Cisco Support Community

New Member

Issues with ACS replication

We have 2 ACS appliances that are separated by a WAN.

Both appliances are at the same software version and I have replication set up per Cisco's (as well as others') directions.

When I run replication, I get the error "Cannot replicate to 'ciscoacs2' - server not responding".

If I try replication in the other direction, I get the same error.

I can ping both appliances and access the web interface from both subnets.

There is a firewall between them, but I have port 2000 open and I do not see any other deny messages relating to the ACS replication in the firewall logging.

I ran a sniffer on the receiving appliance's port and got the following:

TCP evb-elm > cisco-sccp [SYN] Seq=0 Win=65535 Len=0 MSS=1380
TCP evb-elm > cisco-sccp [ACK] Seq=1 Ack=1 Win=65535 Len=0
TCP cisco-sccp > evb-elm [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
TCP evb-elm > cisco-sccp [RST] Seq=25 Win=0 Len=0
TCP [TCP Dup ACK 1515#1] cisco-sccp > evb-elm [ACK] Seq=1 Ack=1 Win=65535 Len=0

Logging on the devices themselves is terrible, so I really have no idea what would be causing replication to fail.
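The capture quoted in the post, run through a small triage script. This is an added example, not code from the original post or from Cisco ACS: it assumes the lines are Wireshark "Info" column summaries with relative sequence numbers (Seq=0 for the SYN), and it takes the service names evb-elm and cisco-sccp from the post (cisco-sccp is the IANA name for port 2000, the port the poster opened on the firewall). It does not rely on capture order, since the quoted lines show the client's ACK before the server's SYN-ACK.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Wireshark "Info" summaries copied from the capture quoted in the post above.
# evb-elm is the side that sent the SYN; cisco-sccp is the replication port (TCP/2000).
CAPTURE = """\
TCP evb-elm > cisco-sccp [SYN] Seq=0 Win=65535 Len=0 MSS=1380
TCP evb-elm > cisco-sccp [ACK] Seq=1 Ack=1 Win=65535 Len=0
TCP cisco-sccp > evb-elm [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
TCP evb-elm > cisco-sccp [RST] Seq=25 Win=0 Len=0
TCP [TCP Dup ACK 1515#1] cisco-sccp > evb-elm [ACK] Seq=1 Ack=1 Win=65535 Len=0
"""

# One Wireshark Info line: optional "[analysis note]", src > dst, [FLAGS], Seq, optional Ack, Win, Len, optional MSS.
SUMMARY_RE = re.compile(
    r"^TCP\s+(?:\[(?P<note>[^\]]*)\]\s+)?"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+)\s+"
    r"\[(?P<flags>[^\]]+)\]\s+Seq=(?P<seq>\d+)"
    r"(?:\s+Ack=(?P<ack>\d+))?\s+Win=(?P<win>\d+)\s+Len=(?P<len>\d+)"
    r"(?:\s+MSS=(?P<mss>\d+))?"
)


@dataclass
class Segment:
    src: str
    dst: str
    flags: frozenset
    seq: int          # relative sequence number as Wireshark prints it
    ack: Optional[int]
    win: int
    length: int
    mss: Optional[int]
    note: Optional[str]  # Wireshark analysis note, e.g. "TCP Dup ACK 1515#1"


def parse_summary(line: str) -> Segment:
    """Turn one Info-column line into a Segment; raises on unknown layouts."""
    m = SUMMARY_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised summary line: {line!r}")
    g = m.groupdict()
    return Segment(
        src=g["src"], dst=g["dst"],
        flags=frozenset(f.strip() for f in g["flags"].split(",")),
        seq=int(g["seq"]), ack=int(g["ack"]) if g["ack"] else None,
        win=int(g["win"]), length=int(g["len"]),
        mss=int(g["mss"]) if g["mss"] else None, note=g["note"],
    )


def analyze_flow(segments: List[Segment]) -> dict:
    """Summarise one TCP conversation: handshake state, who reset it, and what was sent."""
    syn = next((s for s in segments if s.flags == {"SYN"}), None)
    if syn is None:
        raise ValueError("no SYN in capture; cannot tell client from server")
    client, server = syn.src, syn.dst
    synack = next((s for s in segments if s.flags == {"SYN", "ACK"} and s.src == server), None)
    # Third step of the handshake: a bare ACK from the client acknowledging the server's ISN+1.
    client_ack = any(s.src == client and s.flags == {"ACK"} and s.ack == 1 for s in segments)
    rst = next((s for s in segments if "RST" in s.flags), None)
    return {
        "client": client,
        "server": server,
        "handshake_complete": synack is not None and client_ack,
        "rst_from": rst.src if rst else None,
        # After the handshake the client's relative Seq is 1, so Seq-1 is payload sent before the reset.
        "bytes_sent_before_rst": (rst.seq - 1) if rst and rst.src == client else None,
        "client_mss": syn.mss,
        "server_mss": synack.mss if synack else None,
        "server_data_seen": any(s.src == server and s.length > 0 for s in segments),
    }


def report(result: dict) -> List[str]:
    """Plain-language findings for a troubleshooting ticket."""
    lines = [f"{result['client']} opened the connection to {result['server']}"]
    lines.append("three-way handshake completed" if result["handshake_complete"]
                 else "three-way handshake did NOT complete")
    if result["rst_from"]:
        lines.append(f"connection was reset by {result['rst_from']}")
    if result["bytes_sent_before_rst"]:
        lines.append(f"{result['bytes_sent_before_rst']} bytes of client payload were sent before the RST "
                     "(not present in the quoted capture)")
    if not result["server_data_seen"]:
        lines.append("server never sent any payload")
    if result["client_mss"] and result["server_mss"] and result["client_mss"] != result["server_mss"]:
        lines.append(f"MSS differs: client {result['client_mss']}, server {result['server_mss']}")
    return lines


if __name__ == "__main__":
    segs = [parse_summary(l) for l in CAPTURE.splitlines()]
    for line in report(analyze_flow(segs)):
        print("-", line)
```

On the quoted capture the script reports that the handshake completed, that the initiating side (evb-elm) sent 24 bytes and then reset the connection with Win=0, and that the server never returned any payload. That narrows the problem from "server not responding" at the application layer to something happening after a successful TCP connect, which is the information worth taking to the firewall and ACS logs.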



New Member

Re: Issues with ACS replication

One update if it will help. I've been doing some research and I found that ACS replication doesn't like NAT and replication will fail if the IP address is changed through NAT.

While NAT is running on the firewall that our ACS appliance is behind, there is a static mapping to basically keep the NAT address the same. So NAT is being applied, but NAT is just giving it the same address.

I don't know if the NAT process is what's causing the problem. Based on the sniff I posted earlier, the source address of 101.5 is the IP of the ACS appliance.

Taking the device out from behind the firewall could be an option, but it would be a last resort because we would then need to reconfigure all of our equipment to point to the new address, and we have a lot of equipment.