Cisco :: ACS 5.1 Promote Secondary Server
Mar 2, 2011
In ACS 5.1 how do I promote the secondary server to local mode if I have lost the primary server, in this scenario is it only accessible by the CLI and would you have to manually promote it so as to enable further configuration elements via the GUI? I would have thought that if the primary failed some sort of keep alive from the primary to the secondary would be lost thus making the secondary force it's own promotion but this does not seem to be the case???
View 2 Replies
ADVERTISEMENT
Feb 28, 2013
We are using ACS 5.3 with two servers in a distributed solution.All logs are collected on primary server so when this server fails all logs are lost.How can I enable log on secondary server also?
View 2 Replies
View Related
Oct 23, 2012
We have 4 ACS 5.3 Servers connected as Primary and Secondary Servers.We use a "RSA SecurID Token Servers" External userdatabase for authentications and are able to sucessfully authenticate (vpn-)users when the requests are send from the primary ACS Server.As soon as a secondary ACS server sends the request to the RSA server the request fails. "Node verification failes"
On the RSA Authentication Manager 6.1 Server, we have created a Agent-host wich contains the 3 secondary nodes (FQDN and IP's). The "sdconf.rec" file has been installed on theprimary ACS Server and are automatically (so it looks like) replicated to all ACS Servers.Still none of the secondary server are able to authenticate the users agains the RSA server.
View 1 Replies
View Related
May 29, 2013
My customer has an ACS 1121 version 5.4. Now we want to install a secondary ACS 1121.
View 2 Replies
View Related
May 15, 2011
Can we assign Secondary ISP-2 Pool IP to DMZ Server, network design attached for reference.
View 2 Replies
View Related
Jul 14, 2011
I was setting a static IPs for my PCs, and for the Preferred and Alternate DNS Server addresses I looked on my router's Device Information page. It had "Primary DNS Server: 121.98.0.1", but "Secondary DNS Server:" is reported as "0.0.0.0". Router is a DIR-655:
I looked on my ISP's website and they have "121.98.0.2" listed as the Secondary Name Server/DNS:
Why does the router not report that? Is there something wrong? Should I still set 121.98.0.2 as the Alternate DNS Server in Windows?
EDIT: BTW, my modem reports both primary and secondary DNS servers on it's info page.
View 6 Replies
View Related
Apr 21, 2013
I have a couple of ACS 5.2 configured as active and backup and I am doing dot 1x authentication using these servers . I have configured the switch with the bellow configuration.
radius-server host 10.0.10.15 auth-port 1645 acct-port 1646
radius-server host 10.0.10.16 auth-port 1645 acct-port 1646
radius-server key 7 aaaaaaaaaaaaaa
please help to understand what will happen in switch
1) in case of primary failure
2)in case if primary returns alive .
View 8 Replies
View Related
Nov 2, 2011
Cisco ACS 5.2 secondary server is configured as a log collector for both primary and secondary server .Now i am facing problem in log collection from primary server .ACS secondary server is not collecting any logs from primary .
View 2 Replies
View Related
Aug 26, 2012
i have planned a deployment with one acs in Europe working as primary, one acs in europe as secondary and one acs in USA as secondary also.
I can add one acs in europe to the deployment as secondary. When I try to add the acs in USA to the deployment - Nothing really works.
The status shown in the primary is offline (red) and status pending. It stays like this for hours. When I log in to the gui directly on the acs in USA, it still has status primary.
The two acs are transparently connected. There is WAN optimization (cisco waas) in between the two datacentres..
View 1 Replies
View Related
Apr 24, 2011
I have two ACS 5.2 working in redundancy Primary and Secondary my question in when my primary ACS goes down i can´t see the log in the secondary ACS. I read in the documentación that only one ACS can be configurated for working like logg collector server. Now I configurated my secondary ACS like logg collector server now when my Primary ACS goes down i can see the logg. Finally when my Secondary ACS goes down i can modified the ACS Primary Configution by show me the logg.. Is possible to do this automaticaly for show me the event logg ? when the ACS that is configurate like logg collector server goes down pass the event other ACS automatically..
View 3 Replies
View Related
Sep 12, 2011
I have 1 2821 router with several IP addresses from a single provider. The IP addresses are not contiguous.I would like to NAT different internal subnets to different external IP's. i.e. map 10.1.1.0 to x.x.220.68 and 10.1.2.0 to x.x.220.70 and 10.1.3.0 to x.x.105.184.
