Cisco AAA/Identity/Nac :: ACS 5.2 Fails To Send Files To Sftp Server After Installing Patch 5
Jul 21, 2011
After we have installed patch 5 on several ACS 5.2 server they aren't able anymore to write their backups to the sftp servers. I tried to search on the bug tool kit, but it seems to be broken when searching for the keyword "sftp". It's the same when I try to do a "copy logs" with sftp as destination.running a debug I can see,
acs/admin# copy logs sftp://10.1.115.11/,Collecting logs...,Username: backupuser,Password: ,6 [16376]: transfer: cars_xfer.c[301] [admin]: sftp copy out of /var/tmp/ADElogs.tar.gz requested,6 [16376]: transfer: cars_xfer_util.c[412] [admin]: resolved server to 10.1.115.11,7 [16383]: transfer: sftp_copy.c[75] [daemon]: Executing SFTP command: /usr/bin/scp -o StrictHostKeyChecking=no /var/tmp/ADElogs.tabackupuser@10.1.115.11://ADElogs.tar.gz,% Error: Transfer failed3 [16376]: transfer: sftp_copy.c[230] [admin]: sftp_copy ERROR: command execution failed,3 [16376]: copy: cm_copy.c[1226] [admin]: Logs archive transfer to url sftp://10.1.115.11/ failed retcode=-306,acs/admin#
I've got 2 freshly installed ACS 4.2 for Windows servers and I need to apply the latest patch rollup before I build the configurations. I stopped the ACS services and ran Acs-4.2.0.124.15-SW.exe to install the patches. The application begins running fine but fails on upgrading the database and then none of the ACS services would start. I was able to restore the files from the backup that runs with the patch utility and get ACS functioning again. What am I missing - does the patch rollup require any specific Microsoft Patches to be installed or something like that?
I installed ise-1.1.1.268.i386.iso on a scratch to the new NAC 3315. As i check cisco download mentioned it need to patch following files :ise-patchbundle-1.1.1.268-1-60802.i386.tar.gz,But once try to patch it show like attachment message, is it mean that i no need to do the patching?Or is there any instruction need to remove and reinstall for this files.
I have a server with two adapters: 192.168.1.200 and 10.99.1.200, 10.99.1.200 connects to a cisco router 10.99.1.254 (which I have no access to). This connects via WAN to another network to transfer files to another company. 192.168.1.200 is connected to our local LAN. I have a service that uses FTP to get and send files to a server through 10.99.1.200. I recently had to switch our IP scheme from 10.99 to 192.168 and since then haven't been able to send files to the ftp server. My question is, would a router solve my problem? If so, would I; remove the 10.99 adapter, connect 192.168 to the router, connect the router to the switch, connect the 10.99 gateway to the new router (and update any appropriate routing tables on the server)? The service appears to have issues with using a dual homed server and updating it isn't going to happen anytime soon.
I need to patch our ACS server to 4.2.0.124.17 from 4.2.0.124.6. My question is, do I need to apply the same patch to our remote agents? Cisco's documentation only states that both the ACS and the Remote Agents need to be 4.2.0.
Wondering if it's possible to send a VSA from my radius server to my ASA-5505 that will instruct the ASA to use one of several split tunnel lists I have created, based on the user name supplied in the Radius request.For example, I can send a VSA of "ip:inacl#1=permit ..." and the ASA will dynamically create an access-list for that user.Is there a similar VSA for split tunnel?
I am working through the migration from ACS 4.1.4 on Windows Server 2003 to ACS 5.2 on the appliance. I have created the 4.1.4 migration server, installed the software and imported the data from our production ACS 4.1.4 box. I downloaded the migration utility from the 5.2 ACS server and am attempting to run on the 4.1.4 migration server. The question that fails is:
Enter ACS 4.x Server ID:
I do not know what this means and do not see anything on the 4.1.4 server that identifies the Server ID. I try localhost and it does not work and the 4.1.4 server is not registered in DNS or I would try that (and . are not valid characters in the ID so the IP does not work).
