In our network, we have 3 ACS in a cluster. There is integration between ACS and AD. The devices are administered through AD accounts. If one of our ACS servers loses connection with AD, the requests are not failing over to the secondary ACS. Since the devices are able to reach the ACS, the failover is not happening, and we are not able to manage devices in this situation. Please suggest a solution where, when primary ACS-AD communication fails, all client requests go to the secondary ACS. Thank you.
1. In the AD section, do a test connection and let me know what it shows.
2. See the logs under the Reports and Monitoring section and see what error message you see when the user fails.
3. Check the status of the ACS services on the CLI by typing the following command:
#sh app stat acs
Attach the output.
Please do the following and attach the adagent logs for the RCA!
Here are the steps to turn up the right debugs and to troubleshoot this issue a little further. In my example I will be using SecureCRT and ACS version 5.3 patch 4.
Please SSH into the ACS unit that is having the AD-related issue (remember each ACS instance is joined to the domain) and log in with your CLI credentials; these are different than the web credentials. These are the credentials that were set when the initial ACS installation script was executed. The default username is usually admin.
After logging into the ACS please enter the command "acs-config" and wait 45 seconds.
After you have authenticated you will be prompted to log in again, this time you will have to use your web (superadmin) credentials, usually this is the acsadmin account.
After you have authenticated you will then be able to enter the debug commands; for this example we will be using the command "debug-adclient enable". You can issue "show debug-adclient" to see if the debug is enabled.
After setting the debugs you can then reproduce the issue you are experiencing.
After reproducing the issue please download the debug logs from the GUI: Monitoring and Reports > Launch Monitoring and Report Viewer > ACS Support Bundle > Select the Node experiencing this issue. Here is a screenshot of my settings that make it easier to open the logs once they have been downloaded.
Once you have downloaded the support bundle you can extract it and find the ACSADAgent.log file (depending on the amount of traffic, the problem could be in the other log files, e.g. ACSADAgent.log.1). You can use WinRAR to extract the file. After extracting, you can find the file under support > logs > debug logs > ACSADAgent.log.
You can keep the debugging enabled and it will not affect the performance of the ACS; the logs are set to roll over once they hit a specific size limit. However, once you are finished troubleshooting, please issue "no debug-adclient" in ACS configuration mode.
Cross-reference the monitoring logs for the timestamp of when the failure occurred. You can open the log file using WordPad (Notepad++ works very well for large files and parses nicely too). Do a search for the timestamp found in the logs and that should point you in the right direction.
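The timestamp cross-reference step above, as an added example that is not from this thread or from Cisco: a small Python helper that pulls the ACSADAgent.log lines around the failure time recorded in Monitoring & Reports, so the AD agent's WARN/ERROR entries stand out instead of scrolling through the whole rolled-over file. The log line layout (date, time, severity, message) and the sample lines are assumptions constructed for the example; adjust `TS_RE` to your build's format.

```python
"""Pull ACSADAgent.log lines near a failure timestamp from Monitoring & Reports.

Assumption (not from the thread): agent log lines begin with
"YYYY-MM-DD HH:MM:SS,mmm LEVEL ...". Sample lines below are constructed.
"""
import re
from datetime import datetime, timedelta

# Constructed sample of ACSADAgent.log content (not real ACS output).
SAMPLE_LOG = """\
2013-05-14 10:31:58,004 INFO  adclient: heartbeat to dc01.example.local ok
2013-05-14 10:32:05,117 WARN  adclient: ldap bind to dc01.example.local timed out
2013-05-14 10:32:07,220 ERROR adclient: lost contact with domain controller
2013-05-14 10:32:09,331 INFO  adclient: entering disconnected mode
2013-05-14 10:40:00,000 INFO  adclient: reconnected to dc01.example.local
"""

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(?:,(\d{3}))?")


def parse_ts(line):
    """Return the datetime at the start of a log line, or None if absent."""
    m = TS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    if m.group(2):
        ts += timedelta(milliseconds=int(m.group(2)))
    return ts


def lines_near(log_text, failure_ts, window_s=30, levels=("WARN", "ERROR")):
    """Return lines within +/- window_s of failure_ts ("YYYY-MM-DD HH:MM:SS"),
    keeping only the given severities (levels=None keeps every line)."""
    center = datetime.strptime(failure_ts, "%Y-%m-%d %H:%M:%S")
    lo, hi = center - timedelta(seconds=window_s), center + timedelta(seconds=window_s)
    hits = []
    for line in log_text.splitlines():
        ts = parse_ts(line)
        if ts is None or not (lo <= ts <= hi):
            continue
        if levels and not any(f" {lvl} " in line for lvl in levels):
            continue
        hits.append(line)
    return hits


if __name__ == "__main__":
    # Timestamp copied from the failed-authentication entry in Monitoring & Reports.
    for hit in lines_near(SAMPLE_LOG, "2013-05-14 10:32:07"):
        print(hit)
```

Run it against the real file with `lines_near(open("ACSADAgent.log").read(), ts)`; widen `window_s` if the agent's disconnect happened well before the first failed login shows up in the monitoring report.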