I currently have ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/1 overload that translates everything to x.x.105.184.What would be the best way to setup the NAT statements to be able to divide up the subnets?
View 3 Replies
View Related
Mar 16, 2012
On a cisco 2821 running 15.1(3)T1 From this cisco DOC, common use of secondary IP addresses on an interface are
•There might not be enough host addresses for a particular network segment. For example, suppose your subnetting allows up to 254 hosts per logical subnet, but on one physical subnet you must have 300 host addresses. Using secondary IP addresses on the routers or access servers allows you to have two logical subnets using one physical subnet.
•Many older networks were built using Level 2 bridges, and were not subnetted. The judicious use of secondary addresses can aid in the transition to a subnetted, router-based network. Routers on an older, bridged segment can easily be made aware that many subnets are on that segment.
•Two subnets of a single network might otherwise be separated by another network. You can create a single network from subnets that are physically separated by another network by using a secondary address. In these instances, the first network is extended, or layered on top of the second network. Note that a subnet cannot appear on more than one active interface of the router at a time.
On the WAN interface I've added two Secondary Public IP's (from the same subnet) to use for NAT to internal hosts. Is this a common scenario or is there a more typical way to acheive this. This assumes, I do not want to put a Public IP on an interface on the internal server.
interface GigabitEthernet0/1
description WAN$ETH-WAN$
ip address x.x.x.1 255.255.255.240
ip address x.x.x.2 255.255.255.240 secondary
ip address x.x.x.3 255.255.255.240 secondary
[code]....
View 2 Replies
View Related
Jun 22, 2011
How can you figure out your primary and secondary DNS? I have a linksys router, and i'm trying to figure out what my primary and secondary DNS are so i can hook up my PS3 online.
View 1 Replies
View Related
Feb 7, 2013
Just want to know if there is a way to configure secondary IP address on the outside/public interface of ASA/PIX.One of our clients have used most of their IP on the subnet given by their ISP. They use those IP's for staticallymapping to Servers inside their local LAN. Thus, they requested another block/subnet from their ISP. They will also use this for static mapping/port forwarding to other servers in their network. The current UTM they are using is allowing this but they would like to use ASA/PIX as their main Firewall. Is this even possible or is there a workaround for this kind of scenario?
View 5 Replies
View Related
Oct 3, 2011
Is it possible to setup a Backup GRE Tunnel using a Seconadary IP Address on the WAN interface. The router is a Cisco 871.
View 33 Replies
View Related
Jun 13, 2012
I would like to know if is possible to configure a secondary IP address in a 5505 interface ??
View 1 Replies
View Related
Jun 5, 2013
I've just had to rebuild my ACS appliance with new hardrives but I am unable to register the devices to each I get a system error. I thought it may have had something to do with the rebuilt device not being joined tothe domain but it has now been joined albeit using a different ad account, but still cannot register to primary.
View 11 Replies
View Related
Mar 23, 2012
I've got an 1811 router running 15.4 IOS and a cable modem with 5 static IP's attached to Fa0. I would like to dedicate one of those IP's to a dedicated internal subnet (10.0.30.0/24) but I am not sure how to accomplish this?
What would be the best method to accomplish this? Unsure of where to begin..
View 3 Replies
View Related
Jan 8, 2012
I currently have the managment interface set to my internal network using our DHCP server. We also provide another interface to WLAN for a chartity organization. Their interface and WLAN are locked out of our network (no routes, no nothing) with only VLAN tagging sending out over our backup internet connection. I have been tasked to take over their DHCP scope (255.255.240.0). I added the scope into the 4404 just fine but can't seem to assign it. So, for the sake of argument lets say:
Interface:
management VLAN 10 10.10.10.10 DHCP = 10.10.10.15
charity VLAN 20 192.168.160.2 DHCP = ????
[Code].....
If I tell the charity interface to use 192.168.160.2 for the dhcp scope it errors out. I also tried the DHCP override in the WLAN with no success. If I set either DHCP option for the charity to aim at the managment interface it does nothing as it can't find it..
