Table Of Contents
Troubleshooting and FAQs
Troubleshooting ACS View
Checking Processes After Installation
Changing Process Status
Restarting the ACS View Server
Troubleshooting Report Generation
Troubleshooting Data Collection
Obtaining Debug Information
Enabling Component Debugging
Downloading or Viewing Server Logs
Getting Debug Information from Server Logs
Re-imaging the ACS View Application
Required Tools and Equipment
Re-imaging Process
Resetting Administrator Password
FAQs
Data Collection
ACS Server Configuration
Reports
Alerts
Licensing
Admin Activities
Troubleshooting and FAQs
This chapter provides information to help you troubleshoot issues with ACS View and lists answers to FAQs. It contains:
•
Troubleshooting ACS View
•FAQs
Troubleshooting ACS View
This section provides the following troubleshooting information for ACS View.
•Checking Processes After Installation
•Changing Process Status
•Restarting the ACS View Server
•Troubleshooting Report Generation
•Troubleshooting Data Collection
•Obtaining Debug Information
•Re-imaging the ACS View Application
•Resetting Administrator Password
Checking Processes After Installation
The background processes that run in ACS View include:
•Alert Manager
•Collector
•Job Manager
•AppServer
•DBServer
After logging in to ACS View through the GUI, check if all the processes are up and running.
To check the status of the processes:
Step 1 Choose System Administration > System Reports > Process Status.
The Process Status page appears as shown in Figure 10-1.
Figure 10-1 Process Status
Step 2 The Process Status page lists the processes and their states as shown in Figure 10-1.
Note When any process fails, the system brings it back up in 100 seconds. However, you can start or stop individual processes through the CLI for troubleshooting purposes.
See Troubleshooting ACS View.
Changing Process Status
You can start or stop individual ACS View processes from the CLI.
To restart all processes, enter:
To restart a single process, enter:
process stop process_name
process start process_name
Note The process start all command may at times span more than one instance of the same process. We recommend, therefore, that to restart all processes, you enter:
process stop all
process start AppServer
By using the process start AppServer command, you can restart all processes related to the ACS View server.
To check the process status, enter:
process status
Note When you enter process status, ACS view displays the summary of all processes. However, you can ignore the summary details of the system processes, which appears following System <hostname> in the CLI.
See Troubleshooting ACS View.
Restarting the ACS View Server
You must restart the ACS View server after you:
•Install any patch installation or update for the changes to take effect.
•Change the server date and time zone.
To restart the ACS View server from the GUI:
Step 1 Choose System Administration > System Reports > Process Status.
The Process Status page appears as shown in Figure 10-1.
Step 2 Click Restart ACS View Server.
To restart ACS View from the CLI:
Step 1 Log in to the CLI by using your administrator credentials. See Accessing the ACS View CLI, page 9-6.
Step 2 Enter process stop all.
All the ACS View processes stop.
Step 3 Enter process start all.
All the ACS View processes start.
Note You must restart the ACS View server after you update the self-signed certificate.
Troubleshooting Report Generation
Table 10-1 lists scenarios involving possible failures when generating reports with ACS View.
Table 10-1 Troubleshooting Report Generation
If this issue occurs...
|
Potential Resolution
|
Refer...
|
Incorrect data in:
•Details and Summary reports.
•Drill-down reports.
|
Verify if the list of mandatory attributes in ACS is:
•Configured for ACS View.
•Received in ACS View.
|
•Mandatory ACS Attributes for ACS View, page A-1
•Obtaining ACS Server Status, page 3-13
|
Check the corresponding ACS logs and CSV files for data in the specified duration.
|
From ACS Windows, click Reports and Activity; then choose and click the report from the available categories.
|
Check if syslog messages were dropped; perform an on-demand data collection.
|
Configuring ACS View for Data Collection, page 3-13
|
If the Summary report differs from ACS data, synchronize data aggregation by running the database update command from the CLI.
|
database update, page B-14
|
Some report fields have no values.
|
Check if you have enabled data collection in ACS for
•Syslog.
•package.cab.
|
•Configuring ACS View in ACS for Syslog, page 3-13
•Enabling CSV Logging in ACS, page 3-14
|
Reports have no data.
|
Check if you have enabled data collection in ACS for
•Syslog.
•package.cab.
|
•Configuring ACS View in ACS for Syslog, page 3-13
•Enabling CSV Logging in ACS, page 3-14
|
In the case of data collection through syslog, verify the log setup in ACS for:
•IP address of the ACS View server.