How have other people handled this question? Is there something that can identify the local server ID?
Any problem while using SFTP option in ACS5.3.I am trying ot use host-key sync command but giving below error.
ACS/admin(config-Repository)# host-key sync % Error: First character must be a letter % Error: Invalid ip address or hostnameSOK-S12-ACS-1/admin(config-Repository)# host-key sync% Error: First character must be a letter% Error: Invalid ip address or hostname
As per documentation this command needs to be added directly.
We have ACS 5.3, and trying to set up sftp backup on freesshd server. SSH connection works, but ACS cannot copy backup file to sftp server, we get following errors:
I am not able to backup ACS 5.x server by means of SFTP protocol. We use ACS 5-2-0-26-2. My configuration of repository is:
repository SFTP url sftp://x.x.x.x/home/user user user password hash 455ad
command 'backup acs01 repository SFTP' does not work and I receive the following error message on ACS server:
%SSH connect error
On my sftp server I can find the following error messages:
Apr 6 06:57:46 CR01 sshd[8561]: Accepted password for user from 10.20.86.72 port 47924 ssh2Apr 6 06:57:46 CR01 sshd[8563]: Received disconnect from 10.20.86.72: 11: disconnected by user
How to successfully performed backup by means of SFTP protocol? Do I need any other configuration settings except repository? Do I need to store my SSHD RSA key to ACS? I am able to copy files using SFTP from other computers, so it seems that SFTP server is set correctly.
Yesterday, I installed the N450 DB and it was probably the easiest install I've ever had to do. One problem though, I can now no longer send or receive email thru Outlook Express 6. Keep getting this message 'The host 'mail' could not be found. Please verify that you have entered the server name correctly. Account: 'mail', Server: 'mail', Protocol: POP3, Port: 110, Secure(SSL): No, Socket Error: 11001, Error Number: 0x800CCC0D'.
I have problem with Bluetooth on my Inspiron 7520. I can connect my mobile phone and my laptop together with Bluetooth, but when I try to send a file from laptop to mobile phone, I get error that sending is not possible.
I see in my Device Manager this: Generic Bluetooth Adapter, Microsoft Bluetooth Enumerator and then 2 unknown Bluetooth devices. I guess I have wrong drivers, but there are so many drivers in download section for Inspiron 7520, that I don§t know which one to use. My OS is W7.
procedure to apply the 5-2-0-26-4.tar.gpg patch. I don't know how to get the patch file into the ACS server.The procedure in the "Read me" for the patch does not indicate anything about how to this:
1. open CLI console2. define new repository in which the 5-2-0-26-4.tar.gpg resides3. issue: 'acs patch install 5-2-0-26-4.tar.gpg repository YOUR_REPOSITORY'4. verify installation by getting the following version information via CLI by issuing:#show application version acs I don't know how to put the patch file from my local machine to the repository created in the GUI (if there is where the actual place to creat the repository).
I am trying to apply pach 5 to my ACS version 5.3 using FTP but i receive the following errors after issuing the show backup history command. When i use TFTP, i get a message saying that the file is too big, which i understand 164 MB.
after issuing the show repository "repository name", i get the following error.% Error reading directory on remote server.the patch is on one of my hard drives D, how do i specify on the ACS file path which drive to use?I can only place a url but without specifying which drive.
i'm using ACS 5.3.0.40.2 and its setup with an AD External Identity store for wireless PEAP MSCHAPv2. AD is configured with Alternate UPN suffixes so that for example: 22056 Subject not found in the applicable identity store(s). ##
I've checked the release notes for 5.3.0.40.5 and there are some changes/fixes for AD but nothing I can see to explain the behaviour above. I'm looking to upgrade to 5.3.0.40.5 soon but I really need the Alternate UPN suffixes to work.mydomain.com is the AD domain namean Alternate UPN suffix of another.com has been added to AD
A valid AD user can add either the @mydomain.com or the @another.com suffixes to their username and login successfully. This works fine with 5.3.0.40.2 but changes when I upgrade to 5.3.0.40.5 - users who use the @mydomain.com login ok but users using the Alternate UPN @another.com fail with the error: [code]
I have an issue with applying a patch to an ACS 1121 appliance running version 5.2.0.26. I have 5 units that needed updating and the first one is the unit with the problem. The subsequent ones updated with no issues.