View 2 Replies
View Related
Nov 16, 2012
I am attemtping to install new ssl certs on our 5.3 cluster. I was able to generate the CSR on the Primary host. When I attempt to generate the csr on the secondary host, I receive the following error:
This System Failure occurred: Error while remotely calling Primary to create: com.cisco.nm.acs.im.certificate.CertificateRequest Object{ request=[B@144cead, privateKey=null, encryptedPrivateKeyPassword=[B@5ce155, certificateSubject=CN=xxxx.xxxxxx.net, keyLength=2048, digest=SHA1, timeStamp=null, friendlyName=null, guid=[B@1cd99ca, description=null, name=xxxx.xxxx.net, version=0, id=0}. Your changes have not been saved.Click OK to return to the list page.
Both hosts are running identical versions:
Cisco ACS VERSION INFORMATION
-----------------------------
Version : 5.3.0.40
Internal Build ID : B.839
View 1 Replies
View Related
Aug 27, 2012
We are in the process of implementing secondary ISP to our ASA firewall and We would like to run both ISPs in parallel so we can test until we finally cutover?
View 2 Replies
View Related
Oct 15, 2012
Have a controller based depolyment with (2) 5508s and an 1121 ACS appliance running 5.1 code. Controllers are setup identically and we are radius authenticating users to AD via the ACS. Everything works great on the primary controller, but when I test failover to the secondary controller, my authentication fails and I get the following error message in my ACS logs:
12126 EAP-FAST cryptobinding verification passed
12147 Machine Authentication is disabled
12161 Cannot provision Authorization PAC when the stateless session resume is disabled
12106 EAP-FAST authentication phase finished successfully
11503 Prepared EAP-Success
View 1 Replies
View Related
Dec 18, 2011
We have an ASA 5520 in production with a brand new internet feed we've just finished installing. We connect to our corporate office via a VPLS. In our corporate office we have a Cisco 1841 (I think that was the year it's made! ) with an ADSL feed with a static IP address plugged in directly.
We have a user VPN that we integrate with our user directory on the router, which connects via the ADSL. The users get an IP addres at the tail end of the 172.31.14.0/24 range, which is the same as one of our corporate subnets (we just reserver a few address, we don't have many VPN users).
Both the ASA and the router connect to each other (via the VPLS) on the internal subnet 10.255.255.0/24.
-The ASA is 10.255.255.1
-The router is 10.255.255.100
Currently the default route for the corporate office goes out the Dialer interface for the ADSL, which means that's where our internet goes out there (all proxying aside, we'll leave that out of this one). ip route 0.0.0.0 0.0.0.0 Dialer1
We'd like to change that default route to go via the VPLS to the ASA, and then out to the internet using the new feed. All the ACLs and rules are in place at both ends for this to work. If I change the default route on the router to: ip route 0.0.0.0 0.0.0.0 10.255.255.1Then it works as expected.
The problem is that then the user VPN breaks. I had hoped I wouldn't have to do any configuration on this but it looks to be so. I'm guessing that the VPN packets are coming in via the ADSL and back out via the new internet. It would be simple if the remote client had a static IP address as I could put in a static route for each user, but it's always going to be dynamic.
What do I need to put in place to get this working? I thought maybe I could leave the default route via the ADSL and put in a next hop rule to go via the VPLS for the specific subnets that need the new internet, i.e. have a subnet specific default gateway, is this possible? (I gave it a go but it didn't seem to work, I think I didn't implement it properly though as it still went via the ADSL, maybe because there is a nat route-map as well?).
View 3 Replies
View Related
Jan 22, 2012
I have a question about the number of Cisco licenses needed in two cases for ACS 5.3 Virtual Machine.One primary + One secondary : Just one license for all or one license for the primary + another one for the secondary ?One primary + several secondaries : Just one license for all or one license for the primary + just one license for all the secondaries ?
View 1 Replies
View Related
Apr 25, 2011
I have been having problems when trying to host servers on games, etc.I have 2 routers. A modem router, which is a Thomson router. That is the main one. It has a wire connecting from it, to a D-Link router that is near my Computer, and my brother's one. Then that D-Link router has 2 wires from each port, to mine, and my brother's computer.So, I am trying to host games.I didn't connect to the Thomson one, which is also wireless. I am connected to the wired one (D-Link). When I try to host while connected to it, my brother, and other people can't find the server. My brother and me can find it on LAN, but not Internet.But when I disconnect from the Wired, and connect to the Thomson wireless one, and then when I host, I can find it on INTERNET. Even my brother can. He can connect to it perfectly.