•Port number (514).
|
From ACS Windows, choose System Configuration > Logging > Logging Configuration.
|
Synchronize data aggregation by running the database update command from the CLI.
|
database update, page B-14
|
See Troubleshooting ACS View.
Troubleshooting Data Collection
Table 10-2 lists scenarios involving possible failures when:
•Downloading package.cab
•Uploading package.cab
Table 10-2 Troubleshooting Data Collection
Reason for failure
|
Potential Resolution
|
Refer...
|
Downloading package.cab
|
ACS servers are down or not reachable when the job runs.
|
1. Restart the ACS server and check if the ACS processes are up and running.
2. Perform an on-demand package.cab download again.
|
Downloading package.cab, page 3-15
|
ACS Admin user name or password is incorrect.
|
Check if the administrator username and password configured in ACS matches the credentials that you entered when adding the ACS server to ACS View.
If the data does not match:
1. Log in to ACS View.
2. Choose System Administration > ACS Servers Configuration > Server List.
3. From the ACS server list, choose the ACS server and click Edit.
4. Update the admin username and password fields and click Save.
Now, check if on-demand or scheduled data collection runs successfully.
|
From System Administration > ACS Servers Configuration > Data Collection page, verify the status in the Data Collection Status area.
|
ACS administrator account is locked or password is expired (based on Administrator password policy).
|
Check if you can login using your existing account into ACS.If you cannot login, ensure that you create a new administrator account in ACS through the console.
Then,
1. Log in to ACS View.
2. Choose System Administration > ACS Servers Configuration > Server List.
3. Choose the ACS server from the list and click Edit.
4. Update the administrator username and password fields and click Save.
Now, check if on-demand or scheduled data collection runs successfully.
|
•User Guide for Cisco Secure Access Control Server
•From System Administration > ACS Servers Configuration > Data Collection page, verify the status in the Data Collection Status area.
|
The ACS administrator does not have the right privileges.
|
Verify if you have configured Support operations in ACS.
1. Log in to ACS.
2. Choose Administration Control, and click the particular admin user:
1. In the System Configuration area, check the Support Operations check box.
2. Click Submit.
Now, log in to ACS View and check if on-demand or scheduled data collection runs successfully.
|
Enabling Administrator Rights in ACS for ACS View, page 3-10
|
Access Mode changed in ACS (from HTTP to HTTPS or vice-versa).
|
Check the status of Access mode in ACS:
1. Login to ACS > Administration Control > Access Policy
2. Check the Use HTTPS Transport for Administration Access check box.
If the Access Mode in ACS has changed:
1. Log in to ACS View.
2. Choose System Administration > ACS Servers Configuration > Server List.
3. Choose the ACS server from the list and click Edit.
4. Set the Access Mode (HTTP or HTTPS) as configured in ACS and click Save.
Now, check if on-demand or scheduled data collection runs successfully.
|
From System Administration > ACS Servers Configuration > Data Collection page, verify the status in the Data Collection Status area.
|
The System Configurations > Support page in ACS is locked because another user is accessing the page in ACS.
|
Log in to ACS and check if you can access the support page. When you can access the page, run an on-demand data collection job to synchronize the data.
|
User Guide for Cisco Secure Access Control Server 4.2
|
ACS View disk space is full.
|
Check disk-space utilization from the System Administration > Server Management > Summary page. If required, trigger an on-demand purge.
|
Database Purge, page 8-16
|
The AAA-server attribute is missing in the CSV log.
|
1. Log in to the ACS server.
2. Select the AAA-server attribute for CSV logging.
Now, check if on-demand or scheduled data collection runs successfully.
|
•Mandatory ACS Attributes for ACS View, page A-1
•From System Administration > ACS Servers Configuration > Data Collection page, verify the status in the Data Collection Status area.
|
A Job may be already running (Concurrency issue).
|
Download, upload, or schedule package.cab from the ACS server only after ACS View completes the current download, upload or scheduled job.
|
Configuring ACS View for Data Collection, page 3-13
|
The package.cab extraction failed.
|
File may be corrupt or the connection terminated. Try uploading again.
|
Configuring ACS View for Data Collection, page 3-13
|
Uploading package.cab
|
Invalid package.cab uploaded.
|
Upload package.cab only to the ACS server from which you downloaded it.
|
•Uploading package.cab, page 3-17
|
The AAA-server attribute is missing.
|
The uploaded package.cab might not have the AAA server attribute in logs.
|
•Uploading package.cab, page 3-17
|
ACS View disk space is full.
|
Check disk-space utilization from the System Administration > Server Management > Summary page. If required, trigger an on-demand purge.
|
Database Purge, page 8-16
|
The package.cab extraction failed.
|
File may be corrupt or the connection terminated. Try uploading again.
|
Uploading package.cab, page 3-17
|
Obtaining Debug Information
ACS View offers various server logs that contain debug information for ACS View. You must first enable event logging for the server to log events. You can then download or view the log file containing debug information. You might need to send these log files to Cisco Technical Assistance Centre (TAC) for addressing your support queries.
