
Monitoring Cisco ACS Appliance

We've just put in a couple of ACS Appliances and have managed to get SNMP monitoring working, but I can't find any settings that will make the ACS respond to pings from Orion. So we get disk stats etc, but the appliance is always showing as down?

Anyone done this or could give me some pointers?

Thanks

Jon

IT Infrastructure Manager
Pilgrim Hospital
UK
  • CCO Document ID: 71068

    Background Information
    The Cisco Secure ACS Solution Engine, also known as the Cisco Secure ACS Appliance, is based on Microsoft Windows, and therefore is vulnerable to PMTUD attacks and to attacks based on ICMP "hard" error messages. Such attacks are detailed in the Crafted ICMP Messages Can Cause Denial of Service security advisory.
    Recent versions of the Cisco Secure ACS Solution Engine ship with Cisco Security Agent (CSA), which is configured to block all incoming ICMP messages. Under this situation, the Cisco Secure ACS Solution Engine is not vulnerable to any of the attacks that this document describes.
    Problem
    The Cisco Secure ACS Solution Engine does not respond to pings like a normal, Windows-based Cisco Secure ACS server.
    Solution
    The failure of the Cisco Secure ACS Solution Engine to respond to pings is the result of the rule set applied to the Cisco Security Agent installed on the appliance. The current rule set does not allow the Cisco Secure ACS Solution Engine to respond to ICMP Echos (pings). Since the Cisco Security Agent is unmanaged, its rule set cannot be modified.
    Check TCP Port 2002
    Instead of monitoring the status of the appliance with the use of ICMP, you can verify it is up and reachable when you connect to the appliance on TCP port 2002. Telnet to the appliance on port 2002 and press Enter. You should see the error: HTTP 500 Internal Server Error
    This is an example of this procedure performed at the Windows command line:
    C:\>telnet 172.18.124.101 2002 <enter>
    <enter>
    HTTP/1.0 500 Internal Server Error
    Connection to host lost.
    C:\>
    Additionally, you can download several free TCP ping-type utilities from the Internet that attempt to connect to a host on any TCP port and report back if the host responds.

    Open a case with Cisco and have them walk you through changing CSA to allow ICMP.
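The TCP port 2002 check described in the Cisco document above, written out as a small probe a poller could run instead of ICMP. This is an added example and is not code from the original thread, from Cisco or from SolarWinds: it does what the manual telnet session does (connect, send a bare CRLF, expect an HTTP 500 status line, then the peer drops the connection) and reports "down" when the TCP connection itself fails, which is the state Orion was missing. The port number is the one named in the document; the loopback stand-in server, the timeout values and the state names are assumptions made for the example so that it runs offline.

```python
"""TCP liveness probe for an appliance that blocks ICMP but listens on TCP/2002.

Added example, not from the original post, Cisco or SolarWinds. Mirrors the
manual check: connect, send a bare CRLF, expect "HTTP/1.0 500 ...", peer
closes. Host/port/timeout values and state names are assumptions.
"""
import socket
import threading

ACS_PORT = 2002                      # port named in the Cisco document
EXPECTED_STATUS = b"HTTP/1.0 500"    # documented banner from the appliance


def classify_response(data: bytes) -> str:
    """Map the bytes returned after a bare CRLF to a state string.

    'up'       - the documented HTTP 500 status line came back
    'up-other' - some other HTTP status line; the web server answered, but the
                 banner differs from the documented one (worth a look)
    'unknown'  - the port accepted the connection but sent nothing recognisable
    """
    first_line = data.split(b"\r\n", 1)[0].split(b"\n", 1)[0]
    if first_line.startswith(EXPECTED_STATUS):
        return "up"
    if first_line.startswith(b"HTTP/"):
        return "up-other"
    return "unknown"


def probe(host: str, port: int = ACS_PORT, timeout: float = 3.0) -> tuple[str, bytes]:
    """Connect to host:port, send CRLF, read until the peer closes or times out.

    Returns (state, raw_bytes). state is 'down' when the TCP connection fails
    (refused, filtered/timed out, unreachable), otherwise a classify_response()
    value. A refused or filtered port counts as 'down' because, from the
    poller's point of view, the service is not reachable either way.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(b"\r\n")                  # the "press Enter" step
            chunks = []
            while True:
                try:
                    chunk = s.recv(1024)
                except socket.timeout:          # server kept the socket open silently
                    break
                if not chunk:                   # "Connection to host lost."
                    break
                chunks.append(chunk)
    except OSError:
        return "down", b""
    data = b"".join(chunks)
    return classify_response(data), data


def start_fake_acs(banner: bytes = b"HTTP/1.0 500 Internal Server Error\r\n"):
    """Constructed stand-in for the appliance so the probe can be run offline.

    Listens on an ephemeral loopback port; for each connection it waits for the
    client's line, answers with `banner` and closes, which is the behaviour the
    Cisco document describes. Returns (listening_socket, port). Call close()
    on the socket to stop it; the probe then sees a refused connection.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.5)                         # lets the thread notice close()

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                if srv.fileno() == -1:          # listener was closed
                    return
                continue
            except OSError:
                return
            with conn:
                conn.settimeout(2.0)
                try:
                    conn.recv(64)               # the bare CRLF from the prober
                except OSError:
                    pass
                conn.sendall(banner)            # then the peer closes (with-block)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_fake_acs()
    print(probe("127.0.0.1", port))             # ('up', b'HTTP/1.0 500 ...')
    srv.close()
    print(probe("127.0.0.1", port))             # ('down', b'') once nothing listens
```

In a real poller the interesting distinction is between 'down' (no TCP answer at all, the failure mode the ICMP-blocking CSA rule set hides) and 'up-other' or 'unknown' (something answered on 2002 but not with the documented banner); treating only 'up' as healthy keeps the check honest if the appliance's web service changes.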
  • Thanks Ceclark

    IT Infrastructure Manager
    Pilgrim Hospital
    UK