Cisco ACS 5.7 User Guide
Troubleshooting ACS with the Monitoring and Report Viewer
Working with Expert Troubleshooter

Comparing Device SGT with ACS-Assigned Device SGT

For Security Group Access-enabled devices, ACS assigns each network device an SGT value through RADIUS authentication. The Device SGT diagnostic tool connects to the network device whose IP address you provide and does the following:

1. Obtains the network device's SGT value.
2. Checks the RADIUS authentication records to determine the SGT value that ACS most recently assigned to it.
3. Displays the Device-SGT pairs in a tabular format and identifies whether the SGT values are the same or different.

Use this diagnostic tool to compare the device SGT with the ACS-assigned device SGT. To do this:

1. Choose Monitoring and Reports > Troubleshooting > Expert Troubleshooter. The Expert Troubleshooter page appears.
2. Click Device SGT from the list of troubleshooting tools. The Expert Troubleshooter page is refreshed and lists the fields described in Table 11 on page 15.
3. Click Run. The Progress Details page appears with a summary.
4. Click Show Results Summary to view the results of the device SGT comparison. The Results Summary page appears with the diagnosis, resolution, and troubleshooting summary.

Table 11 Device SGT

Option: Description

Enter Information
Network Device IPs (comma-separated list): Enter the network device IPv4 or IPv6 addresses (of the devices whose SGT you want to compare with the ACS-assigned SGT), separated by commas.

Common Connection Parameters
Use Common Connection Parameters: Check this check box to use the following common connection parameters for the comparison:
  Username—Enter the username of the network device.
  Password—Enter the password.
  Protocol—Choose the protocol from the Protocol drop-down list box. Valid options are:
    —Telnet
    —SSHv2
  Telnet is the default option. If you choose SSHv2, you must ensure that SSH connections are enabled on the network device.
  Port—Enter the port number. The default port number for Telnet is 23 and for SSH is 22.
Enable Password: Enter the enable password if it is different from your login password.
Same as login password: Check this check box if your enable password is the same as your login password.

Related Topics
Available Diagnostic and Troubleshooting Tools, page 1
Connectivity Tests, page 1
ACS Support Bundle, page 1
Expert Troubleshooter, page 2
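The comparison that the Device SGT tool performs, as an added example that is not part of the guide and not Cisco's code: the device-reported SGT values and the RADIUS authentication records are constructed and supplied inline, and the record shape (device_ip, assigned_sgt, when) is an assumption rather than the ACS schema. The example also validates the comma-separated Network Device IPs field the way the tool's input form would need to, accepting both IPv4 and IPv6 addresses, and handles the two failure modes a practitioner meets: a device whose SGT could not be read, and a device that ACS has no authentication record for.

```python
"""Added example, not ACS code: the Device SGT comparison over constructed data.
How ACS reads the SGT from the device and from its own database is not modelled."""

import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


def parse_device_ips(text: str) -> List[str]:
    """Split the comma-separated Network Device IPs field and validate each
    entry as an IPv4 or IPv6 address (ValueError on anything else)."""
    ips = []
    for part in text.split(","):
        part = part.strip()
        if part:
            ips.append(str(ipaddress.ip_address(part)))
    return ips


@dataclass(frozen=True)
class AuthRecord:
    """One RADIUS authentication record (constructed shape, not the ACS schema)."""
    device_ip: str
    assigned_sgt: int
    when: datetime


def latest_assigned_sgt(records: List[AuthRecord], device_ip: str) -> Optional[int]:
    """SGT from the most recent authentication record for the device, or None."""
    mine = [r for r in records if r.device_ip == device_ip]
    if not mine:
        return None
    return max(mine, key=lambda r: r.when).assigned_sgt


def compare_device_sgts(device_sgts: Dict[str, Optional[int]],
                        records: List[AuthRecord]) -> List[dict]:
    """Build the Device-SGT table: one row per device with both values and a status.
    A None device value stands for a device whose SGT could not be read."""
    rows = []
    for ip, reported in device_sgts.items():
        assigned = latest_assigned_sgt(records, ip)
        if reported is None:
            status = "Device SGT unavailable"
        elif assigned is None:
            status = "No ACS authentication record"
        elif reported == assigned:
            status = "Same"
        else:
            status = "Different"
        rows.append({"device": ip, "device_sgt": reported,
                     "acs_sgt": assigned, "status": status})
    return rows


# Constructed sample: what each device reported, and what ACS logged for it.
SAMPLE_DEVICE_SGTS = {"10.1.1.1": 5, "10.1.1.2": 7, "10.1.1.3": None, "2001:db8::1": 9}
SAMPLE_RECORDS = [
    AuthRecord("10.1.1.1", 3, datetime(2009, 6, 17, 8, 0, 0)),   # superseded
    AuthRecord("10.1.1.1", 5, datetime(2009, 6, 18, 0, 34, 0)),  # most recent
    AuthRecord("10.1.1.2", 6, datetime(2009, 6, 18, 0, 35, 0)),
    AuthRecord("10.1.1.3", 8, datetime(2009, 6, 18, 0, 36, 0)),
]


def sample_report() -> Dict[str, str]:
    """Device address to status for the constructed sample."""
    return {row["device"]: row["status"]
            for row in compare_device_sgts(SAMPLE_DEVICE_SGTS, SAMPLE_RECORDS)}


if __name__ == "__main__":
    for row in compare_device_sgts(SAMPLE_DEVICE_SGTS, SAMPLE_RECORDS):
        print("%-14s device=%-4s acs=%-4s %s" % (row["device"], row["device_sgt"],
                                                  row["acs_sgt"], row["status"]))
```

A "Different" row means the device is enforcing a tag other than the one ACS last assigned, which is the condition the tool exists to surface; a "No ACS authentication record" row usually means the device authenticated against a different ACS instance or has not authenticated since the records were purged. The tool defaults to Telnet; where the device supports it, choose SSHv2, since Telnet carries the device username, password and enable password in cleartext.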
Cisco Systems, Inc. www.cisco.com

Managing System Operations and Configuration in the Monitoring and Report Viewer

This chapter describes the tasks that you must perform to configure and administer the Monitoring and Report Viewer. The Monitoring Configuration drawer allows you to:

Manage data—The Monitoring and Report Viewer handles large volumes of data from ACS servers. Over a period of time, the performance and efficiency of the Monitoring and Report Viewer depend on how well you manage the data. To do so efficiently, you must back up the data and transfer it to a remote repository on a periodic basis. You can automate this task by scheduling jobs to run periodically. See Configuring Data Purging and Incremental Backup, page 3 for more information on data backup.

View log collections—The Monitoring and Report Viewer collects log and configuration data from ACS servers in your deployment, stores the data in the Monitoring and Report Viewer server, and processes it to generate reports and alarms. You can view the details of the logs collected from any of the servers in your deployment. See Viewing Log Collections, page 7 for more information.

Recover log messages—The Monitoring and Report Viewer recovers the logging entries that are missed during log collection. Log messages are missed when the Monitoring and Report Viewer server is down or the connectivity between the Monitoring and Report Viewer and the ACS server is broken. When connectivity is regained, the Monitoring and Report Viewer discovers the entries that were missed and notifies the ACS server. When the ACS server receives this notification, it resends the entries to the Monitoring and Report Viewer. See Recovering Log Messages, page 10 for more information.

View scheduled jobs—The Monitoring and Report Viewer allows you to schedule tasks that you must perform periodically. For example, you can schedule an incremental or full backup to be run at regular intervals. You can use the Scheduler to view the details of these tasks. See Viewing Scheduled Jobs, page 11 for more information on the Scheduler.

View process status—You can view the status of the various processes that run in the Monitoring and Report Viewer. See Viewing Process Status, page 12 for more information on the various processes that run in the Monitoring and Report Viewer.

View data upgrade status—After you upgrade from ACS 5.5 or 5.6 to ACS 5.7 through the CLI, you must ensure that the Monitoring and Report Viewer data upgrade is complete. You can view the Monitoring and Report Viewer data upgrade status through the web interface and switch the Monitoring and Report Viewer database if the upgrade is complete. See Viewing Data Upgrade Status, page 13 for more information.

Configure and edit failure reasons—The Monitoring and Report Viewer allows you to configure the description of each failure reason code and provide instructions to resolve the problem. See Viewing Failure Reasons, page 13 for more information on how to edit the failure reason description and the instructions for resolution.

Configure e-mail settings—You can configure the e-mail server and administrator e-mail address. See Specifying E Mail Settings, page 14 for more information.

Configure collection filters—The Monitoring and Report Viewer provides the option to filter out data that is not used for monitoring or troubleshooting purposes. Filtered data is not stored in the database and hence saves much needed disk space. See Understanding Collection Filters, page 17 for more information on how to configure collection filters.

Configure system alarms—System alarms notify you of critical conditions encountered during the execution of the ACS Monitoring and Report Viewer. You can configure if and how you would like to receive notification of system alarms. See Configuring System Alarm Settings, page 19 for more information.

Configure Syslog targets—If you have configured the Monitoring and Report Viewer to send system alarm notifications as Syslog messages, then you must configure a Syslog target to receive the notification. See Configuring Alarm Syslog Targets, page 19 for more information.

Export Monitoring and Report Viewer data—You can configure a remote database, which can be either an Oracle SID or Microsoft SQL Server, to which you can export the Monitoring and Report Viewer data. You can create and run custom reporting applications using the data in your remote database. See Configuring Remote Database Settings, page 19 for more information on how to configure a remote database with the Monitoring and Report Viewer.

ACS provides the option to schedule jobs in the Monitoring and Report Viewer. By scheduling jobs, you can automate the monitoring tasks to be run at specified intervals. You can view the status of the scheduled jobs, control events, and intervene whenever necessary. You can schedule the following jobs:

Data purge
Backup
Event notification (system and threshold alarms)
Export of Monitoring and Report Viewer data to a remote database

This chapter contains the following sections:

Configuring Data Purging and Incremental Backup, page 3
Restoring Data from a Backup, page 7
Viewing Log Collections, page 7
Recovering Log Messages, page 10
Viewing Scheduled Jobs, page 11
Viewing Process Status, page 12
Viewing Data Upgrade Status, page 13
Viewing Failure Reasons, page 13
Editing Failure Reasons, page 13
Specifying E Mail Settings, page 14
Configuring SNMP Preferences, page 17
Understanding Collection Filters, page 17
Configuring System Alarm Settings, page 19
Configuring Alarm Syslog Targets, page 19
Configuring Remote Database Settings, page 19
Configuring Data Purging and Incremental Backup

The Monitoring and Report Viewer database handles large volumes of data. When the database size becomes too large, it slows down all the processes. You do not need all the data all the time. Therefore, to efficiently manage data and to make good use of the disk space, you must back up your data regularly and purge unwanted data that uses up necessary disk space. Purging data deletes it from the database.

Since the Monitoring and Report Viewer database is large, the backup process takes a long time to complete. The incremental backup option enables you to take a complete backup of your Monitoring and Report Viewer database once and then to back up data incrementally (that is, only the updates are backed up and stored separately) from the next time onwards. An incremental backup performs a full database backup the first time it is run, and subsequently backs up only the updates that are made to the database. Incremental backups are therefore much faster and make efficient use of disk space. You can also configure the frequency and time of incremental backups.

With incremental backups, multiple backup files are stored in the repository. However, when you restore data from an incremental backup, ACS restores data from all the backup files, starting from the full backup and continuing until the latest incremental backup.

Note: If you disable incremental backup for some reason, ensure that you run a full backup before you continue with incremental backups again.

You can also configure a full database backup and define its frequency and time. ACS also allows you to run an immediate backup of the full Monitoring and Report Viewer database. However, you cannot run an incremental backup, a full backup, and a data purge concurrently. If any of these jobs is running, you must wait for a period of 90 minutes before you can begin the next job.

Note: We recommend that you take a full backup the first time and then incrementally back up your data instead of running full backups every time.

Note: It is highly recommended that you schedule an incremental backup daily and a full backup monthly or weekly. Otherwise the database purge process fails to purge data, which in turn leads to disk space issues. The monthly scheduled backups occur on the last day of the month and the weekly scheduled backups occur on the last day of the week.

Note: To ensure that your data is backed up before the purge, configure a data repository via the CLI or the ACS web interface (System Administration > Operations > Software Repositories). Refer to the CLI Reference Guide for Cisco Secure Access Control System 5.7 for more information on configuring a repository.

If you enable incremental backup, data is purged daily at 4:00 a.m. in the local time zone of the ACS instance that runs the View process.

In ACS 5.7, the view database is allocated based on the opt partition size. The ACS View database is 42 percent of the opt partition size. The following database limitations apply for purging:

If the database disk usage is greater than 60 percent of the allocated view database size, an alarm is sent to the dashboard.
If the database disk usage is greater than 80 percent of the allocated view database size, a backup is run immediately, followed by a purge until the database disk usage is below 60 percent of the allocated view database size.
If the backup fails, check the database disk usage again.
The Monitoring and Report Viewer data is purged from the database. The oldest data is purged first.
  —If the database disk usage is greater than 60 percent of the allocated view database size, a backup is run immediately, followed by a purge until the database disk usage is below 60 percent of the allocated view database size.
  —If the backup fails and the database disk usage is greater than 60 percent of the allocated view database size, the Monitoring and Report Viewer waits.

For example:

• If you specify that you want to preserve one month of data, and the database size is greater than 100 percent of the allocated view database size within a month, the purge deletes data on a weekly basis until the database size reaches 80 percent of the allocated view database size.
• If you specify that you want to preserve more than one month (for example, 5 months of data) but the database size is over 80 percent of the allocated view database size, a purge occurs. If the database size remains over 80 percent of the allocated view database size after the purge, an additional month of data is purged, which results in 4 months of data preserved. Before the purge, the database is backed up.
• If the database size is over 100 percent of the allocated view database size, a purge occurs regardless of whether or not a database backup has occurred. If the database size remains over 80 percent of the allocated view database size, additional purges occur until the database is at 80 percent of the allocated view database size.

Note: If incremental backup is configured as On with no repository configured, the database backup fails and the incremental backup mode is changed to Off.

Note: When incremental backup is disabled, data is purged at the end of every month (local time).

You can use the Data Purging and Incremental Backup page to:

Configure the purge window size
Purge data from the database
Assign a data repository backup location to manage the backup (of the purge job)
Configure incremental and full backup schedules
Configure an immediate backup

The ACS database needs to be compressed as part of maintenance operations. You can run the acsview-db-compress command from acs-config mode to reduce the physical size of the view database when there is a difference between the physical size and the actual size of the view database. ACS 5.7 stops only the log collector services during the compress operation, and they are up and running again after the compress operation is completed. You need to enable the log recovery feature to recover the log messages that are received during the database compress operation.

In ACS 5.7, the database compress operation is automated. You can check the Enable ACS View Database Compress check box to compress the ACS View database automatically every day at 5 A.M. The database compress operation runs automatically every day at 5 A.M. whenever there is a need.

Note: You need to enable the log recovery option to recover the log messages that may be received during the database compress operation. If the log recovery feature is not enabled, ACS sends an alert message asking you to enable the log recovery feature.

The following database limitations apply for ACS database compress:

An automatic database compress operation is started the following day at 5 A.M. as soon as the database size is greater than 80 percent of the allocated view database size.
ACS displays an alert message when the difference between the physical and actual size of the view database is greater than 7 percent of the allocated view database size and less than 36 percent of the allocated view database size. Also, an automatic database compress operation is triggered when the size of the database exceeds 80 percent of the allocated view database size, to avoid disk space issues.
ACS displays an alert message when the difference between the physical and actual size of the view database is greater than 36 percent of the allocated view database size.
  —If the log recovery feature is not enabled and the ACS view database compress option is enabled, an automatic database compress operation is triggered only after you enable the log recovery feature, when the size of the database exceeds 80 percent of the allocated view database size, to avoid disk space issues.
  —If the log recovery feature and the ACS view database compress option are both enabled, an automatic database compress operation is started to avoid disk space issues. The log collector services are shut down during this operation and are up and running again after the compress operation is completed. Since you already have the log recovery feature enabled, any log messages that are received during the database compress operation are recovered after the log collector services are up and running.
  —If neither the log recovery feature nor the ACS view database compress option is enabled, ACS does not trigger any database compress operation. But if the size of the database exceeds 80 percent of the allocated view database size, an automatic database compress operation is triggered only after you enable the log recovery feature, to avoid disk space issues.
  —If the log recovery feature is enabled and the ACS view database compress option is not enabled, an automatic database compress operation is started when the size of the database exceeds the 80 percent limit of the allocated view database size, to avoid disk space issues. The log collector services are shut down during this operation and are up and running again after the compress operation is completed. Since you already have the log recovery feature enabled, any log messages that are received during the database compress operation are recovered after the log collector services are up and running.

Note: It is recommended that you perform the database compress during maintenance hours.
The DB compress may take a long time, depending on the database size. The database compress should be done after the purge operation has completed.

From the Monitoring and Report Viewer, select Monitoring Configuration > System Operations > Data Management > Removal and Backup.

Table 1 Data Purging and Incremental Backup Page

Option: Description

Data Purging
Data Repository: Use the drop-down list box to select the data repository backup location to be used during data purging. See the CLI Reference for ACS 5.7 to add a data repository.
Maximum Stored Data Period: num months. Use the drop-down list box to indicate the number of months, where num is the number of months of data you want to retain in the Monitoring and Report Viewer database.
Enable ACS View Database Compress: Check the Enable ACS View Database Compress check box to compress the ACS View database automatically every day at 5 A.M.

On-Demand Data Purge
Purge Now: Click Purge Now to purge the data. This purge overrides the purge limits that are already set.
Note: It is recommended that you make a full backup before doing an on-demand purge.

View Full Database Backup Now
Data Repository: Use the drop-down list box to select the data repository backup location to store the full database backup.
Backup Now: Click Backup Now to start a full Monitoring and Report Viewer database backup.

Incremental Backup
On: Click the On radio button to enable incremental backup. If incremental backup is enabled, the delta is backed up.
Off: Click the Off radio button to disable incremental backup.

Configure Incremental View Database Backup
Data Repository: Use the drop-down list box to select a data repository for the backup files.
Schedule: Use the drop-down list boxes to select the time of day when you want the incremental backup to run.
Frequency: Use the drop-down list box to choose the frequency at which you want the incremental backup to run. Valid options are:
  Daily
  Weekly—Typically occurs at the end of every week.
  Monthly—Typically occurs at the end of every month.

Configure Full View Database Backup
Data Repository: Use the drop-down list box to select a data repository to store the backup files.
Schedule: Use the drop-down list boxes to select the time of day when you want the full View database backup to run.
Frequency: Use the drop-down list box to choose the frequency at which you want the full View database backup to run. Valid options are:
  Daily
  Weekly—Typically occurs at the end of every week.
  Monthly—Typically occurs at the end of every month.

Configuring NFS Staging

If the utilization of /opt exceeds 30 percent, you are required to use NFS staging with a remote repository to take successful view database backups and generate support bundles. NFS staging uses a Network File System (NFS) share as a staging area for additional disk space during a backup or support bundle request, because these operations are disk space intensive. You can enable NFS staging through the ACS CLI using the backup-staging-url command. You must give full permission to the NFS directory when you configure the NFS location using the backup-staging-url command in ACS 5.7 to perform a successful On Demand Backup. For more information on the backup-staging-url command, see the CLI Reference Guide for Cisco Secure Access Control System 5.7.

Note: This section is not applicable to the ACS backup operation, as it does not suffer from the same disk space limitations as the View backup and support bundle generation.

Note: You cannot back up any data when the staging server is down. When the staging server is down, you cannot perform backup and restore operations using any of the configured repositories, as they all use the same staging server to create the backup file. You have to bring the staging server up or delete the backup staging URL so that the repositories work properly. The backup.tar.gpg file is created under /opt during the backup operation when the NFS staging URL is not configured. So, before deleting the backup staging URL, make sure that you have enough space in the /opt location. The backup operation fails if ACS does not have enough space in /opt.

Related Topic
Restoring Data from a Backup, page 7
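The purge thresholds (alarm above 60 percent, backup then purge above 80 percent, purge regardless of backup above 100 percent, oldest data first) and the compress rules (alert when the physical size runs ahead of the actual size, compress above 80 percent only once log recovery is enabled) from the section above, as an added example that is not part of the guide and not Cisco's code. It models the View database as whole months of data, with the allocation fixed at 42 percent of /opt as the guide states; the partition size, per-month sizes and backup outcome are constructed, and "purge a month" as the purge unit is an assumption. The guide gives two alert bands for physical-versus-actual slack (7 to 36 percent, and above 36 percent); since both raise an alert, one threshold is used here.

```python
"""Added example, not ACS code: a model of the View database disk-usage rules."""

from dataclasses import dataclass, field
from typing import Callable, List

VIEW_DB_SHARE = 0.42    # the View database is 42 percent of the /opt partition
ALARM_PCT = 60          # dashboard alarm above this usage
BACKUP_PURGE_PCT = 80   # backup, then purge, above this usage; compress trigger too
FORCE_PURGE_PCT = 100   # purge even if the backup failed
PURGE_TARGET_PCT = 60   # purge until usage is below this
COMPRESS_ALERT_PCT = 7  # physical-minus-actual slack that raises an alert


@dataclass
class ViewDb:
    opt_partition_gb: float
    months_gb: List[float] = field(default_factory=list)  # actual data, oldest month first
    slack_gb: float = 0.0             # physical size above actual size; compress reclaims it
    log_recovery_enabled: bool = False

    @property
    def allocated_gb(self) -> float:
        return self.opt_partition_gb * VIEW_DB_SHARE

    def pct(self, size_gb: float) -> float:
        """Size as a percentage of the allocated view database size."""
        return 100.0 * size_gb / self.allocated_gb

    @property
    def usage_pct(self) -> float:
        return self.pct(sum(self.months_gb) + self.slack_gb)


def purge_oldest_until(db: ViewDb, target_pct: float) -> int:
    """Drop whole months, oldest first, until usage is below target_pct.
    Assumption: the newest month is always kept, whatever the usage."""
    purged = 0
    while db.usage_pct >= target_pct and len(db.months_gb) > 1:
        db.months_gb.pop(0)
        purged += 1
    return purged


def run_purge_rules(db: ViewDb, backup: Callable[[ViewDb], bool]) -> List[str]:
    """Apply the purge thresholds once; returns the actions taken, in order.
    `backup` simulates the repository backup and reports whether it succeeded."""
    actions: List[str] = []
    usage = db.usage_pct
    if usage > ALARM_PCT:
        actions.append("alarm")
    if usage <= BACKUP_PURGE_PCT:
        return actions                      # alarm only, nothing is deleted
    if backup(db):
        actions.append("backup")
        actions.append("purged %d month(s)" % purge_oldest_until(db, PURGE_TARGET_PCT))
    elif usage > FORCE_PURGE_PCT:
        actions.append("backup failed, over 100 percent")
        actions.append("purged %d month(s)" % purge_oldest_until(db, PURGE_TARGET_PCT))
    else:
        actions.append("backup failed, waiting")   # no purge without a backup
    return actions


def run_compress_rules(db: ViewDb) -> List[str]:
    """Apply the compress rules once. The collectors stop during a compress, so the
    automatic compress is gated on log recovery being enabled."""
    actions: List[str] = []
    if db.pct(db.slack_gb) > COMPRESS_ALERT_PCT:
        actions.append("alert: physical size exceeds actual size")
    if db.usage_pct > BACKUP_PURGE_PCT:
        if db.log_recovery_enabled:
            db.slack_gb = 0.0
            actions.append("compress scheduled for 5 A.M.")
        else:
            actions.append("alert: enable log recovery before compress can run")
    return actions


if __name__ == "__main__":
    # Constructed: 100 GB /opt, so 42 GB allocated; 38 GB of data is 90 percent.
    db = ViewDb(100, [10, 10, 10, 8])
    print(run_purge_rules(db, lambda _: True), db.months_gb)
```

The two functions are deliberately one-shot: run them from a scheduler loop and feed the returned action list to whatever raises your dashboard alarm, because a "backup failed, waiting" result that repeats day after day is the condition that ends in the 100 percent forced purge the guide warns about.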
Restoring Data from a Backup

Use this page to restore data from the View database that was backed up earlier. You can restore data from an incremental or full backup. If you choose to restore incremental backup data, ACS restores the full View data backup and then the rest of the incremental backups one at a time in the correct sequence.

Note: You must restore the incremental and full view backups taken in a repository before taking a backup in the next repository.

To restore data from a backup:

1. Choose Monitoring Configuration > System Operations > Data Management > Restore. The Incremental Backup Restore page appears, displaying the Available Backups to Restore table. Table 2 on page 7 describes the columns in the table.
2. Choose the backup file that you want to restore.
   Note: If you choose an incremental backup file to restore, ACS restores all previously associated incremental and full backups. This restore process restores only the Monitoring and Report Viewer data.
3. Click Restore to restore the backup file.

Table 2 Incremental Backup Restore Page

Column: Description

Skip View Database backup before Restore: Check this check box to skip the Monitoring and Report Viewer database backup before restoring data from a backup. This option, when checked, hastens the restore process. We recommend that you leave this check box unchecked, because your current data might be lost if a failure occurs during the restore process.
Name: Name of the backup file. The backup filename includes the time stamp; for example, ACSViewBackup-20090618_003400. For an incremental backup, click the Expand icon to view the associated full and incremental backups.
Date: Date on which the backup was run.
Repository: Name of the repository that contains the backup file.
Type: The type of backup, Incremental or Full.

Related Topic
Configuring Data Purging and Incremental Backup, page 3

Viewing Log Collections

Use this page to view the recently collected logs from ACS servers. From the Monitoring and Report Viewer, select Monitoring Configuration > System Operations > Log Collection.

Note: You can use the refresh symbol to refresh the contents of the page.

Related Topic
Log Collection Details Page, page 9

Table 3 Log Collection Page

Option: Description

ACS Server: Name of the ACS server. Click to open the Log Collection Details page and view recently collected logs.
Last Syslog Message: Display only. Indicates the arrival time of the most recent syslog message, in the format Ddd Mmm dd hh:mm:ss timezone yyyy, where:
  Ddd = Sun, Mon, Tue, Wed, Thu, Fri, Sat.
  Mmm = Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, Dec.
  dd = A two-digit numeric representation of the day of the month, from 01 to 31.
  hh = A two-digit numeric representation of the hour of the day, from 00 to 23.
  mm = A two-digit numeric representation of the minute of the hour, from 00 to 59.
  ss = A two-digit numeric representation of the second of the minute, from 00 to 59.
  timezone = The time zone. In a distributed environment, the time zone displayed for all secondary servers corresponds to the time zone of the server in which the view is active. If your primary instance has a time zone of PDT and the secondary instance is in UTC, the secondary instance displays the time zone and timestamp of syslog messages with PDT, which corresponds to the time zone of the primary instance.
  yyyy = A four-digit representation of the year.
Last Error: Display only. Indicates the name of the most recent error message.
Last Error Time: Display only. Indicates the arrival time of the most recent error message, in the same Ddd Mmm dd hh:mm:ss timezone yyyy format as Last Syslog Message, with the same time zone behaviour in a distributed environment.
Get Details: Click to view recently collected logs for a selected ACS server.
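The restore sequence described in Restoring Data from a Backup above (the full backup first, then every associated incremental in order, never crossing repositories), as an added example that is not part of the guide and not Cisco's code. It reads the time stamp out of backup names of the ACSViewBackup-20090618_003400 form shown in Table 2; the backup list, the repository names and the rule that an incremental is chained to the most recent full backup of the same repository taken before it are constructed assumptions for the example.

```python
"""Added example, not ACS code: compute the restore chain for a chosen View backup."""

import re
from dataclasses import dataclass
from datetime import datetime
from typing import List

# ACSViewBackup-YYYYMMDD_hhmmss, the naming shown in the restore table
NAME_RE = re.compile(r"^ACSViewBackup-(\d{8})_(\d{6})$")


@dataclass(frozen=True)
class Backup:
    """One row of the Available Backups to Restore table (constructed shape)."""
    name: str
    kind: str          # "Full" or "Incremental", as in the Type column
    repository: str

    @property
    def taken_at(self) -> datetime:
        m = NAME_RE.match(self.name)
        if not m:
            raise ValueError("unexpected backup name: %s" % self.name)
        return datetime.strptime(m.group(1) + m.group(2), "%Y%m%d%H%M%S")


def restore_chain(available: List[Backup], chosen: Backup) -> List[Backup]:
    """Backups to apply, in order. A full backup stands alone; an incremental needs
    the latest full backup of the same repository taken no later than it, followed
    by every incremental between the two, oldest first. Assumption: repositories
    are never mixed, matching the note that each repository's chain is restored
    on its own."""
    if chosen.kind == "Full":
        return [chosen]
    same_repo = [b for b in available
                 if b.repository == chosen.repository and b.taken_at <= chosen.taken_at]
    fulls = [b for b in same_repo if b.kind == "Full"]
    if not fulls:
        raise ValueError("no full backup precedes %s in %s" % (chosen.name, chosen.repository))
    base = max(fulls, key=lambda b: b.taken_at)
    incrementals = sorted(
        (b for b in same_repo if b.kind == "Incremental" and b.taken_at > base.taken_at),
        key=lambda b: b.taken_at)
    return [base] + incrementals


# Constructed sample table: two full backups with incrementals in repo-a, and a
# stray incremental in repo-b that has no full backup to chain to.
SAMPLE_BACKUPS = [
    Backup("ACSViewBackup-20090601_010000", "Full", "repo-a"),
    Backup("ACSViewBackup-20090602_010000", "Incremental", "repo-a"),
    Backup("ACSViewBackup-20090603_010000", "Incremental", "repo-a"),
    Backup("ACSViewBackup-20090610_010000", "Full", "repo-a"),
    Backup("ACSViewBackup-20090611_010000", "Incremental", "repo-a"),
    Backup("ACSViewBackup-20090618_003400", "Incremental", "repo-a"),
    Backup("ACSViewBackup-20090612_010000", "Incremental", "repo-b"),
]


def chain_names(backup_name: str) -> List[str]:
    """Names to restore, in order, for the sample backup with the given name."""
    chosen = next(b for b in SAMPLE_BACKUPS if b.name == backup_name)
    return [b.name for b in restore_chain(SAMPLE_BACKUPS, chosen)]


def has_restorable_chain(backup_name: str) -> bool:
    """False when the sample backup cannot be chained back to a full backup."""
    try:
        chain_names(backup_name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name in chain_names("ACSViewBackup-20090618_003400"):
        print(name)
```

The has_restorable_chain check is the one to run before pruning a repository: deleting the full backup that an incremental depends on leaves that incremental, and every one after it, unrestorable even though the files are still listed.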
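The Last Syslog Message and Last Error Time format from Table 3 above, parsed and normalised to UTC, as an added example that is not part of the guide and not Cisco's code. Normalising matters because of the behaviour the table describes: a secondary instance shows its times in the zone of the instance where the view is active, so the zone abbreviation on the line, not the secondary's own clock, is what the time must be converted with. The abbreviation-to-offset table is a constructed assumption for one deployment (zone abbreviations are not globally unique, so the table should be kept per deployment), and the weekday check is added here as a sanity check on the line.

```python
"""Added example, not ACS code: parse the Ddd Mmm dd hh:mm:ss timezone yyyy
timestamps shown on the Log Collection page and convert them to UTC."""

import re
from datetime import datetime, timedelta, timezone
from typing import Dict

# Constructed mapping for this example; extend it with the zones your instances use.
ZONE_OFFSETS: Dict[str, timedelta] = {
    "UTC": timedelta(0),
    "PDT": timedelta(hours=-7),
    "PST": timedelta(hours=-8),
    "EDT": timedelta(hours=-4),
    "EST": timedelta(hours=-5),
}

# Ddd Mmm dd hh:mm:ss timezone yyyy; all twelve month abbreviations are accepted.
TS_RE = re.compile(
    r"^(Sun|Mon|Tue|Wed|Thu|Fri|Sat) "
    r"(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) "
    r"(\d{2}) (\d{2}):(\d{2}):(\d{2}) ([A-Z]{3,4}) (\d{4})$")


def parse_view_timestamp(text: str) -> datetime:
    """Return an aware datetime in the zone named on the line (ValueError if malformed)."""
    m = TS_RE.match(text)
    if not m:
        raise ValueError("not in Ddd Mmm dd hh:mm:ss timezone yyyy form: %r" % text)
    ddd, mmm, dd, hh, mi, ss, zone, yyyy = m.groups()
    if zone not in ZONE_OFFSETS:
        raise ValueError("unknown zone abbreviation %s; add it to ZONE_OFFSETS" % zone)
    naive = datetime.strptime("%s %s %s %s:%s:%s" % (yyyy, mmm, dd, hh, mi, ss),
                              "%Y %b %d %H:%M:%S")
    # The weekday is redundant with the date; a mismatch means a damaged line.
    if naive.strftime("%a") != ddd:
        raise ValueError("weekday %s does not match %s" % (ddd, naive.date()))
    return naive.replace(tzinfo=timezone(ZONE_OFFSETS[zone]))


def to_utc(text: str) -> datetime:
    """The same instant in UTC, so that lines from several instances can be compared."""
    return parse_view_timestamp(text).astimezone(timezone.utc)


def is_valid_view_timestamp(text: str) -> bool:
    try:
        parse_view_timestamp(text)
        return True
    except ValueError:
        return False


def seconds_since_last_message(last_message: str, now_utc: datetime) -> float:
    """Age of the most recent syslog message; a growing value means the collector
    has stopped receiving from that ACS server."""
    return (now_utc - to_utc(last_message)).total_seconds()


if __name__ == "__main__":
    # Constructed line in the table's format (PDT, as a secondary would show for a PDT primary)
    line = "Thu Jun 18 00:34:00 PDT 2009"
    print(to_utc(line).isoformat())
```

Feed the Last Syslog Message column of every server through seconds_since_last_message against the same UTC "now" and alert on the largest value; comparing the raw strings, or converting them with each secondary's local zone, under-reports the gap by the zone offset.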