This section describes:
•Enabling Component Debugging
•Downloading or Viewing Server Logs
•Getting Debug Information from Server Logs
Enabling Component Debugging
To enable event logging for ACS View components:
Step 1 Choose System Administration > Server Management > Server Logs.
The View Logs page appears as shown in Figure 10-2.
Figure 10-2 Server Logs
Step 2 Click the Enable radio button for the corresponding component logs for which you want to enable debug mode.
Note If you do not wish to log events for a particular component, you can disable logging for that component.
Step 3 Click Save.
See Troubleshooting ACS View.
Downloading or Viewing Server Logs
To download or view the server logs:
Step 1 Choose System Administration > Server Management > Server Logs.
The View Logs page appears as shown in Figure 10-2. The Server Logs box lists the available log files.
Step 2 Choose the log files that you want to download or view.
Step 3 Click Download to download the log file or View to view it.
See Troubleshooting ACS View.
Getting Debug Information from Server Logs
To get the debug information from server logs:
Step 1 Choose System Administration > Server Management > Server Logs.
The Server Logs area lists the available log files.
Step 2 Click Get Debug Info.
A File Download popup appears.
Step 3 Click Open to view the file from the server, or Save As to save a copy of the file in your machine.
See Troubleshooting ACS View.
Re-imaging the ACS View Application
Failure of application software due to corruption as well as failure of hardware components can lead to a catastrophic system crash which would force you to restore the application on the appliance. Based on the nature of the system failure (application software corruption or hardware component failure), the appliance will have to be re-imaged to the system-configuration state or the out-of-the-box state.
See:
•Required Tools and Equipment
•Re-imaging Process
Required Tools and Equipment
To re-image your ACS View appliance, you need:
•ACS View Restore CD-ROM
•Peripherals: Serial console; or, a keyboard and monitor.
Re-imaging Process
To re-image your appliance:
Step 1 Power up your appliance.
Step 2 Insert the ACS View Recovery CD to the CD drive.
The appliance displays the Recovery CD message:
Welcome to Cisco Secure ACS View 4.0 Recovery - Cisco ADE 2120
To boot from hard disk press <Enter>
[1] Cisco Secure ACS View 4.0 Installation (Keyboard/Monitor)
[2] Cisco Secure ACS View 4.0 Installation (Serial Console)
[3] Reset Administrator Password (Keyboard/Monitor)
[4] Reset Administrator Password (Serial Console)
<Enter> Boot from hard disk
Please enter boot option and press <Enter>.
Note Enter:
•1 to install the application through keyboard and monitor.
•2 to install the application through an attached serial console.
•3 to reset the administrator password through an attached keyboard and mouse.
•4 to reset the administrator password through an attached serial console.
Step 3 Enter the bootup option and press Enter to re-image the application.
See Troubleshooting ACS View.
Resetting Administrator Password
You can reset the administrator password in ACS View. To change the administrator password:
Step 1 Power up your appliance.
Step 2 Insert the ACS View Recovery CD to the CD drive.
The appliance displays the Recovery CD message:
Welcome to Cisco Secure ACS View 4.0 Recovery - Cisco ADE 2120
To boot from hard disk press <Enter>
[1] Cisco Secure ACS View 4.0 Installation (Keyboard/Monitor)
[2] Cisco Secure ACS View 4.0 Installation (Serial Console)
[3] Reset Administrator Password (Keyboard/Monitor)
[4] Reset Administrator Password (Serial Console)
<Enter> Boot from hard disk
Please enter boot option and press <Enter>.
Step 3 Enter 3 to reset administrator password through an attached keyboard and mouse. If you are using a serial console port, enter 4.
Step 4 Enter the information as described in Table 10-3.
Table 10-3 Administrator Password Reset Parameters
Parameter
|
Description
|
Admin username
|
Enter the number of the administrator whose password that you want to reset.
|
Password
|
Enter the new password for the administrator.
|
Verify password
|
Enter the password again.
|
Save change & Reboot
|
Enter Y to save, otherwise N.
|
Following is the sample output of an administrator password reset:
Enter number of admin for password recovery:1
Save change&reeboot? [Y/N]:
See Troubleshooting ACS View.
