In the course of typical network administration, it is common to
attempt to ping the Cisco Secure Access Control Server (ACS) Solution Engine in
order to determine if the appliance is up and reachable. However, these pings
fail due to enhanced security restrictions in place on the appliance.
There are no specific requirements for this document.
The information in this document is based on the Cisco Secure ACS
The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.
Technical Tips Conventions for more information on document
The Cisco Secure ACS Solution Engine, also known as the Cisco Secure
ACS Appliance, is based on Microsoft Windows, and therefore is vulnerable to
PMTUD attacks and to attacks based on ICMP "hard" error messages. Such attacks
are detailed in the
ICMP Messages Can Cause Denial of Service security advisory.
Recent versions of the Cisco Secure ACS Solution Engine ship with Cisco
Security Agent (CSA), which is configured to block all incoming ICMP messages.
Under this situation, the Cisco Secure ACS Solution Engine is not vulnerable to
any of the attacks that this document describes.
The Cisco Secure ACS Solution Engine does not respond to pings like a
normal, Windows-based Cisco Secure ACS server.
The failure of the Cisco Secure ACS Solution Engine to respond to pings
is the result of the rule set applied to the CSA installed on the appliance.
In order to allow ping on your ACS Solution Engine, you need to disable
the CSA. This can be done via the System Configuration > Appliance
Configuration menu. There is an option to disable or enable the CSA. If you
disable this agent, you can then ping the appliance.
Note: Disable CSA only if you want to verify the pings to work.
Instead of monitoring the status of the appliance with the use of ICMP,
you can verify it is up and reachable when you connect to the appliance on TCP
port 2002. Telnet to the appliance on port 2002 and press
Enter. You should see the error:
500 Internal Server Error
This is an example of this procedure performed at the Windows command
C:\>telnet 172.18.124.101 2002 <enter>
HTTP/1.0 500 Internal Server Error
Connection to host lost.
Additionally, you can download several free TCP ping-type utilities
from the Internet that attempt to connect to a host on any TCP port and report
back if the host responds.