cc/td/doc/product/access/acs_soft/cs_unx
hometocprevnextglossaryfeedbacksearchhelp
PDF

Table Of Contents

Troubleshooting Information

Error Messages

Editing the errmsg.dat File

No NAS Configurations Found

DNS Server Issues

ERROR Authentication Message When Database Connection is Lost

Obsolete Feature Warning

Error Message Descriptions

Obtaining Service and Support

Troubleshooting Checklist

Concurrent Logins

Console Authorization

Troubleshooting by Manual Startup and Shutdown

Shutting Down and Killing the CiscoSecure ACS

System Logging Functions

Controlling CiscoSecure ACS Logging

NAS AAA Debugging Commands

Troubleshooting "Severe SQL Error" Messages

Accessing Information in the csdblog_date Log Files

Typical Contents of a csdblog_date Log File

A Common DBServer Module Error Message in the csdblog_date Log File

Accessing Information in the dbserver.log


Troubleshooting Information


This chapter provides information to help you identify and resolve potential problems with your CiscoSecure Access Control Server (ACS) and includes the following sections:

Error Messages

Obtaining Service and Support

Troubleshooting Checklist

Concurrent Logins

Console Authorization

Troubleshooting by Manual Startup and Shutdown

System Logging Functions

Troubleshooting "Severe SQL Error" Messages

Error Messages

The following error messages are described in Tables 14-1 to 14-7:

RADIUS AAA Server Error Messages, Table 14-1

RADIUS AAA Server Warning Messages, Table 14-2

TACACS+ Error Messages and Solutions, Table 14-3

TACACS+ Protocol Errors, Table 14-4

Authentication Messages, Table 14-5

Authorization Messages, Table 14-6

Messages that Can Occur During CiscoSecure Startup, Table 14-7

Many messages are dynamic, containing variables that are context sensitive.

Editing the errmsg.dat File

The errmsg.dat file contains the text of most of the error messages for the CiscoSecure ACS displayed in the GUI. It is in the following directory:

$BASEDIR/ns-home/docs/cs

The errmsg.dat file can be edited in any text editor or word processor that supports ASCII. Character sets for languages other than English are supported.

The following guidelines must be observed:

Each line can contain only one error message.

Each error message can contain only one line.

Each line can contain up to 80 characters.

Each line must end with a newline character.

No NAS Configurations Found

CiscoSecure ACS by default includes a nas_config definition in the CSU.cfg file. The nas_config includes the secret, which is used for communication with a TACACS+ NAS, if configured to do so. If you are using RADIUS, then CiscoSecure ACS uses the NAS information configured in the NAS_LIST file. Because the NAS might be using a protocol other than RADIUS or TACACS+, it must have at least the default nas_config. If this default nas_config is not present, then CiscoSecure will display following messages:

CiscoSecure ERROR - no NAS configurations found
CiscoSecure ALERT - Initialization failed, server shutting down

The AAA Server will then shut down.

DNS Server Issues

If the target system has a Domain Name Server (DNS) configured, or if the Solaris operating system has been configured as a DNS server, special care must be taken to insure that DNS performance and operations are fully operational. If the CiscoSecure ACS server target Solaris system has DNS enabled, there might be performance or authentication issues for CiscoSecure ACS. CiscoSecure ACS does not directly call a DNS server; however, the Solaris operating system calls "gethostbyadd_r" and might indirectly call the DNS server if configured to do so. Check the /etc/nsswitch.conf file for such a configuration. If the DNS domain name resolution operation does not work or is slow, this will directly affect CiscoSecure ACS.

ERROR Authentication Message When Database Connection is Lost

Two parameters in the $BASE/CSU/libdb.conf file help you troubleshoot socket or reconnect errors:

MaxSocketError = #

MaxReconnectError = #

These parameters signify the number of socket errors or reconnect errors that CiscoSecure ACS for UNIX will accept and continue to return FAIL when the database cannot be contacted. When the number of socket or reconnect errors exceeds the specified limit, CiscoSecure ACS for UNIX will start to return ERROR (the requested behavior). For example:

MaxSocketError = 4
MaxReconnectError = 4

After four socket errors or four reconnect errors have occurred, CiscoSecure ACS for UNIX will start returning ERROR for all the "user not found" failures. At this point, the database is considered to be down, and failure to retrieve user profiles is because CiscoSecure ACS for UNIX cannot contact the DBServer, not because the user does not exist.

The default values for both parameters is 0, which signifies that this feature will not be used. For example:

MaxSocketError = 5
MaxReconnectError = 0

This means that only socket errors will be tracked; reconnect errors will be ignored.

Socket error happens once per failed authentication if the DBServer cannot be contacted. But in some situations, one error can count toward the profile update channel. So, with MaxSocketError configured to be four, it can take three or four failed authentications for the ACS to assume that the DBServer is down.

Reconnect errors are added as backup mechanism. In cases where connections are dropped without triggering CiscoSecure ACS for UNIX to start returning ERROR, socket error will not be incremented with each failed authentication. In this situation, CiscoSecure ACS for UNIX depends on reconnect errors. Unfortunately, due to the retry mechanism in CiscoSecure ACS for UNIX, there is no way to predict the number of reconnect errors per authentication failure. Setting MaxReconnectError to 10 can still cause CiscoSecure ACS for UNIX to start returning ERROR right away. But this is only a backup situation; normally the MaxSocketError error will suffice.

