Cisco ACS installation issue

Answered Question
Oct 27th, 2013

Hello everyone.
I am installing Cisco ACS 4.2 on Windows 2008 64-bit and getting a very strange error while installing. V:ismg_israel_acs it's giving some crypto error.
Can anyone who has encountered the same problem please help me out with it? My project at the office is stopped because of it.
Thanks in advance.


Sent from Cisco Technical Support Android App


Jatin Katyal Sun, 10/27/2013 - 07:44

Are you upgrading ACS from any prior version, or is this a fresh installation?

Sent from Cisco Technical Support Android App

Rizwan Khan Mon, 06/16/2014 - 14:42

Hi Jatin,

Hope you are doing well. I need your help again with ACS database replication; earlier I was able to do that successfully. Now I want to do replication between 2 other ACS servers. The issue I am facing is that there is no error in the ACS replication log. It just says "outbound replication started" and sits there; no other error message is shown. I can successfully telnet to the secondary server's destination port 2000. But when I hit the replication button on the primary server, I do not observe any hit count on my ASA ACL in which I allowed TCP 2000 to the destination secondary server. I also checked my syslog server for any traffic denied between these 2 ACS servers but found nothing. Can you please share a solution, if any?

I am using Release 4.2(0) Build 124 on both servers.

Correct Answer
Jatin Katyal Sun, 10/27/2013 - 12:19

Hi Rizwan,


If you're upgrading ACS from some prior version then I think you're getting something like this: V:\ismg_israel_acs\Acs\Crypto\init.cpp


You need to locate the old CryptoAPI container used by ACS, which may still be on the system. This is normally located in C:\Documents and Settings\<name of user who installed ACS>\Application Data\Microsoft\Crypto\RSA.


There will be one or more files there with very long hexadecimal file names. You need to identify the right one.


Open a Command Prompt in that folder and type "findstr /I CiscoSecure *.*" - the filename that appears should be the old ACS container.


Let me know if you are able to find any such file.



~BR
Jatin Katyal

**Do rate helpful posts**

Rizwan Khan Sun, 10/27/2013 - 13:10

Hi Jatin.
Thank you so much for the help. It worked for me. I am able to install ACS.
Now I am having another issue. I want to do ACS replication. I have been able to do so via GNS3. But things are not working for our production servers. The servers are at 2 different geographic locations. Both sites are connected via VPN terminating on Cisco ASA. I have allowed TCP 2000, which is required for replication, for both servers, and checked it via telnet, which means the VPN is OK. I have followed the procedure by giving the same key to both servers. I made one primary and the other secondary. But when I click on the (replicate now) tab, it stops there. When I look at connections in both sites' firewalls there is an active connection but no data is transmitted, and the connection stays idle. After some time the TCP connection gets terminated. Do you have any idea about this issue? Is it something related to the self IP change in ACS?
Thank you in advance.



Sent from Cisco Technical Support Android App

Jatin Katyal Sun, 10/27/2013 - 13:20

If you see the loopback IP address (127.0.0.1) as a server IP address then yes, it's a known issue. It would not work until you correct the IP address.


If that's the case, please follow the document listed below, which I created on the same issue, to correct the IP address.

https://supportforums.cisco.com/docs/DOC-36622


After that please go and check on the primary and secondary server what you see under Reports and Activity > Replication Logs. Please copy/paste the log entries here.



~BR
Jatin Katyal

**Do rate helpful posts**

Rizwan Khan Sun, 10/27/2013 - 13:44

Jatin.
Thanks for the prompt reply. I also saw the loopback address when I installed ACS. But I was able to change its IP by simply clicking on it; I gave the actual IP address of my server and set the key also. I did the same thing on the second ACS. Is that the correct way of doing it? Secondly, just to mention, I am not using the AAA appliance. It's a Windows 2008 64-bit box and the other is Windows 2008 32-bit. Can an OS mismatch create any issue? Another thing: I had to turn on compatibility mode to make ACS 4.2 install on my 64-bit box. Otherwise it was not allowing me to install, popping up a message "this version of ACS is not correct for this OS". It was not the exact message, but I have posted the meaning of the message I got.
I am not in the office right now, else I would have pasted the ACS log messages to you. But I am asking as I was able to simulate the whole scenario in GNS3 with 2 Cisco ASAs connected via VPN, and I was able to replicate the database without doing anything special. I just followed the procedure.

Sent from Cisco Technical Support Android App

Jatin Katyal Sun, 10/27/2013 - 13:56

Hi Rizwan,


If you don't see loopback IP addresses any more then that should be fine.


Different Windows versions should not be an issue. You should have the same version of ACS code.


Windows OS 64-bit is not compatible with ACS 4.2.0.124; support for 64-bit OS was introduced in ACS 4.2.1.15. You need to further upgrade to 4.2.1.15.


Since you cannot provide the error message from the ACS servers, I am adding a configuration example. Please make sure you have configured everything the way we have explained in it.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080742f60.shtml


~BR
Jatin Katyal

**Do rate helpful posts**

Rizwan Khan Sun, 10/27/2013 - 14:13

Hi Jatin.
Thank you so much for helping me out. I referred to the same document when I did replication successfully in my simulation. One thing the document says is to make sure no other service is running on TCP 2000. Whereas in my office some QA team is using TCP 2000 for some servers other than the ACS server. Can this be an issue? I am not able to figure out in what context the document is referring to TCP 2000.


Sent from Cisco Technical Support Android App

Jatin Katyal Sun, 10/27/2013 - 14:20

The best way to check this is to look inside the secondary's logs under Reports and Activity > Replication Logs. Even if you see some errors, that means the servers are communicating over TCP 2000. Or you can put an access-list/captures on the firewall and log it to ensure it's being used between the servers.



~BR
Jatin Katyal

**Do rate helpful posts**

Jatin Katyal Sun, 10/27/2013 - 14:28

Here are some common issues/misses I've seen so far:


1.) Please verify that both of your servers are running exactly the same ACS version and build. You can verify this at the bottom of the screen when you first log in using the HTTP or GUI interface. Please provide me the full ACS version.



2.) Next, check to make sure that you are sending and receiving the replication component correctly. On the primary server, the replication component should be checked for "send" and on the secondary, the replication option should be checked for "receive".



3.) The primary server must be configured as an AAA server and must have a key. The secondary server must have the primary server configured as an AAA server, and its key for the primary server must match the primary server's own key.



4.) Then I would like you to check the secondary server's partner list, to make sure that it is blank. You should not enter any servers into the partner list on the secondary server. However, the primary server should have all secondary servers listed in its partner list.


5.) Also make sure you're not replicating over NAT.


Let me know if that helps.





~BR
Jatin Katyal

**Do rate helpful posts**

Rizwan Khan Sun, 10/27/2013 - 14:50

Jatin.
I'll check it out and will post to you tomorrow. You have been a great help, brother, and I would like to thank you for the help.


Sent from Cisco Technical Support Android App

Jatin Katyal Sun, 10/27/2013 - 14:59

NP... I look forward to helping you on the same if required.



~BR
Jatin Katyal

**Do rate helpful posts**

Rizwan Khan Sun, 10/27/2013 - 22:28

Hello Jatin.
I have been searching over the internet and found that skinny protocol inspection can create issues with ACS replication. Now I want to change the ACS replication port to something other than 2000. The documents say to go to Interface, then Advanced Options, and check the ACS communication port. I am not able to see that option in the advanced settings. Any idea about it?


Sent from Cisco Technical Support Android App

Correct Answer
Jatin Katyal Mon, 10/28/2013 - 00:11

The ACS replication port can only be changed in version 4.2.1.15; you need to upgrade the ACS code before you see that option.


Sent from Cisco Technical Support Android App

Rizwan Khan Mon, 10/28/2013 - 06:34

Jatin,

I am able to successfully do ACS database replication now. The issue was that my firewalls were inspecting the skinny protocol, which uses TCP 2000. I disabled the inspection and the replication started working.

Thank you so much for the help you have given. You have been a great help.
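The root cause Rizwan describes, written out as an added ASA configuration example (not from the thread or from Cisco documentation): the default global service policy inspects SCCP (skinny) on TCP 2000, so the inspection engine parses ACS replication traffic on that port and the session stalls after the TCP handshake. The ACS host addresses are placeholders.

```cisco
! Before: ASA default service policy. The inspection_default class
! applies the SCCP (skinny) inspection engine to TCP 2000, which is the
! same port ACS 4.2 uses for database replication. Symptom seen in this
! thread: telnet to port 2000 succeeds, the firewall shows an idle
! connection, no replication data flows, then the session times out.
policy-map global_policy
 class inspection_default
  inspect skinny
service-policy global_policy global

! After: remove SCCP inspection from the global policy on the ASA at
! both ends of the VPN. The existing ACL permitting replication between
! the two ACS servers stays in place (addresses are placeholders).
policy-map global_policy
 class inspection_default
  no inspect skinny

access-list VPN_IN extended permit tcp host 192.0.2.10 host 198.51.100.10 eq 2000
```

Removing `inspect skinny` globally also affects any SCCP IP phones that traverse the same ASA; if that matters, exempt only the two ACS hosts from inspection in a dedicated class, or move replication off port 2000 once the servers are on ACS 4.2.1.15 or later, where (as Jatin notes above) the replication port becomes configurable.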

Jatin Katyal Mon, 10/28/2013 - 06:38

That's great news. Glad CSC could help you resolve the issue.

Have a great day.



~BR
Jatin Katyal

**Do rate helpful posts**
