Re: ACS Replication Issue

bretcollins · ‎01-11-2007

Yesterday we had two ACS 4.0 servers installed on Windows 2000 Domain Controllers that were working great. ACS1 was the primary server and replication was configured to send to ACS2. ACS2 replication was configured to receive from ACS1.

We lost ACS2 yesterday so I installed ACS 4 on a 2003 Domain Controller (ACS3). I installed ACS3, went into network configuration and added ACS1 as an AAA server.

I then logged onto ACS1 and added ACS3 as an AAA server and configured ACS3 as a replication partner.

It is not replicating - if I look at the log I get

ERROR, ACS 'ACS3' has denied replication request

I do not have the primary as a replication on the secondary.

I have some screen shots of the configuration from ACS2 and I've duplicated everything I've could (except for name and IP).

Any ideas on what I can try next?

Vivek Santuka · ‎01-11-2007

Did you configure ACS3 to receive replication ? And the same components as the ACS1 is set to send ?

bretcollins · ‎01-11-2007

I configured ACS3 to receive replication - everything that ACS1 is configured to send, ACS3 is configured to receive.

Vivek Santuka · ‎01-12-2007

On ACS3's replication page is ACS1 set on the box which says "Replication" under partners ? If it is then please remove it and try.

Also make sure that the ACS1's key in ACS3 is correctly set in Network Configuration.

bretcollins · ‎01-13-2007

ACS3 does not have any replication partners set.

The key for ACS1 matches the configuration on ACS3. Thanks.

Vivek Santuka · ‎01-15-2007

What do ACS3's replication logs say ?

bretcollins · ‎01-15-2007

The logs from acs3 report

Inbound database replication from ACS 'acs1' denied - shared secret mismatch

I reset the key on ACS and ACS3 and it still gave me the same error.

Vivek Santuka · ‎01-16-2007

The keys which matter are :-

1. The key on the self entry of ACS1

2. The key on the ACS1's entry on ACS3.

bretcollins · ‎01-16-2007

They are both the same very easy password.

Vivek Santuka · ‎01-16-2007

Thats wierd.

All alphabets no special characters ?

Vivek Santuka · ‎01-16-2007

You can try using no secret keys at all

nstrech · ‎03-06-2007

I had what seems to be the same issue.

In my case I have two ACS SE 1113 appliances, but the issue could still be the same with your Windows servers.

The appliance has two NIC's - I had both of the NIC's connected. Although the appliance only allows you to use the Primary NIC (the bottom one) ACS still detected the Secondary NIC and creates an additional "AAA Server" entry under the "Network Configuration" tab called "self". You should only have one "self" entry in your AAA Server list, not two.

Unfortunately I couldn't find a way to undo this. So I disconnected the Secondary NIC (the top one) and used the recovery CD to reload both of my ACS devices. Now everything works just fine.

- Nate

bretcollins · ‎03-07-2007

We ended up deleting all the access points from the 2nd server and then doing another replication. Afterwards everything started working. They believe the first replication was corrupted somewhow.