When I do a show version the 5.2.0.26.10 does not show. When I try to do a reinstall I get back patch all ready exists. When I try to do an uninstall I get back patch does not exist.
Is there a command can wipe out patch 10, so I can start over? The CLI factory-reset only wipes the web configuration not the running-config or IOS.
This is troubling and I don't know why it is happening. For some odd reason files seemingly related to my DIR-655 are being put in the root directory of my hard drive on my Power Mac G5 running Leopard 10.5.8. Two preference files and a folder named ''D-Link'' and another folder named ''Shareport.''Why is this happening? I have given D-Link/DIR-655 no access to my hard drive.Furthermore, why this is only happening on that machine while my MacBook Pro running Snow Leopard 10.6.7 is not being ''invaded.''
I'm trying to upload the 5-2-0-26-4.tar.gpg patch to our ACS and so far have been unsucessfull. I keep getting the "please verify the patch bundle is valid".
When I download the 5-2-0-26-4.tar.gpg file, for some reason the download always comes down from Cisco as 5-2-0-26-4.tar.tar. I've renambed the file to 5-2-0-26-4.tar.gpg and verified the MD5.
I have a server connected to my router with a CAT5. I usually manage the server from my laptop connected to the router via WLAN. I often need to add files to a public folder on the server so it can be dowloaded by my clients when they need them. I can access my personal laptop from the server, but I cannot access the server's files from my laptop. This is recent and used to work fine. I also cannot acces other personal computers on my network that I often connect to
Need URL for patch 4.2.1.15.3 with comptaible for cisco acs appliance 1120 . Though its for appliance patch should be along with webserver . I have downloaded patch of SE its not comptaible to this hardware .
Configuration: VM with ACS 5.4 with patch 3. (upgraded from 5.2.0.26 patch 10)When I go on "System Administration" - "Administrators" - "Administrative Access Control" - "Authorization", I got this error:
What I tried:
"acs backup" on this server and shutdown Install an ACS 5.4 with patch 3 on new VM --> I don't have the problem on GUI "acs restore" to restore my configuration on new server --> I got this problem again...
I want to use this feature...After this error, others pages generate this error: I have to reload server or restart management service to get him back...How could I solve this? (I don't want to reconfigure manually the server )
About to apply a patch for the first time on the ACS 5.3 tonight. Ihave tftp'd it onto a directory i have created on the server. However my support hints i may havre to rename the file ? copy the latest patch file you got from Cisco – you may need to rename as gpg) Current filename is 5-3-0-40-7.tar.tar
So would i need to rename this as 5-3-0-40-7.tar.gpz . If so i will rename it on my pc and redownload it on tftp
We have Cisco ASA 5505 with ASDM 5.2 We have one Proxy server in our Local Lab and pointed to Hosted service(Simple Signal)issue is, When our proxy server send register to hosted server, ASA change private IP and post with outside IP and src port as 1063 every time.
Here is debug log on real time monitoring.
