Document ID: 99449
Contents
Introduction
Prerequisites
Requirements
Components Used
Conventions
Problem: Resources needed by the CiscoSecure Install are locked
Solution
Problem: Cannot Delete AAA Server, AAA Server is a Synchronization Partner
Solution
Problem: 127.0.0.1 is a reserved address
Solution
Problem: ACS 1113 SE - Unable to Assign Static IP Address
Solution
Problem: Cannot Set New NIC Configuration
Solution
Problem: ACS Folder is Locked by Another Application
Solution 1
Solution 2
Problem: Event Error
Solution
Problem: Bad request from NAS
Solution
Problem: Unable to install ACS version 3.3.3 on ACS 1113
Solution
Problem: Reason: is currently being edited elsewhere
Solution
Problem: Remote agent service will not start
Solution
Problem: "Error: Auth type not supported by External DB" during user authentication
Solution
Problem: Unable to enable ping to ACS
Solution
Problem: "Appliance upgrade in progress" message is shown even after the ACS upgrade is complete.
Solution
Problem: Password Reset after Replication
Solution
Related Information
Introduction
This document describes how to troubleshoot ACS and resolve error messages.
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on the Cisco Secure Access Control Server (ACS) version 3.3 and later.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Conventions
Refer to Cisco Technical Tips Conventions for more information on document conventions.
Problem: Resources needed by the CiscoSecure Install are locked
You can experience this problem when you upgrade your ACS server.
Solution
1. If you have too many old log files, you need to clear the "Local Logging Configuration" logs. Modify the logging of ACS to keep the last three files: on the ACS GUI, choose System Configuration > Service Control, check the Manage Directory box, and select to keep only the last three files. Then restart ACS and test the upgrade.
2. If option #1 does not work, you can try to manually remove some log files. You must always copy the files to a dedicated folder before you delete them.
   a. On the local drive of the Windows server where ACS for Windows is installed, choose Program Files > Cisco Secure ACS folder.
   b. Delete all the logs under each of these folders:
      - CSAuth
      - CSLog
      - CSDbsync
      - CSAdmin
      - CSRadius
      - CSTacacs
      - CSMon
   c. Restart the PC and retest the upgrade.
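The manual cleanup can be scripted so that no log is deleted until its copy has been verified. This is an added example, not part of the original document or a Cisco tool. It assumes Python 3 is available on the server, that the service logs match `*.log` somewhere under each listed folder, and that the backup folder lies outside the ACS folder; the function names are hypothetical.

```python
import hashlib
import shutil
from pathlib import Path

# Service folders named in the procedure above.
SERVICE_DIRS = ["CSAuth", "CSLog", "CSDbsync", "CSAdmin",
                "CSRadius", "CSTacacs", "CSMon"]


def sha256(path: Path) -> str:
    """Hash a file in chunks so large logs need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def archive_then_delete(acs_root, backup_root, pattern="*.log"):
    """Copy each service log to backup_root, verify the copy, then delete it.

    Returns (removed, kept). Files in `kept` stay in place because the copy
    failed or did not verify, for example a log a running service holds open.
    """
    acs_root, backup_root = Path(acs_root).resolve(), Path(backup_root).resolve()
    if backup_root == acs_root or acs_root in backup_root.parents:
        raise ValueError("backup folder must be outside the ACS folder")
    removed, kept = [], []
    for service in SERVICE_DIRS:
        service_dir = acs_root / service
        if not service_dir.is_dir():
            continue
        for src in sorted(service_dir.rglob(pattern)):
            if not src.is_file():
                continue
            dst = backup_root / src.relative_to(acs_root)
            try:
                dst.parent.mkdir(parents=True, exist_ok=True)
                shutil.copy2(src, dst)  # copy2 keeps the file timestamps
                if sha256(src) != sha256(dst):
                    raise OSError("backup copy does not match original")
                src.unlink()
                removed.append(src)
            except OSError:
                kept.append(src)  # never delete without a verified copy
    return removed, kept
```

Stop the ACS services before you run it so that open log files do not end up in `kept`.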
Problem: Cannot Delete AAA Server, AAA Server is a Synchronization Partner
The "Cannot Delete AAA Server, AAA Server is a Synchronization Partner" error message can appear when you delete the entry under Network Configuration.
Solution
Complete these steps in order to resolve this issue:
1. Choose Interface Configuration, and check the RDBMS Synchronization check box.
2. Choose System Configuration > RDBMS Synchronization and remove the AAA server that cannot be deleted from the AAA group that is on the Synchronization Partner.
3. You can now delete the AAA server group.
Problem: 127.0.0.1 is a reserved address
You have two units of ACS SE 1113 and want to replicate the internal database from primary to secondary, but you notice this error message in the secondary unit:
Inbound database replication from ACS <secondary ACS unit name> denied - shared secret mismatch
When you try to modify the key of AAA Server Self under Network Configuration the error message is returned.
Solution
In order to resolve the 127.0.0.1 self problem, you can back up and restore the .DMP files on a fresh installation of ACS for Windows 4.2 and modify the 127.0.0.1 entry with the desired IP address.
Problem: ACS 1113 SE - Unable to Assign Static IP Address
This issue occurs when you are unable to configure the static IP address on ACS 1113 SE.
Solution
In order to resolve this issue, install the applACS-4.1-set-ip-CSCsm73656-Patch.zip patch, which is available from Cisco Downloads (registered customers only). The patch suits all ACS SE 4.1 versions.
Problem: Cannot Set New NIC Configuration
This issue occurs when you configure the static IP address on ACS 1113 SE.
Solution
In order to resolve this issue, try to reimage the software.
Problem: ACS Folder is Locked by Another Application
The "ACS Folder is Locked by Another Application" error message appears during an ACS software upgrade, such as the upgrade from version 3.3 to 4.0.
Use these solutions in order to solve the problem.
Solution 1
Complete these steps:
1. In the ACS window, choose System Configuration > Service Control and check the Manage Directory check box.
2. Enter a value, such as 3, in the Keep only the last __ files box.
3. Restart. The upgrade is likely to work.
Solution 2
If Solution 1 does not resolve the issue, complete these steps:
1. Back up the current ACS database. Refer to the Cisco Secure ACS Backup section of User Guide for Cisco Secure ACS for Windows Server for more information on how to perform the backup of the ACS database.
2. Run the clean.exe file in order to uninstall ACS 3.3 (or your existing version). This file is located on the CD under ACS Utlities/support/clean.
3. Reinstall ACS 3.3 from the CD.
4. Restore your database from the file that you saved in Step 1. Refer to the Cisco Secure ACS System Restore section of User Guide for Cisco Secure ACS for Windows Server for more information on how to restore the ACS database.
5. Upgrade the ACS to version 4.0. Refer to Installation Guide for Cisco Secure ACS for Windows Server Version 4.0 for more information on upgrade procedures.
Problem: Event Error
During startup, the ACS SE receives this error message: "At least one service or driver failed during startup. use event viewer to examine the event log for details"
Solution
This error on the ACS SE does not affect any of the ACS functionalities. It is a Microsoft Windows error. This error appears because the monitor, mouse and keyboard cannot be used on the appliance and are disabled by default.
The ACS appliance is a hardened, locked-down system that is designed with security in mind. The appliance uses a hardened Windows image in which all redundant services and connections are stopped. It is built to keep viruses, worms, and DDoS attackers out. Hence there is no VNC, DOS prompt, or any other way to reach the Windows configuration. Services such as the mouse, keyboard, and monitor are disabled.
On rare occasions, it indicates that something is corrupted on the appliance image. If you re-image the appliance, it fixes the issue in the majority of instances. You can try to re-image the ACS as well.
Problem: Bad request from NAS
This error message appears:
Bad request from NAS OR Authen-Failure-Code=Invalid message authenticator in EAP request
Solution
This error message usually appears because of a mismatch in the shared secret key or, as in this case, because a Network Device Group (NDG) is defined with a key that overrides the AAA client key.
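How a key mismatch produces this failure, as an added example that is not from the original document. It assumes the failure code refers to the RADIUS Message-Authenticator attribute (RFC 2869, RFC 3579), an HMAC-MD5 over the Access-Request keyed with the shared secret. The packet and both key values are constructed, and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80  # attribute type (RFC 2869, RFC 3579)


def find_message_authenticator(packet: bytes) -> int:
    """Return the offset of the 16-byte Message-Authenticator value, or -1."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20  # attributes start after the 20-byte header
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        if attr_type == MESSAGE_AUTHENTICATOR and attr_len == 18:
            return pos + 2
        pos += attr_len
    return -1


def message_authenticator_ok(packet: bytes, secret: bytes) -> bool:
    """Recompute HMAC-MD5 over the Access-Request with the value zeroed."""
    off = find_message_authenticator(packet)
    if off < 0:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    zeroed = packet[:off] + b"\x00" * 16 + packet[off + 16:length]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[off:off + 16])


def matching_keys(packet: bytes, candidates: dict) -> list:
    """Names of the configured keys under which the packet validates."""
    return [name for name, key in candidates.items()
            if message_authenticator_ok(packet, key)]


def build_access_request(secret: bytes) -> bytes:
    """Constructed sample Access-Request carrying an EAP identity response."""
    attrs = bytes([1, 7]) + b"alice"  # User-Name
    attrs += bytes([79, 12, 2, 0, 0, 10, 1]) + b"alice"  # EAP-Message
    attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    header = struct.pack("!BBH", 1, 1, 20 + len(attrs)) + bytes(range(16))
    packet = header + attrs
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()
```

A request built with the AAA client key validates only under that key, so a server that checks it with an overriding NDG key rejects it even though the AAA client entry looks correct.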
Problem: Unable to install ACS version 3.3.3 on ACS 1113
Unable to install images earlier than version 4.0 on ACS SE 1113.
Solution
Only ACS 4.0 and later can run on ACS SE 1113. Refer to Upgrading and Migrating to Cisco Secure ACS Solution Engine for more information on how to upgrade ACS SE.
Problem: Reason: is currently being edited elsewhere
When you open the ACS page, you can receive this error: "Reason: is currently being edited elsewhere."
Solution
Restart the ACS services in order to resolve this issue.
Problem: Remote agent service will not start
The user is not able to run the remote agent service.
Solution
The user must be a local admin user for the service to start.
Problem: "Error: Auth type not supported by External DB" during user authentication
The "Auth type not supported by External DB" error appears during user authentication.
Solution
This error appears because the CHAP Authentication protocol is not supported on the Microsoft Windows database Active Directory (AD) when you use ACS version 3.3. In order to resolve this issue, use PAP instead of CHAP. Refer to Authentication Protocol-Database Compatibility for more information on Protocol-Database Compatibility for ACS version 3.3.
Problem: Unable to enable ping to ACS
Unable to ping ACS SE.
Solution
Turn off the CSA Agent in System Configuration > Appliance Configuration in order to enable ping response on ACS SE versions earlier than 4.2. For ACS versions 4.2 and later, download and install the patch available from cisco.com. Refer to Turning Ping On and Off for more information.
Problem: "Appliance upgrade in progress" message is shown even after the ACS upgrade is complete.
Solution
ACS is stuck after the upgrade and cannot start or stop any services.
In order to resolve this issue, complete these steps:
1. Log into the ACS Appliance with a different Admin account.
2. On the Appliance Upgrade page under the System Configuration tab, press the Refresh or the Download button.
Refer to Cisco bug ID CSCsg89042 (registered customers only) for more information.
If you are unable to use the GUI, try to reboot the ACS appliance in order to resolve the issue.
Problem: Password Reset after Replication
After the replication, the new password gets reset to the old password.
Solution
This issue occurs because users do not authenticate to the primary ACS. Once the replication occurs, the primary pushes its policies to the secondary ACS because the replication is not bidirectional. This causes the password to be reset to the old password.
In order to resolve this issue, authenticate the user to the primary ACS, if possible.
Related Information
- Cisco Secure Access Control Server for Windows Support Page
- Configuration Guide for Cisco Secure ACS 4.1
- Cisco Secure ACS Online Troubleshooting Guide, 4.1
- Technical Support & Documentation - Cisco Systems
| Updated: Oct 03, 2008 | Document ID: 99449 |
