Here is a posting I put up yesterday, but when I thought the issue was resolved, I ran into another issue... replication would not succeed. At the end of yesterday's posting, you will see my newly added issues.
I have 2 ACS 1113 appliances running 4.1(1) Build 24. The first is the primary and replicates nightly to the secondary at our DR. Though at different locations, they are both within the same VLAN with no firewalls or access-lists in between them. All of my devices will authenticate with my primary ACS unless it is down, in which case they should authenticate against the secondary ACS. The issue is that I have no problems with authentication on my primary ACS, but I can't get anything to authenticate against my secondary (after taking the primary down for testing). When trying to authenticate against my secondary, I get no logs for passed or failed authentications after my attempts fail. In addition, when my attempts fail, I try to log into the devices locally and my authorization fails - again with no logs in the ACS. However, when I remove the device from the NDG in the secondary ACS, I am able to log in locally to the network device.
I have to believe that with the device in the NDG within ACS, there is some communication failing my attempts (though it does not log anything) since I can take the device out of that NDG and pass local authentication. I was running code 4.0 with this same issue and thought that the upgrade would fix the problem...but evidently I have something else going on here.
Any input or suggestions would be greatly appreciated.
ACS ---> Network Configuration ===> Proxy Distribution Table ---> click on Default ===> if you see delivenrance 1 under "AAA Servers" ---> move it to "Forward To" ---> and whatever is there under "Forward To" ---> move it to "AAA Servers" ---> Submit + Apply.
It should work now.
If you don't see the Proxy Distribution option, then go to ACS ---> Interface Configuration ---> Advanced Options ---> enable Distribution Table.
Now that I was able to get the devices to authenticate with the secondary ACS, replication stopped working. To make a long story short, I tried to get replication back up, and now replication does not work and the secondary does not authenticate again. OK, here is what I currently have in place... On the primary ACS, under Network Config > Proxy Dist Table > Default, I have the secondary listed under "AAA Servers" and the primary under "Forward To". (When I switched them, adding the secondary to "Forward To", I lost authentication on my primary as well.) On the secondary, under Network Config > Proxy Dist Table > Default, I have the primary listed under "AAA Servers" and the secondary under "Forward To". There has to be something simple somewhere that I am missing. Any suggestions are appreciated.
1) Make sure that you are not replicating over NAT. Replication over NAT does not work because the IP is used as part of the server authentication.
2) Next, check to make sure that you are not sending or receiving the distribution table. On the primary server, the distribution table should not be checked in the send list, and on the secondary, the distribution table should not be checked for receive.
3) Then I would like you to check in the secondary server's partner list, to make sure that the primary is not listed. You should not enter the primary server into the partner list on the secondary server. However, the primary server should have all secondary servers listed in its partner list.
4) Ensure that the secondary server has its replication scheduling set to "manual".
5) Please verify that your servers are all running exactly the same ACS version and build.
6) Check if we have any firewall in between the two ACS servers. In case you do, then please have your firewall checked and reconfigured to disable any inspection on port 2000.
We have configured the outside and inside interface with official IPv6 addresses, set a default route on the outside interface to our router, and we also have defined a rule, which also gets hits, to permit TCP from the inside interface to any6.
In Syslog I also se...