I do not want to connect to the wireless, because then it will cause lag spikes every 5 minutes.So, when I disconnect from the wireless, and connect to the wire, I went into the CMD, and typed in ipconfig. I found out that the Default Gteway is the D-Link IP.When I connect to the wireless, and disconnect the wired, I went into CMD, and then the Default Gateway is the Thomson one, which is the main router.So what I want to do, is use the D-Link router, and that router will have the same IP as my thomson one, so that I can host perfectly with no lag spikes, and using a wired connection.
View 19 Replies
View Related
Oct 25, 2012
We have just setup a new RV042G firewall. The customer has multiple public IP addresses and we need to allow RDP access for at least 2 of the Public IP addresses. I only see a way to open ports for the one IP assisgned to the WAN. I temporarily did a one to one NAT for the second public IP to NAT to the private IP but that pretty much opens everything which is not ideal from a security standpoint. How can we setup multiple IP addresses on this firewall?
View 4 Replies
View Related
Sep 20, 2012
We are using Cisco VPN Client 5.0.07.0290 to connect to our servers. We have Sonicwall NSA2400 FW and we have 2 ISPs. We have configured the Load balancing on Firewall in 'Spill-Over' mode.
So whenever the 1st ISP Line is on full load it will automatically moves the users on 2nd line.The problem we are facing here is users who are getting IP from 1st ISP Line they are smoothly able to connect to Cisco VPN client but the users who are getting IP from 2nd ISP Line they are not able to connect to Cisco VPN Client. This is really annoying as everyone should be able to connect.
View 8 Replies
View Related
Jun 16, 2011
it is possible de use two servers ACS 5.2 (primary and secondary) in active/ active? or just in active/ passive?
View 3 Replies
View Related
Dec 6, 2011
I have installed 2 ACS 5.2 appliances, the two appear as Primary. When I try to register one of them with the other one using "System Administrator -> Local Operation -> Deployment Operations" I get the following message:
This System Failure occurred: Unable to authenticate with node.. Your changes have not been saved.Click OK to return to the list page.
I have tried with both "ACSAdmin" and "admin" users with their respective passwords.
View 3 Replies
View Related
Mar 3, 2013
I have two ASA 5520s in Active/Standby. I try and test this quartely to ensure it is working correctly. Everything works fine, except I have an issue with one interface. When doing a show failover, it shows the interface as failed on the secondary unit, and I am not sure why. It shows it as normal on the primary.
This host: Primary - Active
Active time: 9277305 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.2(4)) status (Up Sys)
Interface WaterworksCanopy (192.x.x.x): Normal
[code]....
View 15 Replies
View Related
Jun 11, 2012
Today I ran a failover test between our primary and secondary ACS systems (ran 'acs stop' on the primary) and in the process decided to promote the secondary while I had the primary down. All was fine until I brought the primary back up and tried to re-register the secondary to it. I get the following error message: I went into System Administration >Operations >Distributed System Management on each and it showed the other device as deregestered, tried to promote from there but it failed too, so I deleted them and tried to register the secondary again. After that didn't work I tried rebooting both but that didn't work either. I know the user/pass I'm using is good and I've tried using both the IP address and the hostname.
ACS/admin# sh app version acs
Cisco ACS VERSION INFORMATION-----------------------------Version : 5.3.0.40.5Internal Build ID : B.839Patches :5-3-0-40-5
View 3 Replies
View Related
May 22, 2013
I have an MPLS network router(Router1) and an internet router(Internet1) at a site of mine(Site1). the MPLS router sends all unknown traffic out the internet router. Router1 is the default gateway for all hosts and directs the traffic.I also have another network at an alternate site (Site2) on the same mpls network also with an internet egress. It is composed of an MPLS router (router2) and an internet router (Internet2).I would like Router1 to send internet bound traffic out Internet2 if Internet1 is down. Basically the statement on Router1 for the unknown traffice is ip route 0.0.0.0 0.0.0.0 172.31.1.254I have never heard of IP SLA before but it seems to be the best method for this situation.
View 2 Replies
View Related
Apr 15, 2012
I have 6509 with dual sups, the secondary sup has failed and I am not able to bring it up even after reboot. the state says unknown/other. What that state" unknown" means?. I could not find any documentation about this state. [code]
View 5 Replies
View Related