FAQs
This section lists answers to FAQs that you might have about ACS View. The questions pertain to:
•Data Collection
•ACS Server Configuration
•Reports
•Alerts
•Licensing
•Admin Activities
Data Collection
Q. If ACS View is down for two days, should I synchronize missing data?
A. You do not need to manually synchronize servers for missing data. When ACS View restarts after a downtime, a startup job automatically retrieves the missing data from one or more ACS servers and updates the ACS View database.
Q. What is the maximum size of the package.cab file that I can upload?
A. There is no limit on the size of the package.cab file. The recommended file size, however, in a:
•LAN link—50 MB
•WAN link—10 MB
Q. Can I upload file types other than .cab?
A. No, ACS View only supports .cab files.
Q. Can I download the package.cab file from more than one ACS server?
A. Yes, you can download the package.cab file from multiple ACS servers.
Q. Under what conditions are logs dropped?
A. Logs are dropped if:
•The CSV log file does not contain:
•Account session time (in RADIUS Accounting)
•Elapsed time (in TACACS+ Accounting)
•In such cases, the stop packet cannot update its start time for that particular accounting session.
•AAA-Server attribute is missing.
Q. For how many days does the Data Collection Status page display information?
A. The Data Collection Status page displays information for the most recent two days of the jobs performed for is listed in the Data Collection Status page.
Q. Why is some data from the ACS server not updated?
A. Verify if you have disabled a scheduled data collection job:
a. Choose System Administration > ACS Servers Configuration > Data Collection.
b. Check if the Scheduling field is disabled; if so, default schedule synchronization does not occur.
c. To enable synchronization, provide the Scheduled Time, and click Schedule.
New data or data dropped via syslog is downloaded.
Q. Why does ACS View not initiate an upload or a download of package.cab from ACS servers?
A. Verify if any ACS View processes are down:
a. Check if any process is down from the System Administration > System Reports > Process Status page.
b. If so, bring up the process by clicking Restart ACS View Server in the System Administration > Process Status page.
To restart the ACS View server through the command-line interface (CLI):
a. Log in to ACS View by using your administrator credentials, and enter process stop all.
All the ACS View processes stop.
b. Enter process start all.
All the ACS View processes start.
Check if upload or download of package.cab is initiated.
Q. Why does an on-demand or a scheduled download of package.cab fail?
A. An on-demand or a scheduled download of package.cab may fail because of one or more of these issues:
•ACS server is not reachable.
•ACS View application is down.
•Another user is using the same ACS server to download package.cab.
•You added an ACS server in HTTP mode in ACS View and later enabled HTTPS on that ACS server, or vice-versa.
•A user is accessing the GUI support page (System Configuration > Support) in ACS.
Q. Why and when should I download the package.cab files?
A. You should download the package.cab files when ACS View fails to collect them from ACS servers as part of the scheduled data collection, which happens at 12:01 a.m. by default. You can also download the package.cab files if you want to use the latest available logs in ACS to generate reports.
Q. Why should I upload the package.cab files to the ACS View database?
A. You can upload the package.cab files to the ACS View database if you want to use the data in the package.cab file, which you have downloaded from the ACS server earlier, to generate reports.
Q. I receive the message package.cab is corrupted, and the Data Collection job fails. Why is this?
A. You get this error message when another user is downloading package.cab from the same ACS server.
Q. Does ACS View collect data by using syslog if I delete the remote logging server from ACS?
A. If you delete the remote logging server in ACS or change it to be a standalone ACS server, ACS View collects data by using syslog from all the standalone ACS servers that are configured with that deleted remote logging server.
Q. Where can I check the syslog status for each log type for a particular ACS server?
A. You can find the syslog status for all logs by using the ACS View GUI:
a. Choose System Administration > ACS Servers > Server List.
b. In the Server List page, click the radio button corresponding to a particular ACS server.
c. Click Get Status.
The Server Connectivity page appears with the required information.
Q. Why are syslog messages dropped even when they are from registered ACS servers?
A. Syslog messages from registered ACS servers are dropped if the:
•Message violates the RFC definition.
•AAA-Server attribute is not available in the original message.
•AAA-Server attribute does not have a value.
Q. How can I start the syslog collector process?
A. To start syslog collector:
•Log in to the ACS View CLI by using your administrator credentials and enter process start collector.
•Click the Restart ACS View Server button in the System Administration > System Reports > Process Status page.
Q. Can I disable the data collection by using syslog?
A. Yes. You can disable the data collection using syslog by:
•Not configuring your ACS View server as a syslog server, in ACS
•Logging in to the ACS View CLI by using your administrator credentials and enter process stop collector.
