I have configured a primary ACS in the DC data center and a secondary ACS in the DR data center. I have configured replication, and it is working well, but when we put down the primary ACS we are unable to log in to the switches and routers through the secondary ACS. I have a dedicated link between the core DC switch and the core DR switch through which all traffic is getting replicated. All user and mgmt VLANs are created in the FWSM firewall. Kindly help.
See if you can telnet into port 49 to the secondary acs. Please post the aaa and tacacs configuration of your device. What version of ACS are you on, and do you see anything relevant in the logs?
Yes, we are able to telnet to port 49 (TACACS) on the secondary ACS. Both ACS are running the same version, with the same patch.
CORE-DC-SW-1#sh run | in tacacs
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ none
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization configuration default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
tacacs-server host 184.108.40.206
tacacs-server host 220.127.116.11
tacacs-server key 7 00371665165A1F265E741F
This config is on all devices.
As per your diagram both are running the same version, so there may not be any replication issue.
Check the reachability between the TACACS clients and the secondary ACS server, and also check that all services on the secondary ACS are running.
I mean, check the secondary ACS config on the TACACS client.
Vishweswaran, both ACS are running the same version, and replication is happening properly. To check reachability between the TACACS clients and the secondary ACS, what would be the method for checking? What config should I check on the secondary ACS? Kindly guide me.
How about the ping response from the clients to the secondary ACS IP...?
When was the last replication happened...?
When the DC ACS is down, do you mean the application is down or the ACS server itself is down? Because if you make the application alone down, the failover will not happen until the server gets physically down, I guess, so the DC ACS will respond to your TACACS requests if it is reachable!!!
Please let me know how is your case!!!
DC ACS down means I am not shutting down the server itself. I am just stopping the services.
I have to try the option which you said.
I will let you know once I am done with the same.
Ping response is normal ... between 7ms - 9ms ...
Replication took place daily ... and that too successfully.
Please tell us what version of ACS you are running, and also whether the TACACS services are up on this distant node (if running version 4.2 on a Windows box you can go to the services and see if all the CS*-prefixed services are running). Also you can test authentications to this server by issuing the "test aaa" command; you should be able to tab your way through this.
i.e test aaa group tacacs username password new-code...(something of that sort),
*Please rate helpful posts*
I'm assuming you've configured your ACS correctly and the Cisco network devices correctly. Perhaps this could be a bug. The reason I say this is because last week I was implementing 2 units of Cisco ACS 1121 v5.3 (in HA mode) for a client, and I had similar issues myself. When I downed the primary ACS, I was unable to log in to my network devices, even though my secondary ACS was UP and PINGable from all network devices.
Hence, I downloaded and applied the latest cumulative patch from the CCO website, 5-3-0-40-4.tar.gpg (Release Date: 27/May/2012), and my problem was solved.
Perhaps your ACS version isn't 5.3, but the moral of the story here is, maybe patching is required in your case!!
Please do let me know the outcome. May the force be with you, bro!
I have tried the same. Initially I was using the Acs-18.104.22.168.4 version. Now I have updated it to Acs-22.214.171.124.9 with the latest patch released in June 2012.
Replication is working fine after doing this. But when I stop the services of the Primary ACS, my devices don't authenticate via the Secondary ACS.
Still required help ... !!! Not getting what to do.
I am able to ping both the ACS from my devices but the problem is still same...
If you were to unplug the UTP cable that's going to the Primary ACS server, does AAA authentication to your Secondary ACS work fine? If not, then this is what I need you to do for me:
a) Perform this command from a switch/router when you've unplugged the UTP cable that's going to the Primary ACS server: Router# test aaa group tacacs+ admin cisco123 legacy
b) Run "debug aaa authentication" and "debug aaa authorization" from a switch/router when the Primary ACS server is UP and also when you've unplugged the UTP cable.
c) Provide a show run of the latest equipment, i.e. switch/router.
I believe with these outputs we should be able to narrow down the root cause.
As I told earlier.
Please try by shutting down the entire primary ACS and try again; it should work. I know this is strange behaviour: even though your services are shut, if your ACS is still reachable on the network, then it won't work. This is a known problem with the Windows-based ACS server.
And also one more thing: have you configured the timeout for the TACACS requests?
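To illustrate the failure mode the last two posts describe, here is an added example (not code from anyone in this thread): a small TCP/49 probe that separates "host up, TACACS service stopped" (connection refused) from "host or path down" (timeout), plus a server-selection walk over a configured server list that models both a client that only fails over on timeout and one that also fails over on refusal. The server names and the fail-over behaviour are constructed assumptions for the demo, not a description of IOS internals.

```python
import socket
from typing import Callable, List, Optional, Tuple

TACACS_PORT = 49  # same port the thread tests with telnet

# Outcomes of a single TCP connect attempt to one TACACS+ server.
OK, REFUSED, TIMEOUT = "ok", "refused", "timeout"


def tcp_probe(host: str, port: int = TACACS_PORT, timeout: float = 5.0) -> str:
    """Classify a TCP connect to host:port.
    'refused': the host answered with RST (host up, service stopped).
    'timeout': no answer at all (host, path or firewall drops it)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return OK
    except ConnectionRefusedError:
        return REFUSED
    except OSError:  # includes socket.timeout / TimeoutError
        return TIMEOUT


def select_server(servers: List[str], probe: Callable[[str], str],
                  fail_over_on_refused: bool) -> Tuple[Optional[str], List[Tuple[str, str]]]:
    """Walk the server list in configured order (like the 'tacacs-server host'
    lines) and return the first usable server plus the probe trail.
    With fail_over_on_refused=False a refused connection is treated as a final
    answer from that server and no further server is tried; this is the
    assumed model of the 'services stopped but host reachable' case above."""
    trail: List[Tuple[str, str]] = []
    for host in servers:
        result = probe(host)
        trail.append((host, result))
        if result == OK:
            return host, trail
        if result == REFUSED and not fail_over_on_refused:
            return None, trail
    return None, trail


def demo_probe_local() -> Tuple[str, str]:
    """Constructed local demo: a listening loopback socket stands in for a
    running TACACS+ service, the same port after close for a stopped one."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    up = tcp_probe("127.0.0.1", port, 2.0)
    srv.close()
    down = tcp_probe("127.0.0.1", port, 2.0)
    return up, down
```

Run `select_server(["dc-acs", "dr-acs"], tcp_probe, True)` against real hosts to see the probe trail; a trail of `refused` on the primary followed by `ok` on the secondary is the signature of "services stopped, host still up".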
Thanks for all the help.
The problem has been solved.
I have re-integrated both (Primary and Secondary) ACS with AD (LDAP).
Once the integration was done again, I tried to log in via the Secondary ACS and it works.
Thanks all ...