External Database error when validating local database users
We have been having an issue since we configured external database validation (Windows type)in our ACS 1111 appliances (2). As a summary, let me tell that we have basicly 2 kinds of users: local cisco database (mac addresses for wireless authentication) and external users (windows users) for vpn and administration purposes). We have not been able yet to find the exact cause of this misbehavior, but sometimes there comes a moment that both of our appliances start to log every local authentication against the external windows database (the entry in the failed attempts log says "EXTERNAL DATABASE RESTRICTION). In our platform, we have 2 appliances configured to use 2 external agent servers (for high availability) configured as indicated in the RA installatrion notes. As I said before, this situation happens suddenly and after several times, we have not been able to find a posible path or scheme to delimitate the situation. The only wok arround we have found is to disable external database use (in fact we have to delete the external database configuration) ans many time we need to re-define the remote agents within ACS. After this (I mean we enforce authentication to the local Cisco secure database), as soon as local authentication works again, we redefine the external databse access and it starts working as required until the next misbehavior (it could be days, weeks or months). We've had ACS versions 3.2.2, 3.2.3 and finally we are at 3.3.3. Any idea of what could be happening, and more importan, how do we solve it completely? Thanx in advance.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :