Cisco Support Community

ACS replication through FWSM

I have a problem replicating ACS database through an FWSM blade. The primary ACS is under a Mgmt zone in the FWSM. A secondary one, located in the same zone receives replication with no problems. All others that sit outside the Mgmt zone do not receive replication. TCP 2000 required for replication is open along the path. I can see the sessions initiated on the FWSM through CSM, but these sessions expire after the replication timeout and are closed by the FWSM. No trace of connections reaching the secondary ACSes appears in the Database replication log of the receiving ACSes. Any caveats on this issue? NAT shouldn't be an issue here since no NAT is performed along the path. Any ideas?

Thanks

Panos

Accepted Solution

Re: ACS replication through FWSM

ASA/FWSM uses TCP port 2000 to inspect the skinny protocol. This can result in failed replication.

Try

no fixup protocol skinny 2000

If it's not possible for your environment, then

1. create an ACL for traffic you want to enable skinny inspection

2. create class-map to match this traffic

3. In global policy, take the skinny inspection out of the class inspection_default, and add it to the class we created in step 2.

Thanks

Syed
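The scoped variant of the accepted solution, written out as an added example (it is not from the original post). It uses the Modular Policy Framework syntax (class-map / policy-map / service-policy) that the answer refers to; the phone subnet 10.20.0.0/24 and the ACL and class-map names are assumptions. The security-relevant point is that the default inspection class classifies every TCP/2000 flow as SCCP, so the firewall parses ACS replication as a voice signalling stream and drops the session when it does not look like one; turning inspection off globally fixes replication but also removes SCCP validation and dynamic RTP pinholes for any real phones behind the module, which is why keeping it on a narrow class is preferable.

```cisco
! Added example, not from the original thread. Scope skinny (SCCP) inspection to
! the hosts that actually speak it, so TCP/2000 between ACS servers is passed as
! plain TCP. 10.20.0.0/24 and the names SKINNY_HOSTS / SKINNY_ONLY are assumptions.
!
! 1. ACL for the traffic that should still get skinny inspection
!    (IP phones -> CallManager on TCP 2000).
access-list SKINNY_HOSTS extended permit tcp 10.20.0.0 255.255.255.0 any eq 2000
!
! 2. Class-map that matches only that traffic.
class-map SKINNY_ONLY
 match access-list SKINNY_HOSTS
!
! 3. Take skinny out of inspection_default (which matches TCP 2000 from any
!    source) and attach it to the scoped class instead.
policy-map global_policy
 class inspection_default
  no inspect skinny
 class SKINNY_ONLY
  inspect skinny
!
! The global policy is normally already bound; shown here for completeness.
service-policy global_policy global
!
! Checks: skinny should now appear only under class SKINNY_ONLY, and the ACS
! replication sessions should persist as ordinary TCP connections instead of
! timing out.
show service-policy
show conn port 2000
```

If no IP phones sit behind the FWSM at all, the simpler `no inspect skinny` under `inspection_default` (the MPF equivalent of `no fixup protocol skinny 2000`) is sufficient; the scoped class only matters when SCCP inspection is still needed for a voice segment on the same module.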


Re: ACS replication through FWSM

Cisco Secure Access Control Server (ACS) is a powerful tool that allows network administrators to centrally manage AAA (authentication, authorization, and accounting) on a wide range of Cisco devices. You can deploy an ACS server in a standalone configuration or in a redundant topology. In order to provide failover capability, two or more ACS machines share database components at preconfigured times.

Refer to the following URL for more information on "Secure ACS Database Replication Configuration":

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080742f60.shtml


Re: ACS replication through FWSM

Syed,

Removed the skinny protocol from the inspection list and it worked like a dream! Thanks for the advice.

Panos


Re: ACS replication through FWSM

Are you able to PING from one ACS to another ACS server?

Are you doing replication by server name or IP address?

If server name: check your WINS IP addresses.

Which server are you using, e.g. Windows 2003 or 2008?

Check the server's internal firewall.

The port that is required is 2002, as far as I know.

If you are able to open both servers from each other by browser, you should be able to do replication.

Did you check whether replication is automatic or scheduled?

I think these are all that is needed for replication.

Check the switch's access-list.

Thanks,

Dharmesh Purohit
