cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
552
Views
9
Helpful
6
Replies

ACS: verification of replication topology

Roble Mumin
Level 3
Level 3

I currently have two productive ACS appliances up and running with everything i need. I have to enable several devices in a partner network to use all the AAA features already configured with the devices in my "local" network.

The problem, a direct connection between both ACS domains or any other direct flow between both networks is prohibited. The solution as an intermediate network which can host shared resources and is accessible from both sides.

So if i am not wrong i should be able to replicate from my local network ACS to an intermediate ACS and from there to my ACS in the partner network. So before i put another ACS appliance into the intermediate network i would like to have a second opinion on my planned replication topology.

I added a simple drawing of the planned replication topology.

Any advice is welcome, thanks for reading.

Roble

1 Accepted Solution

Accepted Solutions

Hi Roble,

Sorry for the delay.

3) Correction

ACS A----> Partner B (Scheduled)

ACS B----> Partner C (Automatically triggered cascade)AAA-server A

ACS C----> AAA-server B Partner None (Manual)

AAA Server : It is the name of the ACS in the AAA Servers column under partners.

Regards,

~JG

View solution in original post

6 Replies 6

Jagdeep Gambhir
Level 10
Level 10

Hi,

I guess that is a good thought since we cannot directly reach the remote site.

The plan you have should work fine , just ensure port 2000 is allowed from firewall.

Here is the replication check list,

1) Make sure that you are not replicating over NAT. Replication over NAT does not work because the IP is used as part of the server authentication

2) Next, check to make sure that you are not sending or receiving the distribution table. On the primary server, the distribution table should not be checked in the send list, and on the secondary, the distribution table should not be checked for receive.

3) Then I would like you to check in the secondary server's partner list, to make sure that the primary is not listed. You should not enter the primary server into the partner list on the secondary server. However, the primary server should have all secondary servers listed in its partner list.

4) Ensure that the secondary server has its replication scheduling set to "manual".

5) Please verify that your servers are all running exactly the same ACS version and build.

6) Also let me know if we have any firewall in between two ACS servers.

Regards,

~JG

Do rate helpful posts

Hi Jagdeep,

1) No NAT involved.

2) In my current setup i am sending the distribution table to the secondary server and so far i have not seen any issues. Could you explain the reason why this is necessary. A link explaining this would also help.

3) My current setup:

ACS #1 NW A, Partner -> ACS #2 NW A

ACS #2 NW A, no Partner, accept any

Planned:

ACS #1 NW A; Partner -> ACS #2 NW A, ACS #1 NW B, accept any

ACS #1 NW B; Partner -> ACS #1 NW C, accept any

ACS #2 NW B; no Partner, accept any

If you list all receiving ACS appliances in network B and C as partners, wouldn't the primary ACS try to directly contact the ACS'es in NW B and C? This is not possible due to the firewall restrictions.

4) Checked für ACS #2 NW A.

For the other ACS #1 in network B and C i planned -> Automatically triggered cascade

The ACS #2 in network C would then be set to manual as well.

5) verified

6) Yes loads of FW's between those appliances. But from previous experience we will make sure that the skinny inspection is disabled. "no inspect sccp" in the default policy.

Thanks for the fast answer!

Roble

Hi Roble,

2) Sending distribution server can change the setting on the secondary server, causing it to not able to authentication.

3) Lets say you have three ACS A B C

a) On ACS A---> Partner B and C

b) On ACS B ---> Partner C and AAA server A

c) On ACS C ---> Partner None and AAA server B A

4) On ACS B , you need to set up Automatically triggered cascade . C should be set to manual. ACS A should be set to scheduled or manual.

Regards,

~JG

Do rate helpful posts

Hi Jagdeep,

2) I will have to read about this in detail in the replication part of the manual. I have to admit that i don't understand it completely. So i will cue this part until i can ask more precisely.

3)

ACS A ---> Partner B and C

Will this result in a direct TCP connection to ACS C? Or is this necessary to make ACS C eligible to receive updates originating from ACS A?

What do you mean with AAA Server? Are you talking about the forwarding of Events to the upstream ACS?

4) This is what i had in mind.

Thanks again

Roble

Hi Roble,

Sorry for the delay.

3) Correction

ACS A----> Partner B (Scheduled)

ACS B----> Partner C (Automatically triggered cascade)AAA-server A

ACS C----> AAA-server B Partner None (Manual)

AAA Server : It is the name of the ACS in the AAA Servers column under partners.

Regards,

~JG

Thanks for the reply Jagdeep that verifies my approach.

Roble

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: