physical server appliance so no way to go back.  I just cannot figure out why that 'view log-processor' will not go to Monitored. Without it, we appear to have no visibility to the reports.  We are seeing the following in the contents of the associated log file if anyone can make sense of it.

Oct 18 2011 16:42:36 INFO main Acs.MGMT.ACSVIEW Log processor initializing...

Oct 18 2011 16:42:36$ DEBUG ShutdownListener Acs.MGMT.ACSVIEW Listening for shutdown

ayhan.guec Wed, 10/26/2011 - 01:36


After an upgrade from version 5.2 to 5.3 using the Application Upgrade Bundle we face the following problems:

#show application status acs


Process 'database' running

Process 'management'  running

Process 'runtime' running

Process 'adclient' running

Process  'view-database' running

Process 'view-jobmanager' running

Process  'view-alertmanager' running

Process 'view-collector' running

Process  'view-logprocessor' Restarting

After a while:

Process 'database' running

Process 'management' running

Process 'runtime'  running

Process 'adclient' running

Process 'view-database'  running

Process 'view-jobmanager' running

Process 'view-alertmanager'  running

Process 'view-collector' running

Process 'view-logprocessor' not  monitored

Any ideas what could be the reason for this behaviour and how to fix it?

After the upgrade we get also this error in the "Cisco Secure ACS View":

"Data Upgrade Failed. Click here to view details"

Internal Error. Please see  below: An unexpected error has occured. If this error continues, please contact  Cisco Technical Assistance Center Error Type ACS Server Exception Error  Summary


Error Cause

Possible  Workaround

An unexpected error has occured. If this error continues, please  contact Cisco Technical Assistance Center View Stack Trace Hide Stack Trace  Server Stack Trace  java.lang.NullPointerException

sun.reflect.NativeMethodAccessorImpl.invoke0(Native  Method) sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)  sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)  java.lang.reflect.Method.invoke(Unknown  Source)

org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process($  Source)

It seems that the applet class is not found in the specified path to run. I remember that cumulative patches for version 5.1 fixed this problem. Are there any patches for version 5.3 available ?

It would be great if you could provide me a solution / workaround


ewood2624 Wed, 10/26/2011 - 04:47

Does a software reboot give you the same error as a cold reboot?

ayhan.guec Wed, 10/26/2011 - 05:25

Hi ewood,

we tried both variants of rebooting (soft & cold) but still the same error.

vciric Mon, 10/31/2011 - 04:46

After upgrading from 5.2 to 5.3 we got:

Process ‘view-database’ Restarting

After restarting the ACS appliance all processes have been running.

robdowson Mon, 12/05/2011 - 04:05

TAC have managed to replicate this from my ACS backups - and have raised bug CSCtw59271 for me for this issue:

Random Network Device corruption after upgrade from ACS 5.2 to 5.3.
After application upgrade from ACS 5.2 to 5.3 some Network Devices experience corruption. (Not all NDs are corrupt, only a few).

* Symptom 1: Some Network Devices give the following error on clicking them: "This System Failure occurred: Has empty AVPAir. Your changes have not been saved. Click ok to return to the list page"
* Symptom 2: Some Network Devices which were working before the upgrade start failing authentication with reason "NDG is not known or has the wrong key". Once the TACACS key is modified/or just edited to be the same key, they start passing authentication.

Upgrade of ACS 5.2 to 5.3.

Modifies the TACACS+ shared secret of the Network Device, re-enter the same key and save the Network device

No fix - but the workaround is just what I was doing - for a device not authenticating, make any change to the TACACS key and then put it back - and auth works again. For a corrupt device - just delete and re-add. Annoying - but once you know, it's not a big issue.


robdowson Mon, 11/14/2011 - 04:02

We upgraded a few weeks ago using the upgrade bundle from 5.2 to 5.3.

The upgrade itself went fairly smoothly - but I had to manually reboot each ACS (primary and secondary) during the upgrade - instead of them rebooting themselves automatically. Had to sit on my hands for an hour to stop me rebooting it in case it really was still doing something - but gave up and rebooted in the end and came back up fine.

Also had some very odd issues with network devices seemingly being 'corrupted' as well.

I did a fresh install at 5.2 - and used the bulk import to import all our ND's from the CSV file - and I've found (on 5.2 as well) that some of them look ok - but they don't authenticate (and no messages in the ACS View at all - not even saying eg. wrong tacacs key or IP etc) - until you make some sort of change to the tacacs key - eg. add a '1' onto the end of the string - and then remove it again (back to the same key) - and it suddenly starts working. TAC seem to think this may be 'non unicode characters' issue in the key - but lots of our keys are the same - and I created the CSV file with all devices (eg. copy & paste) - so don't see how some work and some don't - and I would have thought that the import tool should pick that up anyway?

Since the 5.3 upgrade - I then had some issues with some ND's showing a very odd error when you clicked on them in the network devices list - "This System Failure occurred: Has empty AVPair.. Your changes have not been saved. Click ok to return to the list page" - so you couldn't even view what was in the ND. Each ND needed to be manually deleted - and then re-added - and then worked fine - so I think this is an upgrade ND-corruption issue - but TAC can't replicate or see anything in any backups etc. Not a major issue as we just deleted ND's and re-created - but a bit of a pain.

Anyone else seen any similar issues?

Apart from that - all is good with 5.3. Quite a few little things seem to have been fixed along the way as well.

brock0150 Tue, 11/15/2011 - 07:09


I had that same issue with importing from a CSV file. However, it was with 5.2. Very strange indeed.

On a side note, It seems I can no longer authenticate to my child domain. Everything looks fine, including the directory groups and the policies. Pretty annoying.

BuddeMcBudde Thu, 12/01/2011 - 13:49

I had the same issue with the TACACS keys in 5.2.  Nothing shows up in the logs for some devices.  Copy and pasting the key or even resubmitting and it works.

zheka_pefti Tue, 12/06/2011 - 22:57

Can anyone shed some light on whether I can restore the backup made on ACS5.1 to the freshly installed ACS5.3 ?

Secondly, can I have ACS administrators/users authenticate using an external Identity Store, i.e. Microsoft AD ?

robdowson Fri, 12/09/2011 - 08:51

I've seen the TAC guys say they've restored a 5.2 backup onto a 5.3 - so I guess it must be possible - but haven't done it myself.

I believe ACS administrators have to be local ACS users - don't think they can be linked to AD. If it is possible - let me know!

There's also the ADE user (admin) - from the ADE CLI - it looks like you can define a TACACS server for that as well - but I wasn't sure about the sanity of having the login to the ADE relying on ACS - if you're trying to login to ADE to fix ACS - so I didn't try that myself!


zheka_pefti Fri, 12/09/2011 - 14:08

Ok, let's call them ACS users, not administrators. Our client has a strict requirement to have all user ID integrated with just one Identity source which is Microsoft AD. What's ADE user, Rob ?

craig.bache Fri, 12/09/2011 - 15:18

Hi All

Upgrading ACS from 5.1 to 5.3, do I need a base image for 5.3 or can I just upgrade from the Cisco download page: ACS_5.3.0.40.tar.gz.

Regards Craig

jrabinow Sun, 12/11/2011 - 13:23

You can upgrade from ACS 5.1 directly to ACS 5.3. See

Note there have been some issues with log collection starting after upgrade to ACS 5.3, as reported earlier in this thread

There is a patch scheduled to be released in about a week that will resolve one of these issues:

CSCtu15651 ACS view upgrade failure

and it may be worth waiting to upgrade until that patch becomes available

zheka_pefti Mon, 12/12/2011 - 15:07

What would be the less painful and more preferred way to have ACS5.3 running with data and configuration from ACS5.1?

Would it be easier to restore the backup done on ACS5.1 to ACS5.3 or I have to have ACS5.1 freshly installed, restored the backup and then upgrade to ACS5.3 ?

jrabinow Sun, 12/11/2011 - 13:15

The next release of ACS, 5.4, will have an option for administrators to be retrieved from an external store such as active directory

zheka_pefti Mon, 12/12/2011 - 16:47

Another thing I ran into while researching on potential methods of upgrade to ACS5.3

But first of all I wanted to see how the restore on ACS5.3 works. To do it I first made a backup to the remote software repository via TFTP and then deleted all configuration for all devices, profiles, policies and users from the server. The next logical step is to try a restore. I followed the above mentioned Cisco's guide and was surprised that it didn't work.

Copying the output from ACS CLI:

acs53/admin# restore acs53-ACS53-111212-1630.tar.gpg repository Backup

Restore requires a reboot to successfully complete. Continue? (yes/no) [yes] ?

find: backup/cars: No such file or directory

% No operating system data found in this backup. Use the 'application option to restore an app-specific backup

Question 1: Why the heck does ACS expect to find any operating system data if it is just the backup of the configuration?

Question 2: What is the application option to restore app-specific backup?

These are all application CLI options available:

acs53/admin# application ?

install       Install An Application Bundle

remove        Uninstall An Application

reset-config  Reset application configuration to factory defaults

start         Start an Application

stop          Stop an Application

upgrade       Upgrade An Application Bundle

Question 3: What am I doing wrong ?

jrabinow Mon, 12/12/2011 - 23:23

There have been issues seen with using tftp for large file sizes; like a backup and restore. It is recommended to use ftp

There are two flavors of backup commands:

  • backup repository

On primary will backup OS config + ACS db. On secondary will backup OS config only

  • acs backup repository

On primary will backup ACS db. Nothing to backup on secondary.

Similarly restore. The restore you are looking will therefore look for operating system data which may not be there due to tftp issues

zheka_pefti Tue, 12/13/2011 - 00:01

Ok, lesson learned, never use TFTP. But why the heck it is available as the protocol option? Who wants to invite problems anyway ? Quick question though. What's the difference between OS config and ACS db. I mean what would I need to back from the OS if it is hardened Red Hat Linux and we only work with ACS application.

jrabinow Tue, 12/13/2011 - 00:31

By ACS db I am referring to the configuration information for ACS performed from within the ACS application

It is possible to make changes to the OS config from the CLI and this is what gets backed up when OS config is backed up. It is less relevant if use the ACS GUI only

There are issues historically with tftp. The original protocol has a file size limit of 32 MB. This was later extended to 4 GB. So need to also make sure that tftp servers supports larger files. I will try and ascertain status of tftp support

zheka_pefti Tue, 12/13/2011 - 00:38

Aha... My backup file is only 6 MB of size. Then I wouldn't expect any size limitation for TFTP. The actual error message was about not being able to find operating system data in the backup and I did the backup using the first option via CLI (see your listing of two flavours). Does it mean there's still an underlying problem with TFTP or I'm missing something?

robdowson Tue, 12/13/2011 - 04:17


>What's ADE user, Rob ?

ADE is Application Deployment Engine - which is the OS that the ACS 'application' runs on. ie. cisco have developed their flavour of linux into a hardened OS - that they then run ACS and other applications on.

When you connect to the CLI - that's ADE - so that's your 'admin' user. When you connect to the web-interface and login with 'acsadmin' - that's ACS.

So you've got:

- ADE users - eg. admin - local to the box (although there's options to refer to a TACACS server as I mentioned (but haven't tried))

- ACS Administrators - eg. acsadmin - local to ACS - but in ACS 5.4 - may be able to refer to external user directories

- ACS users - ie. users you create in ACS (we don't have any as we're using our Active Directory for all user-auths)

Same ACS/ADE split with the backups:

- ACS backup just backs up the ACS configuration. Can do scheduled backups from the GUI. Comes from the primary only

- 'backup' backs up ACS + ADE (console/ssh - and 'show run') - but only manual from CLI. If you run from the secondary - only includes ADE config


praetoleiad Wed, 01/18/2012 - 05:55

Freshly successfully installed an ACS on a VMWare. I am having a problem in accessing the web GUI. A console PC residing on the same network with the ACS can ping but cannot browse through the ACS' Web GUI. Please help. Do I miss out some needed configuration to have it accessible? Thanks!!!

jrabinow Wed, 01/18/2012 - 06:08

Couple quick first suggestions

login as "admin" into CLI on box and check that all services are running with the following command

show application status acs


Process 'database'                  running
Process 'management'                running
Process 'runtime'                   running
Process 'view-database'             running
Process 'view-jobmanager'           running
Process 'view-alertmanager'         running
Process 'view-collector'            running
Process 'view-logprocessor'         running

Check that all processes are running; especially management

If not issue the following commands to restart the processes and then check again

application stop acs

application start acs
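
The status check described in the post above, as an added example that is not part of the original thread or any Cisco tooling: it parses saved `show application status acs` output and reports every process that is not `running`, including the case where the command returns no process lines at all. The function names and the sample text are constructed for illustration; the expected process list is taken from the listing in the post above.

```python
import re
import sys

# One line of `show application status acs`, for example:
#   Process 'view-logprocessor' not  monitored
# Tolerates straight or typographic quotes and irregular spacing, both of
# which appear in output pasted into this thread.
LINE_RE = re.compile(r"^\s*Process\s+['‘’]([\w-]+)['‘’]\s+(.+?)\s*$")

# Processes listed for a healthy node in the post above (assumption: the
# node is not required to run 'adclient', which only appears with AD).
EXPECTED = (
    "database", "management", "runtime",
    "view-database", "view-jobmanager", "view-alertmanager",
    "view-collector", "view-logprocessor",
)

# Constructed sample in the format posted earlier in the thread.
SAMPLE_DEGRADED = """\
Process 'database' running
Process 'management' running
Process 'runtime'  running
Process 'adclient' running
Process 'view-database'  running
Process 'view-jobmanager' running
Process 'view-alertmanager'  running
Process 'view-collector' running
Process 'view-logprocessor' not  monitored
"""


def parse_status(text):
    """Return {process name: normalized state} for every Process line."""
    states = {}
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            # Lower-case and collapse whitespace: "not  monitored" -> "not monitored"
            states[match.group(1)] = " ".join(match.group(2).lower().split())
    return states


def unhealthy(states, expected=EXPECTED):
    """Return processes that are not running or are absent from the output."""
    problems = {name: state for name, state in states.items() if state != "running"}
    for name in expected:
        if name not in states:
            # Also covers an error reply with no Process lines at all.
            problems[name] = "missing from output"
    return problems


if __name__ == "__main__":
    # Usage: paste or pipe captured CLI output on stdin.
    found = unhealthy(parse_status(sys.stdin.read()))
    for name, state in sorted(found.items()):
        print(f"{name}: {state}")
    if "management" in found:
        print("management is not running: the web GUI will not be reachable")
    sys.exit(1 if found else 0)
```

A non-zero exit code means at least one process needs attention before trusting the node for logging or authentication.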

praetoleiad Wed, 01/18/2012 - 16:35


I have checked the status of the ACS but the ADE can't display any application. Output is "error finding status information for the application:acs". I am trying to start and stop the ACS via the ADE but it can't start the application. "application failed to start".

George Stefanick Sun, 04/29/2012 - 09:56


Did you ever get your issue resolved ?

praetoleiad wrote:


I have checked the status of the ACS but the ADE can't display any application. Output is "error finding status information for the application:acs". I am trying to start and stop the ACS via the ADE but it can't start the application. "application failed to start".

phardy Tue, 04/10/2012 - 08:48

Hi ,

using version 5.3 upgrade 5-3-0-40-2.

Not able to add more than 10 TACACS attributes when trying to configure a Shell profile for my WCS wireless controller. It kicks me out. I then decided to use WCS on local mode. Any help will be highly appreciated.

jrabinow Tue, 04/10/2012 - 08:52

Yes. There is an issue on patch 2 as follows:

CSCtx18638     Cannot add custom shell attribute with keyword alert          

This is resolved to be resolved in patch 3 which is due to be released early next week.

Issue was introduced on patch 1 of ACS 5.3 so to work around that will need to remove all 5.3 patches

jrabinow Mon, 04/16/2012 - 09:40

Patch 3 for ACS 5.3  has now been posted on CCO and includes a fix for

CSCtx18638     Cannot add custom shell attribute with keyword alert 

larsen_2011 Mon, 04/16/2012 - 09:55


I have already downloaded the patch, but I cannot see the release notes  - I would like to check what else has been fixed.

Does it get posted later ???


jrabinow Mon, 04/16/2012 - 10:04

I think it is just taking time to make its way through the system

I am posting the list of CDETS below. Note there are a significant number of fixes related to interaction with active directory

- CSCtx11180    ACS sometimes fails to fetch group info for users in trusted domain

- CSCtw71563   ACS gets disconnected from AD if received duplicate A records for DC

- CSCtu15832    ACS 5.2 will not recover from an RPC failure with a domain controller                             

- CSCtx71254    ACS 5.3 disconnecting from AD "unlatch" is seen in adclient logs

- CSCty19628    Unassign Mschapv2 group retrieval failure  Duplicate of CSCtx11180

- CSCty60915    ACS 5.3 pre-authentication failures with AD for some users  

- CSCtw59129   ACS5 tries to contact domains not in trusted list based on username 

- CSCty11627    ACS5 sends MS-CHAP-MPPE-Keys attribute in all access-accept packets.                     

- CSCtx90637    ACS MSCHAPV2 is not hashing the mschap success correctly             

- CSCtx18638    Cannot add custom shell attribute with keyword alert

- CSCtx83260    NDG locations not showing up on GUI

- CSCts14694    Accounting requests seen as authentication requests

- CSCty60512    User auth fail when having Authorization rule with built-in group

- CSCtz03041    AD Agent cores management                                       

- CSCty88457    ACS support bundle does not include adclient core files            

- CSCtz03084    /opt and /var full-Large ADAgent file containing file descriptor errors      

- CSCtz03036    AD Agent cache should be flushed when core is generated                                

- CSCtz03943    ACS exposes the AD account username and password

Carlos_Tonao Tue, 04/17/2012 - 07:13

Hello, I have the following situation, when testing compatibility with Juniper Devices:

At first we used the Custom Attributes Juniper as Optional, but when trying to log into the switch a permission error occurred.

By modifying the Custom Attribute to mandatory, we had success in testing juniper switch.

Nonetheless, we had problems using mandatory attributes with C6500. The workaround was to change it to optional.

The first solution that we think is a rule only for Devices that use the IOS and other rule to other vendors that requires mandatory attributes.

But in order to minimize the number of rules we would like to try another solution if one exists. If you know a way to make the Juniper Devices work with optional attributes would be helpful. Thus our groups who have full access does not need more than one rule.

Follows printscreen with the configuration with custom attributes configured in the shell profile used in the tests.

d1pol01978 Wed, 07/25/2012 - 03:24


We've exactly the same problem with using a common shell profile for cisco devices and juniper devices.

So far, we've created a separate rule and profiles for cisco and juniper devices.

I've got information that ACS will send optional attribute once asked for it.

I'm not sure if juniper (in our example switch) requests for this attribute or not.

Have you managed to solve this issue ?

Any more ideas ?

Carlos_Tonao Wed, 07/25/2012 - 05:58

Good morning D1pol01978.

The recommendation of Cisco's.

Keep the rules separate