Q. What happens if I disable the data collection by using syslog?
A. If you disable the data collection by using syslog, ACS View will only receive log data from ACS servers through the scheduled download of the package.cab files, which happens once daily. This results in generating delayed Alerts and, in some cases, not generating any Alerts.
Q. Can I restart the syslog collector process?
A. Yes, you can stop and start the syslog collector by using the process CLI commands.
Q. I am not able to start the syslog collector process. Why?
A. The syslog collector depends on the DBServer; so:
a. Choose System Administration > Server Management > Server Logs.
b. Choose System Administration > Server Management > Server Logs page, and review the monit_process.log to check whether the AppServer is running.
Q. Why does ACS View not receive any syslog data?
A. Check if:
•You have configured ACS to redirect syslog to ACS View.
•All the fields for which you provided values when registering ACS with ACS View are in sync with the ACS server.
•ACS View has a valid license.
Q. Why is syslog message rejected even from a registered ACS server?
A. Check if the:
•DBServer service provider is running when you register an ACS server, or edit the ACS server entry.
•Syslog message is a duplicate of a message sent from the ACS server configured with the registered remote logging ACS server.
Q. When is a syslog message that is received from an ACS server discarded?
A. A syslog message from an ACS server is discarded if the:
•ACS server is not registered with ACS View.
•AAA-Server attribute is not available in any of the logs.
Q. Why does an incorrect timestamp appear for log data in the database?
A. An incorrect timestamp occurs when the data provided for any or all of the following fields in ACS View conflicts with the settings that you have given in ACS:
•Time zone.
•Date format.
•Syslog time.
Q. Error appears when I add an ACS server. Why does this happen?
A. You get:
•An error has occurred. Invalid IP address, Incorrect User Credentials, Protocol Mismatch or IP Filter Configured.
Verify your user credentials, IP Address, and access mode.
•An error has occurred. Invalid IP Address.
Verify the IP address that you provided. The IP address must not contain any special characters.
•An error has occurred. Admin Password required.
Check if you have provided the administrator password.
•An error has occurred. Unable to add ACS Server. Server Name 'XXX' already exists.
Check if you have already added an ACS server to ACS View with the same server name. You cannot add an ACS server to ACS View with the same server name.
•An error has occurred. Unable to add ACS Server. IP Address 'XXX' already exists.
Check if you have already added an ACS server with the same IP address.
Q. The error message Configuration Master already exists appears when I add a Configuration Master. Why does this happen?
A. You cannot add an ACS server as the Configuration Master if a Configuration Master already exists. You can have only one ACS server as the Configuration Master.
Q. While adding an ACS server, the Remote Logging server and Log location radio buttons are disabled when I click the Appliance radio button. Why?
A. Remote logging applies only for software versions of ACS, not for the ACS Solution Engine.
Q. Why is syslog data not received even after registering that ACS server with ACS View?
A. You must add the ACS View server in ACS as the syslog server, and set syslog to use port number 514.
Q. When I delete the Configuration Master, are configuration details lost?
A. The older configuration exists; however, no new configuration updates are available.
Q. If I delete a user account in ACS, will the generated reports include data related to that user?
A. ACS configuration reports do not include that user. However, for the changes to take effect, the latest ACS configuration data need to be collected by using the daily synchronization.
Q. If I upload an older package.cab file, are existing or current ACS configuration information lost?
A. Yes, you lose the current ACS configuration information.
Q. Why does the on-demand upload fail in ACS View?
A. Check if you have configured the hostname of the ACS server correctly. Note that the hostname of the ACS server is not case-sensitive.
Q. Why are the configuration details not updated?
A. Check if:
•A Configuration Master exists. If not, add one and perform an on-demand download.
•You have uploaded an older package.cab file.
•The default schedule job is disabled. Refresh and download data on demand.
ACS Server Configuration
Q. When adding a new ACS server in ACS View, should the ACS server be operational?
A. Yes, you must ensure that the ACS server that you are adding in ACS View is up and running. This condition is important; because before adding an ACS server, ACS View validates the ACS server's admin user credentials by connecting to that server.
Q. When adding a ACS server, must the ACS server have a DNS entry?
A. Not necessarily, but the hostname of the ACS server must be identical to the value that you enter for the ACS server name. Any mismatch in the hostname leads to data loss.
Q. What happens if I delete an ACS server that was configured as the Configuration Master?
A. The older configuration exists; however, no new configuration updates are available.
Q. What happens if I delete an ACS server that is configured as the remote logging server?
A. The specific ACS server stops log collection. This function is enabled only in the standalone ACS servers that you configure as the remote logging server.
