Cisco Support Community
ACS AD communication problem

Hi,

In our network, we have 3 ACS servers in a cluster. There is integration between ACS and AD; the devices are administered through AD accounts. If one of our ACS servers loses its connection with AD, the requests do not fail over to the secondary ACS: since the devices are still able to reach the ACS, the failover is not happening, and we are not able to manage devices in this situation. Please suggest a solution where, when the primary ACS-AD communication fails, all client requests go to the secondary ACS. Thank you.

ACS version: 5.4

Regards,

Madhan kumar G


Hi Madhan,

First of all, try the following basic steps:

1. In the AD section, do a test connection and let me know what it shows.

2. See the logs under the Reports and Monitoring section and see what error message you get when the user fails.

3. Check the status of the ACS services on the CLI by typing the following command:

    #sh app stat acs

Attach the output.

After this, please do the following, and attach the adagent logs for the RCA.

Troubleshooting Steps

Here are the steps in order to turn up the right debugs and to troubleshoot this issue a little further. In my example I will be using SecureCRT, ACS version 5.3 patch 4.

1. SSH into the ACS unit that is having the AD-related issue (remember each ACS instance is joined to the domain) and log in with your CLI credentials; these are different from the web credentials. These are the credentials that were set when the initial ACS installation script was executed. The default username is usually admin.

2. After logging into the ACS, enter the command "acs-config" and wait 45 seconds.

3. After you have authenticated you will be prompted to log in again; this time you will have to use your web (superadmin) credentials, usually the acsadmin account.

4. After you have authenticated you will then be able to enter the debug commands; for this example we will be using the following command: "debug-adclient enable". You can issue "show debug-adclient" to see if the debug is enabled.

5. After setting the debugs you can then reproduce the issue you are experiencing.

6. After reproducing the issue, download the debug logs from the GUI: Monitoring and Reports > Launch Monitoring and Report Viewer > ACS Support Bundle > select the node experiencing this issue. Here is a screenshot of my settings that make it easier to open the logs once they have been downloaded.

7. Once you have downloaded the support bundle you can extract it and find the ACSADAgent.log file (depending on the amount of traffic, the problem could be in the other log files, e.g. ACSADAgent.log.1). You can use WinRAR to extract the file. After extracting, you can find the file under support > logs > debug logs > ACSADAgent.log.

8. You can keep the debugging enabled and it will not affect the performance of the ACS; the logs are set to roll over once they hit a specific size limit. However, once you are finished troubleshooting, please issue "no debug-adclient" in ACS configuration mode.

9. Cross-reference the monitoring logs for the timestamp of when the failure occurred. You can open the log file using WordPad (Notepad++ works very well for large files and parses nicely too). Do a search for the timestamp found in the logs and that should point you in the right direction.

Thanks!

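The last troubleshooting step in the reply above, matching the failure timestamp from the monitoring report against ACSADAgent.log and its rolled copies, done as a script instead of a manual search in Notepad++. This is an added example, not code from the original reply or from Cisco ACS. It assumes the support bundle has already been extracted to a directory, that rolled files are named ACSADAgent.log.1, .2, ... with higher numbers being older, and that every log line starts with a timestamp matching a configurable regex; the default timestamp layout and all sample log lines below are constructed for illustration and are not real ACS output.

```python
"""Slice ACS AD-agent debug logs around a failure timestamp (added example).

Assumptions not stated on the page: bundle already extracted; rolled files are
ACSADAgent.log.N with higher N older; lines begin with a timestamp that the
regex below (an assumption, adjust for your logs) can extract.
"""
import os
import re
import tempfile
from datetime import datetime, timedelta
from typing import Iterator, List, Optional, Tuple

# Assumed timestamp layout at the start of each line; change to match your log.
DEFAULT_TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
DEFAULT_TS_FMT = "%Y-%m-%d %H:%M:%S"
# Substrings that usually mark the interesting lines (matched case-insensitively).
ERROR_MARKERS = ("error", "fail", "timeout", "not responding", "refused")

# Constructed sample log content, not real ACS output.
SAMPLE_LOGS = {
    "ACSADAgent.log.1": [
        "2014-03-10 09:58:01 INFO  adclient: heartbeat ok",
        "2014-03-10 09:59:30 INFO  adclient: lookup user madhan",
    ],
    "ACSADAgent.log": [
        "2014-03-10 10:00:05 WARN  adclient: dc01.example.local not responding",
        "2014-03-10 10:00:12 ERROR adclient: failed to contact any domain controller",
        "    retrying in 30s",
        "2014-03-10 10:01:00 INFO  adclient: reconnected to dc02.example.local",
        "2014-03-10 10:05:00 INFO  adclient: heartbeat ok",
    ],
}


def find_adagent_logs(bundle_dir: str, base_name: str = "ACSADAgent.log") -> List[str]:
    """Return the current log and its rolled copies, oldest file first."""
    found: List[Tuple[int, str]] = []
    for root, _dirs, files in os.walk(bundle_dir):
        for name in files:
            path = os.path.join(root, name)
            if name == base_name:
                found.append((-1, path))  # current file, newest
            elif name.startswith(base_name + "."):
                suffix = name[len(base_name) + 1:]
                if suffix.isdigit():
                    found.append((int(suffix), path))
    # Highest suffix is oldest: sort descending, so the current file (-1) lands last.
    found.sort(key=lambda entry: -entry[0])
    return [path for _n, path in found]


def parse_log(path: str, ts_re=DEFAULT_TS_RE, ts_fmt: str = DEFAULT_TS_FMT
              ) -> Iterator[Tuple[Optional[datetime], str]]:
    """Yield (timestamp, line); continuation lines inherit the previous timestamp."""
    last: Optional[datetime] = None
    with open(path, encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            line = raw.rstrip("\n")
            match = ts_re.match(line)
            if match:
                try:
                    last = datetime.strptime(match.group(1), ts_fmt)
                except ValueError:
                    pass  # unparsable stamp: keep the previous one
            yield last, line


def slice_around(bundle_dir: str, failure_ts: datetime,
                 before: timedelta = timedelta(seconds=30),
                 after: timedelta = timedelta(seconds=30)) -> List[str]:
    """Collect lines from all AD-agent logs stamped within [failure_ts - before, failure_ts + after]."""
    lo, hi = failure_ts - before, failure_ts + after
    window: List[str] = []
    for path in find_adagent_logs(bundle_dir):
        for ts, line in parse_log(path):
            if ts is not None and lo <= ts <= hi:
                window.append(line)
    return window


def flag_errors(lines: List[str]) -> List[str]:
    """Return only the lines that contain one of the error markers."""
    return [line for line in lines if any(m in line.lower() for m in ERROR_MARKERS)]


def write_sample_bundle(dest: str) -> str:
    """Lay the constructed sample logs out in the bundle's support/logs/debug logs tree."""
    logs_dir = os.path.join(dest, "support", "logs", "debug logs")
    os.makedirs(logs_dir, exist_ok=True)
    for name, lines in SAMPLE_LOGS.items():
        with open(os.path.join(logs_dir, name), "w", encoding="utf-8") as fh:
            fh.write("\n".join(lines) + "\n")
    return logs_dir


def demo(window_seconds: int = 30) -> Tuple[List[str], List[str]]:
    """Build the sample bundle in a temp dir and slice it around the sample failure time."""
    failure_ts = datetime(2014, 3, 10, 10, 0, 12)  # the stamp read from the monitoring report
    window = timedelta(seconds=window_seconds)
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_bundle(tmp)
        lines = slice_around(tmp, failure_ts, window, window)
    return lines, flag_errors(lines)


if __name__ == "__main__":
    context, suspects = demo()
    print("\n".join(context))
    print("-- flagged --")
    print("\n".join(suspects))
```

For a real bundle, point slice_around at the extracted directory with the timestamp you took from the monitoring report, and first adjust DEFAULT_TS_RE and DEFAULT_TS_FMT to the timestamp layout your ACSADAgent.log actually uses; the continuation-line handling keeps multi-line stack traces attached to the entry that produced them, and reading the rolled files oldest-first keeps the output in chronological order even when the failure straddles a rollover.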