Cisco Support Community

New Member

ACS 5.3

Has anyone updated to ACS 5.3 yet? If so, any complications?

Sent from Cisco Technical Support iPad App

47 REPLIES
New Member

ACS 5.3

Hi,

Yes, I upgraded from 5.2 to 5.3 and have the following problems:

Network connectivity error when trying to access the "vendors" and "network devices" sites in the web GUI

System error when trying to edit an internal user...

No change after installing backup.

Did it on two different ACS - same problem.

I will now try a complete reimage...

New Member

ACS 5.3

I'm hoping not to have to reimage the appliance.  Keep us posted on if you find any other issues.

New Member

ACS 5.3

I upgraded. Running the 5.3.0.40 version. I seem to have an issue specific to the MSNPAllowDialin=True string when using AD. I can validate group membership, but the directory attributes seem to cause problems.

New Member

Re: ACS 5.3

I remember reading that one of the new features on the release notes had something to do with Dial-In Attribute Support:

Dial-In Attribute Support

The Dial-In Attribute feature enhancement includes:

• Dial-in permissions

You can allow, deny, and control access of dial-in permissions of a user. The permissions are checked during authentications or queries from Active Directory. It is set on the Active Directory dedicated dictionary.

• Callback

You can set up callback options. The server calls the caller back during the connection process if this option is enabled. The phone number that is used by the server is set either by the caller or the network administrator.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/release/notes/acs_53_rn.pdf

New Member

ACS 5.3

I upgraded using the upgrade support bundle, from 5.1 to 5.2 to 5.3. No issues upgrading, but the tabs under the Dashboard disappeared when trying to access in both IE8 and Firefox. So brought appliance back to 5.1 factory and used upgrade bundle to go from 5.1 to 5.3. No issues upgrading, Dashboard back and fully functional.

I am seeing strange behavior though from my 7945 Cisco IP Phones. When they authenticated in 5.1 no issues. In 5.3 they authenticate and then a minute later fail with error 5411 EAP session timed out. When I check the phone works fine and appears authenticated on the switch. So the failure might be a bogus message but not sure. Has anyone had this issue in 5.3?

dal
New Member

Re: ACS 5.3

Hi.

I upgraded using the bundle.

But now the Process status info tells me this:

View-database:  Does not exist 

View-logprocessor: not monitored 

At the same time, I have this message in the Alarms Inbox:

The View 5.2database has been upgraded to 5.3 and is ready for activation.

So the question is: How do I activate it?

Edit:

After another reload of the server, the view-database has now status of running.

But the view-logprocessor is still not monitored.

What does not monitored mean?

And the Cisco ACS View Dashboard is empty, but I guess that's related?

What now?

Thanks

Cisco Employee

Re: ACS 5.3

Go to the following link:

Monitoring and Reports->Launch Monitoring & Report Viewer
then

Monitoring Configuration > System Operations > Data Upgrade Status

Should be an option there to see status of upgrade and activate the database

dal
New Member

Re: ACS 5.3

Hi, and thanks for answering.

I see the Data Upgrade Status, and it says Upgrade completed successfully.

But other than that, the page is completely empty. No buttons, no link, nothing except that short message.


Cisco Employee

Re: ACS 5.3

There should be an option to "Switch Database". I thought it was on this page.

dal
New Member

Re: ACS 5.3

Well, it's not.

Luckily, our ACS runs on VMWare, so it was easy to revert back to v5.2.

Crap. Cannot have a radius server without a working log service. So it stays v5.2 until maybe some of the ACS programmers can answer this?

Thanks.

Cisco Employee

ACS 5.3

Some updates.

First, my mistake: there is no longer a "Switch Database" option after the upgrade.

Second, there is a patch available for ACS 5.3 (patch 1 - 5-3-0-40-1) that includes a fix for the following issue, as taken from the release notes:

CSCtu15651    ACS view upgrade failure

  This issue occurred during application upgrade from 5.1 or 5.2 to 5.3. After upgrade view-logprocessor is not started. The customer is advised to install this patch if view data upgrade was failed. The upgrade procedure happens successfully when the service is restarted at time of patch installation.

dal
New Member

ACS 5.3

I got it up and running now.

I reverted back to v5.2. After I did that, I found out the clock wasn't set right.

After I synced it against our NTP server, I tried upgrading again, and this time I had no problems.

I still had to build the Dashboard manually, though.

Maybe this is the problem for some of you others here too?

New Member

Re: ACS 5.3

We are having this same issue after upgrading from 5.1 to 5.2 and I have not been able to get it resolved.  We are using the 1121 physical server appliance so no way to go back.  I just cannot figure out why that 'view log-processor' will not go to Monitored. Without it, we appear to have no visibility to the reports.  We are seeing the following in the contents of the associated log file if anyone can make sense of it.

Oct 18 2011 16:42:36 com.cisco.nm.acs.view.collector.Main.main(Main.java:117) INFO main Acs.MGMT.ACSVIEW Log processor initializing...

Oct 18 2011 16:42:36 com.cisco.nm.acs.view.collector.Main$ShutdownListener.run(Main.java:160) DEBUG ShutdownListener Acs.MGMT.ACSVIEW Listening for shutdown

New Member

ACS 5.3

Hi,

After an upgrade from version 5.2 to 5.3 using the Application Upgrade Bundle, we face the following problems:

#show application status acs

ACS role: PRIMARY

Process 'database' running

Process 'management'  running

Process 'runtime' running

Process 'adclient' running

Process  'view-database' running

Process 'view-jobmanager' running

Process  'view-alertmanager' running

Process 'view-collector' running

Process  'view-logprocessor' Restarting

After a while:

Process 'database' running

Process 'management' running

Process 'runtime'  running

Process 'adclient' running

Process 'view-database'  running

Process 'view-jobmanager' running

Process 'view-alertmanager'  running

Process 'view-collector' running

Process 'view-logprocessor' not  monitored

Any ideas what could be the reason for this behaviour and how to fix it?

After the upgrade we also get this error in the "Cisco Secure ACS View":

"Data Upgrade Failed. Click here to view details"

Internal Error. Please see  below: An unexpected error has occured. If this error continues, please contact  Cisco Technical Assistance Center Error Type ACS Server Exception Error  Summary

java.lang.NullPointerException

Error Cause

Possible  Workaround

An unexpected error has occured. If this error continues, please  contact Cisco Technical Assistance Center View Stack Trace Hide Stack Trace  Server Stack Trace  java.lang.NullPointerException

com.cisco.nm.acs.view.ui.actions.logrecovery.LogRecoveryAction.loadLogRecoveryConfig(LogRecoveryAction.java:66)

sun.reflect.NativeMethodAccessorImpl.invoke0(Native  Method) sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)  sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)  java.lang.reflect.Method.invoke(Unknown  Source)

org.apache.struts.actions.DispatchAction.dispatchMethod(DispatchAction.java:270)

org.apache.struts.actions.DispatchAction.execute(DispatchAction.java:187)

org.apache.struts.actions.MappingDispatchAction.execute(MappingDispatchAction.java:169)

org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431)

org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236)

org.apache.struts.action.ActionServlet.process(ActionServlet.java:1196)

org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:414)

javax.servlet.http.HttpServlet.service(HttpServlet.java:617)

javax.servlet.http.HttpServlet.service(HttpServlet.java:717)

org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)

org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)

com.cisco.nm.acs.view.ui.utils.HttpDataValidationFilter.doFilter(HttpDataValidationFilter.java:41)

org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)

org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)

org.ajaxanywhere.AAFilter.doFilter(AAFilter.java:46)

org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)

org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)

com.cisco.nm.acs.view.ui.utils.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:26)

org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)

org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)

org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)

org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)

org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:525)

org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)

org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)

org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:421)

org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)

org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)

org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:845)

org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)

org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)

java.lang.Thread.run(Unknown  Source)

It seems that the applet class is not found in the specified path to run. I remember that cumulative patches for version 5.1 fixed this problem. Are there any patches for version 5.3 available?

It would be great if you could provide me a solution / workaround.

Thanks
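A way to compare two `show application status acs` captures like the ones in the post above and flag any process that is not running, since a stopped view-logprocessor means no reports. This is an added example, not part of the original thread and not Cisco code; the function names are assumptions and the sample text is constructed from the output quoted above.

```python
import re

# Constructed sample: the first snapshot quoted in the post, with its
# irregular spacing kept on purpose.
BEFORE = """\
ACS role: PRIMARY
Process 'database' running
Process 'management'  running
Process 'runtime' running
Process 'adclient' running
Process  'view-database' running
Process 'view-jobmanager' running
Process  'view-alertmanager' running
Process 'view-collector' running
Process  'view-logprocessor' Restarting
"""
# The later snapshot differs only in the state of the last process.
AFTER = BEFORE.replace("Restarting", "not  monitored")

# Process '<name>' <state>, tolerating runs of spaces anywhere.
LINE = re.compile(r"^\s*Process\s+'([^']+)'\s+(.*\S)\s*$")

def parse_status(text):
    """Return {process name: state}, state lower-cased and space-normalised."""
    states = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            states[m.group(1)] = " ".join(m.group(2).lower().split())
    return states

def unhealthy(states):
    """Processes in any state other than 'running'."""
    return {name: s for name, s in states.items() if s != "running"}

def transitions(before, after):
    """(name, old state, new state) for every process whose state changed."""
    names = sorted(set(before) | set(after))
    return [(n, before.get(n, "absent"), after.get(n, "absent"))
            for n in names if before.get(n) != after.get(n)]

if __name__ == "__main__":
    old, new = parse_status(BEFORE), parse_status(AFTER)
    for name, was, now in transitions(old, new):
        print(f"{name}: {was} -> {now}")
    for name, state in unhealthy(new).items():
        print(f"ALERT {name} is '{state}'")
```
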

New Member

Re: ACS 5.3

Does a software reboot give you the same error as a cold reboot?

Sent from Cisco Technical Support iPhone App

New Member

Re: ACS 5.3

Hi ewood,

We tried both variants of rebooting (soft & cold) but still the same error.

New Member

ACS 5.3

After upgrading from 5.2 to 5.3 we got:

Process ‘view-database’ Restarting

After restarting the ACS appliance all processes have been running.

New Member

ACS 5.3

TAC have managed to replicate this from my ACS backups - and have raised bug CSCtw59271 for me for this issue:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtw59271

Random Network Device corruption after upgrade from ACS 5.2 to 5.3.
Symptom:
After application upgrade from ACS 5.2 to 5.3 some Network Devices experience corruption. (Not all NDs are corrupt, only a few).

* Symptom 1: Some Network Devices give the following error on clicking them: "This System Failure occurred: Has empty AVPAir. Your changes have not been saved. Click ok to return to the list page"
* Symptom 2: Some Network Devices which were working before the upgrade start failing authentication with reason "NDG is not known or has the wrong key". Once the TACACS key is modified/or just edited to be the same key, they start passing authentication.

Conditions:
Upgrade of ACS 5.2 to 5.3.

Workaround:
Modifies the TACACS+ shared secret of the Network Device, re-enter the same key and save the Network device


No fix - but the workaround is just what I was doing - for a device not authenticating, make any change to the TACACS key and then put it back - and auth works again. For a corrupt device - just delete and re-add. Annoying - but once you know, it's not a big issue.

Rob...

New Member

ACS 5.3

We upgraded a few weeks ago using the upgrade bundle from 5.2 to 5.3.

The upgrade itself went fairly smoothly - but I had to manually reboot each ACS (primary and secondary) during the upgrade - instead of them rebooting themselves automatically. Had to sit on my hands for an hour to stop me rebooting it in case it really was still doing something - but gave up and rebooted in the end and came back up fine.

Also had some very odd issues with network devices seemingly being 'corrupted' as well.

I did a fresh install at 5.2 - and used the bulk import to import all our ND's from the CSV file - and I've found (on 5.2 as well) that some of them look ok - but they don't authenticate (and no messages in the ACS View at all - not even saying eg. wrong tacacs key or IP etc) - until you make some sort of change to the tacacs key - eg. add a '1' onto the end of the string - and then remove it again (back to the same key) - and it suddenly starts working. TAC seem to think this may be 'non unicode characters' issue in the key - but lots of our keys are the same - and I created the CSV file with all devices (eg. copy & paste) - so don't see how some work and some don't - and I would have thought that the import tool should pick that up anyway?

Since the 5.3 upgrade - I then had some issues with some ND's showing a very odd error when you clicked on them in the network devices list - "This System Failure occurred: Has empty AVPair.. Your changes have not been saved. Click ok to return to the list page" - so you couldn't even view what was in the ND. Each ND needed to be manually deleted - and then re-added - and then worked fine - so I think this is an upgrade ND-corruption issue - but TAC can't replicate or see anything in any backups etc. Not a major issue as we just deleted ND's and re-created - but a bit of a pain.

Anyone else seen any similar issues?

Apart from that - all is good with 5.3. Quite a few little things seem to have been fixed along the way as well.
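The post above mentions TAC's suggestion that stray characters in the key could be involved. One way to screen a bulk-import CSV for such characters before importing, as an added example that is not part of the original thread; the column names `Name` and `SharedSecret` and the sample rows are constructed and are not the real headers of the ACS import template.

```python
import csv
import io
import unicodedata

# Constructed sample; column names are hypothetical placeholders.
SAMPLE = (
    "Name,SharedSecret\n"
    "sw-core-01,Tac4csKey!\n"
    "sw-core-02,Tac4csKey!\u00a0\n"   # trailing no-break space
    "sw-edge-07,Tac\u200b4csKey!\n"    # zero-width space from copy and paste
    "rtr-wan-03, Tac4csKey!\n"         # leading ASCII space
    "rtr-wan-04,Tac4csKey\u2019\n"     # typographic apostrophe
)

def key_issues(secret):
    """Describe characters that look identical on screen but change the key."""
    issues = []
    if secret != secret.strip():
        issues.append("leading/trailing whitespace")
    for pos, ch in enumerate(secret):
        if unicodedata.category(ch) in ("Cc", "Cf"):   # control / format chars
            issues.append(f"invisible char U+{ord(ch):04X} at {pos}")
        elif ord(ch) > 0x7E:
            issues.append(f"non-ASCII char U+{ord(ch):04X} at {pos}")
    return issues

def audit(csv_text, name_col="Name", key_col="SharedSecret"):
    """Return {device name: [issues]}; the secret itself is never reported."""
    findings = {}
    # Drop a UTF-8 byte order mark so the first header still matches.
    reader = csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff")))
    for row in reader:
        issues = key_issues(row[key_col])
        if issues:
            findings[row[name_col]] = issues
    return findings

if __name__ == "__main__":
    for device, issues in audit(SAMPLE).items():
        print(device, "->", "; ".join(issues))
```

A clean result does not rule out the import behaviour described in the thread; it only excludes hidden characters in the file as the cause.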

New Member

ACS 5.3

robdowson,

I had that same issue with importing from a CSV file. However, it was with 5.2. Very strange indeed.

On a side note, it seems I can no longer authenticate to my child domain. Everything looks fine, including the directory groups and the policies. Pretty annoying.

New Member

ACS 5.3

I had the same issue with the TACACS keys in 5.2.  Nothing shows up in the logs for some devices.  Copy and pasting the key or even resubmitting and it works.

New Member

ACS 5.3

Can anyone shed some light on whether I can restore the backup made on ACS5.1 to the freshly installed ACS5.3?

Secondly, can I have ACS administrators/users authenticate using an external Identity Store, i.e. Microsoft AD?

New Member

ACS 5.3

I've seen the TAC guys say they've restored a 5.2 backup onto a 5.3 - so I guess it must be possible - but haven't done it myself.

I believe ACS administrators have to be local ACS users - don't think they can be linked to AD. If it is possible - let me know!

There's also the ADE user (admin) - from the ADE CLI - it looks like you can define a TACACS server for that as well - but I wasn't sure about the sanity of having the login to the ADE relying on ACS - if you're trying to login to ADE to fix ACS - so I didn't try that myself!

Rob...

New Member

ACS 5.3

Ok, let's call them ACS users, not administrators. Our client has a strict requirement to have all user ID integrated with just one Identity source which is Microsoft AD. What's ADE user, Rob?

New Member

ACS 5.3


Hi All

Upgrading ACS from 5.1 to 5.3, do I need a base image for 5.3 or can I just upgrade from the Cisco download page: ACS_5.3.0.40.tar.gz?

Regards Craig

Cisco Employee

ACS 5.3

You can upgrade from ACS 5.1 directly to ACS 5.3. See

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/installation/guide/csacs_upg.html#wp1199421

Note there have been some issues with log collection starting after upgrade to ACS 5.3, as reported earlier in this thread

There is a patch scheduled to be released in about a week that will resolve one of these issues:

CSCtu15651 ACS view upgrade failure

and it may be worth waiting to upgrade until that patch becomes available

New Member

ACS 5.3

What would be the less painful and more preferred way to have ACS5.3 running with data and configuration from ACS5.1?

Would it be easier to restore the backup done on ACS5.1 to ACS5.3, or do I have to have ACS5.1 freshly installed, restore the backup and then upgrade to ACS5.3?

Cisco Employee

ACS 5.3

The next release of ACS, 5.4, will have an option for administrators to be retrieved from an external store such as Active Directory.

New Member

ACS 5.3

Another thing I ran into while researching on potential methods of upgrade to ACS5.3

But first of all I wanted to see how the restore on ACS5.3 works. To do it I first made a backup to the remote software repository via TFTP and then deleted all configuration for all devices, profiles, policies and users from the server. The next logical step is to try a restore. I followed the above mentioned Cisco's guide and was surprised that it didn't work.

Copying the output from ACS CLI:

acs53/admin# restore acs53-ACS53-111212-1630.tar.gpg repository Backup

Restore requires a reboot to successfully complete. Continue? (yes/no) [yes] ?

find: backup/cars: No such file or directory

% No operating system data found in this backup. Use the 'application option to restore an app-specific backup

Question 1: Why the heck does ACS expect to find any operating system data if it is just the backup of the configuration?

Question 2: What is the application option to restore app-specific backup?

These are all application CLI options available:

acs53/admin# application ?

install       Install An Application Bundle

remove        Uninstall An Application

reset-config  Reset application configuration to factory defaults

start         Start an Application

stop          Stop an Application

upgrade       Upgrade An Application Bundle

Question 3: What am I doing wrong?