Q. How do I check the connectivity of an ACS server that I have added to ACS View?
A. Choose System Administration > ACS Servers Configuration > Server List. Click the radio button corresponding to the ACS server, and click Get Status.
Reports
Q. Why does scheduled generation of reports fail?
A. If the scheduled reports are failing, check if the:
•Job manager process is up and running.
•DBServer is up and running.
If these processes are down, bring the processes up by clicking Restart ACS Server in the System Administration > System Administration > Process Status page.
Q. Why does the next instance of the scheduled report job not run?
A. If the next instance of the scheduled report fails, check if you have:
•Disabled the report job on the System Administration > System Reports > Job Browser page. If so, click the radio button corresponding to the job, and click Enable.
•Deleted the user who created the report job.
Q. In some reports, the data that displays on the GUI does not match the corresponding drilldown report. How should I correct this?
A. Log in as an admin user. At the prompt, enter:
Using this command refreshes report data for Yesterday and the Last 7 days.
Note Database updates are expensive as it uses most of the system resources. Do not use this command except to resolve data-mismatch issues.
Q. What permissions does an Operator have to perform report-related tasks?
A. An Operator has permission for all report-related tasks, which include running and scheduling system and custom reports.
Q. What are public and private reports?
A. Public reports appear in the Reports Inbox of all users and is available for their viewing. Private reports, however, appear in the Reports Inbox of only the user who created the report.
Q. When I click Authentication Failure Code in Authentication Detail and Authentication Query reports, the "No Record available" message pops up. Why?
A. Though the Authentication Failure Code in ACS View lists most of the common failure codes, some of the failure codes that you choose might not be available in the AFC page. You can add more failure codes from System Administration > Data Management > Authentication Failure Code.
Q. What happens if I check the Show Recent Trends check box in the Query page for the various summary and details reports?
A. If you check the Show Recent Trends check box, ACS View shows the report chart for the last 30 days, 24 hours and 1 hour, for the specific query, with the main report chart.
Alerts
Q. Can I define a threshold condition on data from the previous week or month?
A. No, you cannot define threshold conditions on past data. ACS View monitors threshold conditions only on real-time data that it receives from ACS servers through syslog messages.
However, you can define threshold conditions for data defined over days on Passed Authentications, Failed Authentications, and Authentication Inactivity.
Q. How do I know the total number of alerts that occurred?
A. You can view the total number of Alerts in your Alert Inbox or by e-mail from the list of Thresholds on the My Workspace > Alerts > Thresholds page.
Q. Why are some Alerts reported only once a day?
A. Some Alerts are reported only once a day because Alerts that are defined over days are monitored only once a day. While evaluating the conditions, triggers do not take the current day into consideration. For example, if you want to raise an Alert on the number of Passed Authentications exceeding 1000 on an ACS server, you receive an Alert (if that condition is met) only the next day.
To monitor the same condition on the current day, you must define the threshold by using the Minutes or Hours options in the drop-down list on the My Workspace > Alerts > Thresholds page.
Q. Under what conditions are Alerts not generated?
A. Alerts are not generated:
•When the Collector process is down for a long time, ACS might drop some of the syslog messages that it receives from ACS servers. Because these messages are not available for processing by threshold conditions, a valid Alert is not generated.
•After every polling cycle, most Alert Types expect new data. Once a data set is processed, it is marked as not-to-be-used-again to prevent generation of duplicate or false Alerts. If you do not provide new data for an extended period with the triggers running, new Alerts are not generated until more incoming data is made available to ACS View. However, after ACS View regains the data flow, the evaluation does not ignore any data sets.
•When the threshold condition is not met. If you define a threshold condition to be too high or too low, the threshold condition is never met and, thus, an alert is not generated.
Q. Why are false alerts generated?
A. False alerts result from syslog messages from ACS servers that are lost. Syslog messages are UDP-based and are, thus, unreliable. As a result, some important messages that generate a valid Alert are lost.
For example, when you do not receive Passed Authentications message for a given length of time, you are considered Inactive. If the time reaches the threshold duration defined in the trigger, an Authentication Inactivity Alert is generated.
Q. Why does the drop-down list for the Alert On field (My Workspace > Alerts > Thresholds) fail to provide any options when I create a threshold?
A. The drop-down list for the Alert On field is empty if:
•The ACS View server database is not populated with the required data.
•The ACS View server receives no incoming syslog messages. In this case, check if you have:
–Configured the ACS View server as the syslog server in ACS.
