Cisco Support Community

ACS 4.0 internal database replication problem

I have an ACS 4.0(1) for Windows server with an internal database failing to replicate to a second 4.0(1) server over the WAN.

The two sites are connected by a PIX VPN. The primary is running 7.0(4). The secondary is running 6.3(3). The ACS servers are on the same L3 segment as the PIX internal interfaces. We are not NATing (nonat) on the VPN between the two sites.

A sniff of the replication traffic on the primary server shows a TCP session setup on port 2000 as expected. The primary server sends two PSH packets and sees an ACK for each from the secondary. The primary sends out no more packets and five minutes later issues a RST.

A concurrent sniff on the secondary server shows the session setup (3 packets). It does not receive or reply to the two PSH packets from the primary. The only other packet it sees is the RST five minutes later.

I ran a capture on the inside interfaces of the PIXes and found that the PIX at the primary site receives the TCP PSH and shows replies. The PIX at the secondary site does not send out the TCP PSH or show replies.

I have heard that earlier versions of ACS may have had problems conducting internal replication over a VPN. I can accept that 4.0 may not be able to do this. What I am trying to find out is:

1. How can I see an ACK from the secondary ACS server to the primary's PSH when the secondary never receives the PSH? There are no proxy or caching servers in the path.

2. What is it about the TCP PSH packet that it does not make it through the tunnel when the SYN packets do?

I have attached the capture that has been run on each of the PIXes.
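
The post's method is to take concurrent captures of the same session at several vantage points and compare them. As an added example (not code from the original thread, and not the poster's capture files), the Python below does that comparison mechanically: it lists segments recorded at one vantage point but absent at the other, flags ACKs that the far end could not have generated from what its own capture shows arriving (the question 1 symptom), and checks whether the segments that vanish are exactly the large payload-carrying ones while the small handshake segments pass, which would point at a path MTU or fragmentation problem across the tunnel rather than a filter on flags (one hypothesis for question 2, not a claim about this poster's root cause). The addresses, port and segment lists are constructed to mirror the symptoms described; a real run would load the two pcaps with a library such as dpkt or scapy and build the same Segment records.

```python
"""
Correlate two concurrent captures of one TCP session taken at two vantage
points (here: the primary and secondary ACS servers) and explain where the
session diverges. Added example; the packet records are constructed, not
taken from any real capture.
"""
from dataclasses import dataclass
from typing import Dict, List

PRIMARY = "10.1.1.10"     # hypothetical primary ACS address
SECONDARY = "10.2.2.10"   # hypothetical secondary ACS address


@dataclass(frozen=True)
class Segment:
    t: float       # capture timestamp in seconds (not used for matching)
    src: str
    dst: str
    flags: str     # TCP flags, e.g. "S", "SA", "A", "PA", "R"
    seq: int       # relative sequence number
    ack: int       # relative acknowledgement number
    length: int    # TCP payload bytes


# Constructed capture on the primary: handshake, two PSH/ACK data segments
# (each apparently ACKed by the secondary), then a RST five minutes later.
PRIMARY_CAP: List[Segment] = [
    Segment(0.000, PRIMARY, SECONDARY, "S", 0, 0, 0),
    Segment(0.050, SECONDARY, PRIMARY, "SA", 0, 1, 0),
    Segment(0.050, PRIMARY, SECONDARY, "A", 1, 1, 0),
    Segment(0.100, PRIMARY, SECONDARY, "PA", 1, 1, 1400),
    Segment(0.150, SECONDARY, PRIMARY, "A", 1, 1401, 0),
    Segment(0.200, PRIMARY, SECONDARY, "PA", 1401, 1, 1400),
    Segment(0.250, SECONDARY, PRIMARY, "A", 1, 2801, 0),
    Segment(300.200, PRIMARY, SECONDARY, "R", 2801, 1, 0),
]

# Constructed capture on the secondary: handshake and the RST, nothing else.
SECONDARY_CAP: List[Segment] = [
    Segment(0.025, PRIMARY, SECONDARY, "S", 0, 0, 0),
    Segment(0.025, SECONDARY, PRIMARY, "SA", 0, 1, 0),
    Segment(0.075, PRIMARY, SECONDARY, "A", 1, 1, 0),
    Segment(300.225, PRIMARY, SECONDARY, "R", 2801, 1, 0),
]


def _key(s: Segment):
    """Identity of a segment independent of where/when it was captured."""
    return (s.src, s.dst, s.flags, s.seq, s.ack, s.length)


def compare_captures(cap_a: List[Segment], cap_b: List[Segment]) -> Dict[str, List[Segment]]:
    """Segments present in one capture but not the other, in capture order."""
    keys_a = {_key(s) for s in cap_a}
    keys_b = {_key(s) for s in cap_b}
    return {
        "only_in_a": [s for s in cap_a if _key(s) not in keys_b],
        "only_in_b": [s for s in cap_b if _key(s) not in keys_a],
    }


def highest_byte_received(host: str, own_cap: List[Segment]) -> int:
    """Highest sequence number `host`'s own capture shows arriving.
    SYN and FIN each consume one sequence number; a bare ACK or RST consumes none."""
    top = 0
    for s in own_cap:
        if s.dst != host:
            continue
        consumed = s.length + ("S" in s.flags) + ("F" in s.flags)
        if consumed:
            top = max(top, s.seq + consumed)
    return top


def unexplained_acks(host: str, own_cap: List[Segment], peer_cap: List[Segment]) -> List[Segment]:
    """ACKs attributed to `host` in the peer's capture that acknowledge data
    `host`'s own capture never shows it receiving. Something between the two
    vantage points generated them, not the host's TCP stack."""
    top = highest_byte_received(host, own_cap)
    return [s for s in peer_cap if s.src == host and "A" in s.flags and s.ack > top]


def size_dependent(lost: List[Segment], delivered: List[Segment]) -> bool:
    """True when every lost segment carries more payload than any delivered one,
    i.e. loss correlates with size (MTU/fragmentation) rather than with flags."""
    if not lost:
        return False
    return min(s.length for s in lost) > max((s.length for s in delivered), default=0)


def diagnose() -> Dict[str, object]:
    diff = compare_captures(PRIMARY_CAP, SECONDARY_CAP)
    lost = [s for s in diff["only_in_a"] if s.dst == SECONDARY]
    delivered = [s for s in SECONDARY_CAP if s.dst == SECONDARY]
    return {
        "lost_to_secondary": [(s.seq, s.length) for s in lost],
        "unexplained_acks": [s.ack for s in unexplained_acks(SECONDARY, SECONDARY_CAP, PRIMARY_CAP)],
        "size_dependent": size_dependent(lost, delivered),
    }


if __name__ == "__main__":
    for k, v in diagnose().items():
        print(f"{k}: {v}")
```

On the constructed data this reports the two 1400-byte segments as lost towards the secondary, the ACKs for 1401 and 2801 as unexplained (the secondary's own capture shows only the SYN arriving), and the loss as size-dependent. The last check is what separates "the tunnel drops PSH" from "the tunnel drops anything bigger than a handshake segment"; in a real investigation the next step would be to look at the DF bit and the tunnel MTU rather than at TCP flags.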

1 REPLY

Re: ACS 4.0 internal database replication problem

If you make a change in the Access Policy under Administration Control and then replicate the change to another appliance, the changes are not enforced on the receiving appliance.

Workaround: On the receiving (secondary) appliance, do one of the following:

Click Submit on the Access Policy page, or reboot the secondary appliance.

http://www.cisco.com/en/US/products/sw/secursw/ps5338/prod_release_note09186a00805efcbc.html