Aug 24 2011 05:21:19 302015 203.xxx.xxx.226 192.168.1.51 Built outbound UDP connection 3774 for outside:203.xxx.xxx.226/5060 (203.xxx.xxx.226/5060) to inside:192.168.1.51/27014 (99.119.161.107/1142) Aug 24 2011 05:21:19 607001 203.xxx.xxx.226 Pre- allocate SIP Via UDP secondary channel for inside:192.168.1.51/27014 to outside:203.xxx.xxx.226 from REGISTER message Aug 24 2011 05:21:19 710005 203.xxx.xxx.226 99.xxx.xxx.107 UDP request discarded from 203.xxx.xxx.226/5060 to outside:99.xxx.xxx.107/1063
Here 99.xxx.xxx.107 is Our ASA Outside IP address 203.xxx.xxx.226 is Hosted server IP address. My ASA config is attached.
Trying to upgrade a pair of ACS servers from 5.2.0.26 base to patch 4. I have tried creating different repositiories that are SFTP, FTP, and Local. The secondary unit(ROTACS2) upgraded fine with no problems the primary(ROTACS) will not, see below.
Cisco Application Deployment Engine OS Release: 1.2ADE-OS Build Version: 1.2.0.182ADE-OS System Architecture: i386 Copyright (c) 2005-2009 by Cisco Systems, Inc.All rights reserved.Hostname: ROTACS Version information of installed applications--------------------------------------------- Cisco ACS VERSION INFORMATION-----------------------------Version : 5.2.0.26Internal Build ID : B.3075 ROTACS/mpartain#
[code]....
It appears that the GPG key is not vaild on this primary server. The patches are in the repositories and I used the acsrepo repo to install on the ROTACS2 secondary server.I have looked through articles and the only mention is to not use TFTP, which I am not. I have also tried to apply patches 1-3 with the same results.
I've got a pair of Cisco ACS 4.2 servers running on our corporate LAN. Currently they are doing TACACS+ for the network gear, and wireless authentications for internal users.
We have contracted with an external web site for an application - They can run RADIUS from their site to our LAN for the user authentications. How can I best do this?
1. NAT the traffic on my ASA firewalls to the internal servers, send the RADIUS traffic to/from the external site?
2. Is this secure?
3. Should I have a RADIUS server in the DMZ instead?
to grant not to show the certificate error adevertise to all clients connecting to guest services (because obviously they don't have the CA root certificate of our company), we have purchased a wildcard certificate from Verisign in order to work with all of our PSN Common Names and friendly url for sponsor and mydevices. But when I try to import it to more than one PSN the following error message is shown " The certificate already exists in the data base".How can I import the same certificate (with the same private key) in every PSN in a node group?
We are using ACS v5.2.0.26.3 in 802.1X certificate based authentication. Now, when we added CRL functionality into ACS it fails in CRL validation and gives following error message:
LastErrorMessage=CRL PKI verification failed Certificate Revocation list [URL]
We have installed root, device and server certificates from CA, but for management we are still using self-signed certificate.
Question is, which certificate is used when validating downloaded CRL file - one used for EAP-TLS or one used for management interface?
How I can check which certificate ACS server is using for CRL validation?
I try upgrade ACS 5.3.0.40 to new version 5.4.0.46. Everything looks ok:
ACS-machine/acsadmin# application upgrade ACS_5.4.0.46.tar.gz rep01 Do you want to save the current configuration ? (yes/no) [yes] ? Generating configuration. Saved the running configuration to startup successfully
% CARS Install application required post install reboot...
Broadcast message from root (pts/0) (Thu Dec 6 23:36:41 2012):
The system is going down for reboot NOW!
Application upgrade successful
But ACS machine (vmware instance) can't boot with this result: Volume group "smosvg" not found. (for details see attachment)
I am trying to upgrade ISE from 1.1.0 to 1.1.2.145 but failed. Find the details below.
DR-ise-pdp-01/admin# application upgrade ise-appbundle-1.1.2.145.i386.tar.gz ISE1 Save the current ADE-OS running configuration? (yes/no) [yes] ?
Generating configuration... Saved the ADE-OS running configuration to startup successfully Initiating Application Upgrade... Stopping ISE application before upgrade... Running ISE Database upgrade... % Application upgrade failed. check logs for more details.