–Registered the particular ACS server with ACS View.
You may have to manually download configuration data from ACS server as an on-demand Data Collection job, or upload the package.cab downloaded from the ACS server to ACS View.
Q. Why do Alerts not appear in the Alert Inbox for the expected triggers?
A. You are notified of alerts in your Alert Inbox only if your username is configured for notification when defining a threshold condition.
a. From the My Workspace > Alerts > Thresholds page, check the check box corresponding to the trigger, and click Edit.
b. Check if your username is configured in the Notify To field.
Q. When Alerts are generated, I do not receive notification by e-mail. Why?
A. If you do not receive Alerts by e-mail, check if:
•You configured the Mail Server field on the System Administration > Server Management > System Settings page.
•When defining a threshold on the My Workspace > Alerts > Thresholds page, you:
–Checked the E-mail check box in the Notify area.
–Configured your username for notification in the Notify To field.
If you have configured these fields, update the trigger by using Edit.
Q. Why do I not receive System Alerts?
A. Only users with Administrator privileges receive System Alerts.
•To check if you have Admin privileges, choose the System Administration > User Management > Users page.
•If you have privileges but do not receive System Alerts, choose the System Administration > Server Management > System Settings page, and check if your username is configured for notification in the Notify Users field.
Licensing
Q. Does ACS View perform a license check?
A. Yes, ACS View performs a license check when:
•An Evaluation license expires. Subsequently, it disables data collection from registered ACS servers.
•You upgrade to a Purchase license. In this case, if you have a license for only three ACS servers but have already added five ACS servers in Evaluation mode, data collection for two of the ACS servers is disabled.
Q. When purchasing a license, why must I specify the UDI?
A. ACS View supports a node-locked licensing mechanism, which requires that the licensing file contains the UDI that uniquely identifies the server by its hostname. This mechanism ensures that a license issued for a particular server is installed only on the intended server.
Q. How do I obtain the UDI information from the server?
A. Log in as an admin user, and enter this command from the CLI:
Admin Activities
Q. When does a password lockout occur?
A. A password lockout occurs if you set a value for the Number of Invalid Logins field on the System Administration > User Management > Password Policy page. Subsequently, if you try to log in to ACS View by using invalid credentials beyond the specified number of attempts, your password is locked.
Q. When I log in to ACS View, I get an Invalid Login error. Why?
A. An Invalid Login error appears if:
•You entered a password that is:
–Incorrect
–Expired
–Locked out
•Your user account is disabled.
Q. Does the system warn me if my user password is about to expire?
A. Yes, but only if you configure this information. choose System Administration > User Management > Password Policy, and enter a value for the Password Expiry Warning Days field.
Q. Can I delete GUI backup jobs?
A. Yes, choose the System Administration > System Reports > Job Browser page, check the check box corresponding to the backup job, and click Delete.
Q. How do I configure expiry of the password policy and warning days from the CLI?
A. Enter these commands in the configuration mode:
hostname/admin(config)# password-policy
hostname/admin(config-password-policy)# password-expiration-enabled
hostname/admin(config-password-policy)# password-expiration-days X
hostname/admin(config-password-policy)# password-expiration-warning X
–Where X identifies the number of days and warnings.
Q. Why do I need to use a backup staging URL?
A. You can use the backup staging URL to back up large amounts of data. To enable this feature, you must configure the backup staging URL from the command line in NFS mode. In the configuration mode, enter:
backup-staging-url nfs://ip_address:/dir_name
–ip_address—Specifies the IP address of the external NFS server.
–dir_name—Specifies the directory in which you want to save the database.
See Backing up Data Through a Staging URL, page 8-15.
Q. How do I remove the backup staging URL from the CLI?
A. Enter these commands in the configuration mode:
hostname/admin(config)# no backup-staging-url url
where url specifies the URL of the external NFS server.
hostname/admin(config)# do sh run
Q. How do I edit a user from the CLI?
A. Enter this command in the configuration mode:
hostname/admin(config)# username name password plain | hash password role role [email
email_ID]
–name—Specifies the username.
–password—Specifies the user password.
–role—Specifies the user role. The options are admin and operator.
–email_ID—Specifies the e-mail address of the user.
Q. What is the backup status when I do a scheduled backup from the GUI?
A. The Type, Repository Name, and Initiated By are updated with user-configured values. But Start Time, End Time, and Status is similar to the previous backup status. These are updated only when the current backup runs.
Q. How can I view backup history from the CLI?
A. Enter:
hostname/admin# sh backup history
Q. How do I reset the startup configuration as the running configuration?
A. To use the startup configuration as the running configuration, use the write memory command or the copy running-config startup-config command.
