Cisco Support Community

New Member

ACS Replications ports

Hello all, I have two ACS 3.3, and I am trying to replicate them but it is not working. The topology is something like this:

ACS1<->PIX525<->RouterTelmex-----Internet-----RouterTelmex<->ASA5540<->ACS2

I test a lot of things, and I suppose that the problem is in ASA5540. So the question is: does anyone know which ports should be opened in ASA5540 to allow the replication ? I know that there must be opened port 2000, but I think that there must be some ports more.

Thanks a lot.

Gabriel

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: ACS Replications ports

Hello Gabriel,

My understanding is, you need only port 2000 to be opened for ACS Replication.

BTW, do you have Skinny inspection enabled on the ASA? ACS replication runs over port 2000, which also happens to be the same port as the Skinny protocol. Make sure that the Skinny inspection on both firewalls is turned off and see if you can get replication.

no fixup protocol skinny 2000

I hope it helps.

Regards,

Arul

** Please rate all helpful posts **

4 REPLIES
New Member

Re: ACS Replications ports

Do not NAT the servers!!! The reason is if you NAT a server private>public---public>private, it will fail replication. The shared secret is encrypted using the IP of the server, the receiving server decrypts it using the IP of the received packet, hence shared secret mismatch. If you can set up an IPSEC tunnel between sites so the servers communicate using their IP address, not a NATted address, then you should be able to replicate OK. Been there, done that, broke them both in the process! :)

New Member

Re: ACS Replications ports

Hello, Tahequivoice!

I have to apologize, because now I realize that I described the topology badly.

The topology is not using the Internet; instead we are using an MPLS link via Telmex.

ACS1<->PIX525<->RouterTelmex-----MPLS Backbone-----RouterTelmex<->ASA5540<->ACS2

I realized it when you told me not to NAT the addresses!!! I'm sorry. By the way, do I have to check what you mentioned anyway?

New Member

Re: ACS Replications ports

First, have you verified connectivity? There is a patch out that allows PING depending on the version (if an appliance). Since you are going through firewalls, open up the IP at both ends so ACS A IP to ACS B IP and vice versa. If you can ping both ways, make sure you set up replication correctly, the master to send only, the slave to receive ONLY, and that they are sending and receiving the same items. Also do not replicate the distribution table, trust me on this, if you are not proxying, do not send that table to the slave, 3 weeks working with Cisco to fix the servers after replicating that one table was a bad thing.

If the above is correct, check the logs at both ends.
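As an added example that is not part of any post in this thread, here is one way to put the three points above (Arul's port-2000 rule, Tahequivoice's "do not NAT the servers" advice, and the "open the ACS IPs at both ends" connectivity check) into configuration for the ASA5540 side. It uses ASA 7.x / 8.0-8.2 syntax; the addresses (ACS1 = 10.1.1.10 behind the PIX, ACS2 = 10.2.2.10 behind the ASA), the interface names `inside`/`outside`, and the ACL names are all assumed for illustration.

```cisco
! Added example, not from this thread. Assumed addresses:
!   ACS1 = 10.1.1.10 (reached through the "outside" interface)
!   ACS2 = 10.2.2.10 (on the "inside" interface)
!
! 1. Permit the replication flow (TCP 2000) and ping between the two ACS
!    hosts only, in both directions, so the connectivity test in the
!    thread can be run before replication is configured.
access-list OUTSIDE_IN extended permit tcp host 10.1.1.10 host 10.2.2.10 eq 2000
access-list OUTSIDE_IN extended permit icmp host 10.1.1.10 host 10.2.2.10 echo
access-list OUTSIDE_IN extended permit icmp host 10.1.1.10 host 10.2.2.10 echo-reply
access-group OUTSIDE_IN in interface outside
!
access-list INSIDE_OUT extended permit tcp host 10.2.2.10 host 10.1.1.10 eq 2000
access-list INSIDE_OUT extended permit icmp host 10.2.2.10 host 10.1.1.10 echo
access-list INSIDE_OUT extended permit icmp host 10.2.2.10 host 10.1.1.10 echo-reply
access-group INSIDE_OUT in interface inside
!
! 2. Identity NAT for ACS2: the address leaves the ASA untranslated, so the
!    peer sees the real server IP and the shared-secret check described in
!    the thread does not fail on an address mismatch.
static (inside,outside) 10.2.2.10 10.2.2.10 netmask 255.255.255.255
!
! 3. Keep the Skinny (SCCP) inspection engine off TCP/2000, which is the
!    port ACS replication also uses.
policy-map global_policy
 class inspection_default
  no inspect skinny
!
! Verification after applying:
!   show service-policy inspect skinny    (should show no skinny inspection)
!   show conn address 10.1.1.10 port 2000 (replication connection appears
!                                          once the master sends)
```

Two caveats: applying `INSIDE_OUT` to the inside interface replaces the default "higher to lower security level" permit, so in a real deployment the site's other inside rules must be added to that list (or the list dropped and the default relied on); and on ASA 8.3 and later the `static` identity NAT line is written with the object-based `nat` syntax instead. The PIX525 side needs the matching rules and the `no fixup protocol skinny 2000` already given in the accepted answer.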
