Migration Guide for the Cisco Secure Access Control System 5.0
Troubleshooting

This chapter describes common problems associated with the ACS 5.0 Migration Utility:

Unable to Restore the ACS 4.x Database on the Migration Machine

Remote Desktop Connection Not Supported for the Migration Utility

Migrating Objects from Large-Scale Databases

Import Phase Only Adds Partial Data

ACS 5.0 Machine Does Not Respond After Import

Resolving Migration Issues

Overlapping IP Addresses

Untranslatable IP Addresses

Network Devices with more than 40 IP Addresses

Invalid TACACS+ Shell Privilege Level

TACACS+ Custom Attributes are not Migrated

Shell Command Authorization Set Not Associated with User or Group

Reporting Issues to the Cisco TAC

Unable to Restore the ACS 4.x Database on the Migration Machine

Condition

Unable to restore the ACS 4.x database on the migration machine.

Action

Verify and ensure that the ACS 4.x production machine (for which a backup was created) and the ACS 4.x migration machine (on which backup was restored) have identical versions of the system software. The problem might be caused by a missing patch level.

Remote Desktop Connection Not Supported for the Migration Utility

Condition

You cannot use Remote Desktop Connection (RDC) to run the Migration Utility.

Action

Use Virtual Network Computing (VNC) to run the Migration Utility on the migration machine.

Migrating Objects from Large-Scale Databases

You might encounter several issues when you attempt to migrate objects from a large database.

Condition

Performance problems can occur when you attempt to migrate a large number of objects from an ACS 4.x database.

Action

Cisco recommends that you run the Migration Utility for each object group. For example, from the Migration Utility, enter 2 to choose option 2, AllUsersObjects. In this example, you would only run the Migration Utility against the Users object.

Import Phase Only Adds Partial Data

Condition

Import only adds partial data.

Action

1. Ensure that:

Migration interface is enabled on the ACS 5.0 server

Network connections are enabled

ACS 5.0 services are up and running

You use a compatible ACS 5.0 license

2. Restore the ACS 5.0 database to its previous version.

3. Restart the Migration Utility.

4. Rerun the Import phase.

ACS 5.0 Machine Does Not Respond After Import

Condition

ACS 5.0 machine does not respond after import.

Action

Restart ACS 5.0.

Resolving Migration Issues

These sections discuss manual methods for resolving migration issues.

Overlapping IP Addresses

The Analysis phase might report overlapping IP addresses for network devices in ACS 4.x. Example B-1 shows that the IP address in the AA network device overlaps with the IP address in the BB network device, and each network device belongs to a different NDG. From the ACS 4.x perspective, these are two separate objects.

Example B-1 Overlapping IP Addresses

The following Network Devices are overlapped:
Network device: AA, IP Address = 23.8.23.*, 45.67.*.8, protocol =RADIUS, Group= HR
Network device: BB, IP Address = 45.*.6.8, 1.2.3.4, protocol =TACACS, Group = Admin 

However, ACS 5.0 defines TACACS+ and RADIUS as one object.

The solution is to use the ACS 4.x application to redefine the network devices to have identical IP addresses and ensure that they belong to the same NDG. Example B-2 illustrates the resolution.

Example B-2 Resolved IP Addresses

Network device: CC, IP Address = 1.2.3.*, protocol =RADIUS, Group= HR
Network device: DD, IP Address = 1.2.3.*, protocol =TACACS, Group = HR

In this example, you consolidate the RADIUS and TACACS+ network devices; the IP addresses are identical and both network devices are part of the same NDG. You can export CC and DD as one object named CC+DD.

Untranslatable IP Addresses

The IP address definition in ACS 4.x can include wildcards and ranges. In ACS 5.0, the IP address definition is in the form of a subnet mask. The analysis phase identifies network groups with untranslatable IP addresses. You can use the ACS 4.x application to modify the IP address ranges to an ACS 5.0 subnet mask definition. However, not all combinations of IP addresses can be translated into an ACS 5.0 subnet mask definition. For example:

Network device: AA, IP Address =23.8.23.12-221 protocol =RADIUS, Group= HR

In this example, the IP address contains a range, 12-221, and cannot be translated into a subnet mask definition.

You cannot migrate IP addresses that contain a range (x-y), a wildcard (*) that is followed by a fixed octet, or only wildcards. For example, the following patterns of IP addresses cannot be migrated:

1.*.2.*

*.*.*.1

*.*.*.*

1.2.3.13-17

The following patterns of IP addresses can be translated:

1.*.*.*

1.2.*.*

1.2.3.*


Note Migration supports IP ranges from 0 to 255.
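As an added example that is not part of the Cisco guide, the following Python applies the address rules from this section and from Overlapping IP Addresses: it reports which device addresses overlap, as the Analysis phase does in Example B-1, and translates a pattern to the ACS 5.0 subnet form where the rules above allow it. It assumes the pattern syntax shown on this page (each octet is a number, `*`, or `a-b`); the function names are my own, not the Migration Utility's.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple


def parse_octet(tok: str) -> Tuple[int, int]:
    """Span an ACS 4.x octet token covers: '*' is 0-255, 'a-b' a range, else one number."""
    if tok == "*":
        return 0, 255
    lo, hi = (int(p) for p in tok.split("-", 1)) if "-" in tok else (int(tok), int(tok))
    if not 0 <= lo <= hi <= 255:  # the chapter's note: ranges run from 0 to 255
        raise ValueError(f"octet outside 0-255: {tok!r}")
    return lo, hi

def parse_pattern(pattern: str) -> List[Tuple[int, int]]:
    octets = pattern.strip().split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {pattern!r}")
    return [parse_octet(o) for o in octets]

def patterns_overlap(a: str, b: str) -> bool:
    """True when every octet span intersects, e.g. 45.67.*.8 and 45.*.6.8 in Example B-1."""
    return all(alo <= bhi and blo <= ahi
               for (alo, ahi), (blo, bhi) in zip(parse_pattern(a), parse_pattern(b)))

def overlapping_devices(devices: Dict[str, List[str]]) -> List[Tuple[str, str, str, str]]:
    """List (device_a, device_b, addr_a, addr_b) for each pair of overlapping addresses."""
    names = sorted(devices)
    return [(a, b, pa, pb) for i, a in enumerate(names) for b in names[i + 1:]
            for pa in devices[a] for pb in devices[b] if patterns_overlap(pa, pb)]

def to_subnet(pattern: str) -> Optional[ipaddress.IPv4Network]:
    """ACS 5.0 subnet form of a pattern, or None where the chapter says it cannot translate.

    Translatable: fixed octets followed only by '*' (1.*.*.*, 1.2.*.*, 1.2.3.*).
    Untranslatable: any a-b range, a '*' before a fixed octet (1.*.2.*, *.*.*.1), or *.*.*.*.
    """
    spans, prefix_len, wildcard_seen = parse_pattern(pattern), 0, False
    for lo, hi in spans:
        if (lo, hi) == (0, 255):
            wildcard_seen = True
        elif lo != hi or wildcard_seen:  # a range, or a fixed octet after a wildcard
            return None
        else:
            prefix_len += 8
    if prefix_len == 0:
        return None
    host = ".".join(str(lo) for lo, _ in spans)  # wildcard octets become 0
    return ipaddress.ip_network(f"{host}/{prefix_len}")
```

Running `overlapping_devices` on the two devices of Example B-1 reports only the 45.67.*.8 / 45.*.6.8 pair, which is what the Analysis phase flags there.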


Network Devices with more than 40 IP Addresses

Condition

Network devices in ACS 4.x have more than 40 IP addresses. ACS 5.0 does not migrate network devices that have more than 40 IP addresses.

Action

Use the ACS 4.x application on the migration machine and edit the network device settings. To do this:


Step 1 Choose Network Configuration.

Step 2 Select the network device group to which the network device belongs.

Step 3 Select the network device.

Step 4 Edit the AAA Client IP Address field. Ensure that the AAA client has 40 or fewer IP addresses.

Step 5 Click Submit + Apply.


Rerun the Migration Utility (Extract and Analyze, Export, and Import phases).

Invalid TACACS+ Shell Privilege Level

Condition

The TACACS+ (T+) shell privilege level is not in the range 0 to 15.

Action

Use the ACS 4.x application on the migration machine and edit the T+ settings. Ensure that the T+ privilege level is in the range 0 to 15.

To edit the T+ settings at the user level:


Step 1 Choose User Setup.

Step 2 Select the user. The Edit screen appears.

Step 3 Check the Privilege level check box of the TACACS+ Settings table and enter a value between 0 and 15.

Step 4 Click Submit.


To edit the T+ settings at the group level:


Step 1 Choose Group Setup.

Step 2 Select the group and click Edit Settings.

Step 3 Check the Privilege level check box of the TACACS+ Settings table and enter a value between 0 and 15.

Step 4 Click Submit + Restart.


Rerun the Migration Utility (Extract and Analyze, Export, and Import phases).

TACACS+ Custom Attributes are not Migrated

Condition

T+ custom attributes are defined for users and groups in ACS 4.x. ACS 5.0 does not support TACACS+ custom attributes.

Action

No action is required. All the other T+ Shell Exec attributes that are defined for users and groups are migrated. T+ custom attributes are dropped.

Shell Command Authorization Set Not Associated with User or Group

Condition

Shell Command Authorization Sets are assigned on network devices or network device groups in ACS 4.x. After migration, the association between the Shell Command Authorization Set and the User or Group is lost.

Action

Use the ACS 5.0 application to:

1. Access the migrated command sets. See Command Set Migration for more information.

2. Create a policy for the users and identity groups.

Refer to the User Guide for the Cisco Secure Access Control System 5.0 for more information on creating policies.

Reporting Issues to the Cisco TAC


Note Cisco Technical Support for ACS is limited to standard Cisco product installation, configuration, and operational troubleshooting. Questions and support issues related to ACS 4.x to 5.1 migration are not covered by Cisco Technical Support.
The Cisco Technical Assistance Center (TAC) does not offer any support for migrating from Cisco Secure ACS for Windows or Solutions Engine to ACS 5.x. Contact your account team for assistance.


Include information about the following when you report a case to the Cisco Technical Assistance Center (TAC):

Backup of the ACS 4.x database (.dmp file)

Migration logfile (...migration/bin/migration.log)

All the reports in the config folder (...migration/config)

ACS 5.0 logfiles

ACS 5.0 build number

ACS 4.x build number