Q. Why do I need a repository?
A. You need a repository to store files related to backup and application installation.
Q. What is the command to debug the backup or restore and application commands?
A. Before executing the backup or restore and application commands, run this command:
debug backup-restore backup
backup bkpname repository reps
Q. How do I start or stop processes?
A. You can start or stop all processes or any individual process.
Table 10-4 Process Commands
Command
|
Description
|
process start process_name
|
Starts an individual process.
|
process start all
|
Starts all processes.
|
process stop process_name
|
Stops an individual process.
|
process stop all
|
Stops all processes.
|
process status
|
Gets the status of all processes.
|
The process_name mentioned in this table could be:
•DBServer
•Collector
•AppServer
•Alertmanager
•Jobmanager
|
Q. How do I configure the time zone?
a. Log in to ACS View CLI by using your administrator credentials and enter show timezones, to get a list of time zones.
b. Enter config to choose the configuration mode.
c. Enter:
clock timezone timezone_name
timezone_name—Identifies the name of the time zone.
Q. How do I check the database for corruption?
A. Enter this command:
Q. How do I install a patch?
A. Enter this command
patch install application-patch-name repository-name
•application-patch-name—Identifies the patch file of the application.
•repository-name—Specifies the path to the repository.
Q. What should I do when the backup fails?
A. Check the status of the:
•NFS, FTP, or TFTP server that you are using as the backup repository.
•Database server.
Q. What should I do when the remote backup fail?
A. If remote backup fails, check:
•The status of the Job Manager and Database processes.
•If the file server (FTP, SFTP, TFTP, or NFS) is down.
•If the Remote Repository username and password are wrong.
Q. I forgot my administrator password. How can I reset the my password?
A. Reset the administrator password in ACS View.
To change the administrator password:
a. Power up your appliance.
b. Insert the ACS View Recovery CD to the CD drive.
The appliance displays the Recovery CD message:
Welcome to Cisco Secure ACS View 4.0 Recovery - Cisco ADE 2120
To boot from hard disk press <Enter>
[1] Cisco Secure ACS View 4.0 Installation (Keyboard/Monitor)
[2] Cisco Secure ACS View 4.0 Installation (Serial Console)
[3] Reset Administrator Password (Keyboard/Monitor)
[4] Reset Administrator Password (Serial Console)
<Enter> Boot from hard disk
Please enter boot option and press <Enter>.
c. Enter 3 to reset administrator password through an attached keyboard and mouse. If you are using a serial console port, enter 4.
d. Enter the information as described in Table 10-5.
Table 10-5 Administrator Password Reset Parameters
Parameter
|
Description
|
Admin username
|
Enter the number of the administrator whose password that you want to reset.
|
Password
|
Enter the new password for the administrator.
|
Verify password
|
Enter the password again.
|
Save change & Reboot
|
Enter Y to save, otherwise N.
|
Following is the sample output of an operation to reset the administrator password:
Enter number of admin for password recovery:1
Save change&reeboot? [Y/N]:
Q. When does the application software fail?
A. Application software fails because of:
•Corruption
•Hardware components failure
Application software may fail because of corruption or failure of hardware components, either of which can lead to a catastrophic system crash. In this scenario, you must restore the application on the appliance. Based on the nature of the system failure (application software corruption or hardware component failure), you must re-image the appliance to the system-configuration state or the out-of-the-box state.
Q. What do I need to have to re-image the ACS View appliance?
To re-image your ACS View appliance, you need:
•ACS View Restore CD-ROM
•Peripherals: Serial console; or, a keyboard and monitor.
Q. How can I re-image the ACS View appliance?
To re-image your appliance:
1. Power up your appliance.
2. Insert the ACS View Recovery CD in the CD drive.
The appliance displays the Recovery CD message:
Welcome to Cisco Secure ACS View 4.0 Recovery - Cisco ADE 2120
To boot from hard disk press <Enter>
[1] Cisco Secure ACS View 4.0 Installation (Keyboard/Monitor)
[2] Cisco Secure ACS View 4.0 Installation (Serial Console)
[3] Reset Administrator Password (Keyboard/Monitor)
[4] Reset Administrator Password (Serial Console)
<Enter> Boot from hard disk
Please enter boot option and press <Enter>.
3. Enter the bootup option. You use:
•[1] to install the application through keyboard and monitor.
•[2] to install the application through an attached serial console.
•[3] to reset the administrator password through an attached keyboard and mouse.
•[4] to reset the administrator password through an attached serial console.
4. Press Enter.