Obsolete Feature Warning

The config_local_timezone and config_use_host_timezone variables were removed from the CSU.cfg file to effect the automatic adjustment of time stamps for daylight saving time in accounting records. Removing the variables was also necessary to ensure Year 2000 Compliance. If your CSU.cfg file contains these variables, you can ignore the following message that will appear on startup:

CiscoSecure WARNING - Obsolete feature config_local_timezone, using local time

These variables will be ignored by CiscoSecure ACS for UNIX. By default, CiscoSecure ACS for UNIX uses the local system time.

Error Message Descriptions

The following tables list descriptions of error messages:

Table 14-1 RADIUS AAA Server Error Messages 

Error Message
Meaning

Unable to create accounting directory dictionary_name

Where directory_name = accounting directory from the server's profile. RADIUS1 server is unable to create the directory for the accounting records. Because the server executes as root, this problem is normally caused by a non-existent parent directory. Until this problem is corrected, all accounting records received by the RADIUS server are rejected.

Couldn't start accounting file (accounting_file)

Where accounting_file = accounting file from the server's profile. The RADIUS server is unable to access the previously opened accounting file. Until this problem is corrected, all accounting records received by the RADIUS server are rejected.

Couldn't open accounting file accounting_directory / nas_name / detail

Where directory_name = accounting directory from the server's profile, and nas_name = the NAS2 sending the accounting packet. RADIUS server is unable to open the accounting file. Until this problem is corrected, all accounting records received by the RADIUS server are rejected.

Couldn't update accounting file accounting_directory / nas_name / detail

Where directory_name = accounting directory from the server's profile, and nas_name = the NAS sending the accounting packet. The write to the previously opened accounting file failed. Until this problem is corrected, all accounting records received by the RADIUS server are rejected.

Send Account Rsp from nas_name - Security

Where nas_name = NAS sending the accounting packet. The accounting packet from the NAS failed to pass the security check and will be rejected.

Can't resolve server hostname (host_name), using default server setting

Where host_name = name of the host where the RADIUS AAA3 server is running. The RADIUS AAA server is unable to resolve its hostname, which is needed to retrieve the RADIUS server's profile from the database. The RADIUS AAA server uses internal default values for the server profile attributes.

Can't locate server profile (server_profile), using defaults

Where server_profile = name of the server's profile in the database. The RADIUS AAA server is unable to retrieve the RADIUS server's profile from the database. The RADIUS AAA server uses internal default values for the server profile attributes.

1 RADIUS = Remote Authentication Dial-In User Service.

2 NAS = network access server.

3 AAA = authentication, authorization, accounting.


Table 14-2 RADIUS AAA Server Warning Messages 

Error Message
Meaning

Unknown Acct-Status value (accounting_status_value)

Where accounting_status_value = decimal value of the invalid attribute. An accounting packet contained an accounting status attribute with an invalid value.

Invalid Accounting Packet from (nas_name) "+ variable message"

Where nas_name = the name of the NAS sending the accounting packet, and variable_message = valid accounting packet must contain a valid session ID, accounting status, and NAS id attribute. A list of missing attributes are added to the warning message. The accounting packet is rejected by the RADIUS server.

NAS (nas_name) input packet contains attr_name (Unknown Type attr_type)

Where nas_name = name of the NAS sending the packet, attr_name = name of the attribute in question, and attr_type = decimal value of the attribute. The unknown attribute is discarded, but the RADIUS server attempts to process the packet. A common cause of the error is an incorrect dictionary for the NAS sending the packet.

Passchange: from (nas_name): Password Changing NOT Allowed

Where nas_name = name of the NAS sending the packet. The RADIUS server is configured to deny change password requests, and a change password request was received. The request is rejected.

Authenticate: nas (nas_name) user (user_name) invalid NAS, NAS port, or Caller id

Where nas_name = name of the NAS sending the packet, and user_name = user profile requested by the NAS. The user's profile contained limiting origin information the request did not fulfill. The request is rejected.

Passchange: from (nas_name) - Missing Password: user_name

Where nas_name = name of the NAS sending the packet, and user_name = user profile requested by the NAS. A change password request failed to provide a new and old password. The request is rejected.

Passchange: from (nas_name) - Missing Local Password: user_name

Where nas_name = name of the NAS sending the packet, and user_name = user profile requested by the NAS. The user profile referenced in the change password request does not contain a password attribute or has a null password value. The request is rejected.

Passchange: from (nas_name): system password change not allowed: user_name

Where nas_name = name of the NAS sending the packet, and user_name = user profile requested by the NAS. The user profile password type does not support password changes. The request is rejected.

Passchange: from (nas_name) - Bad Pwd for user_name

Where nas_name = name of the NAS sending the packet, and user_name = user profile requested by the NAS.The password provided in the change password request is incorrect. The request is rejected.

Authenticate: from (nas_name) - No User Name

Where nas_name = name of the NAS sending the packet. The authentication request from the NAS does not contain a username attribute. The request is rejected.

Authenticate: from (nas_name) - user_name failed

Where nas_name = name of the NAS sending the packet, and user_name = user profile requested by the NAS. A valid user profile wasn't found in the database for the authentication request. The request is rejected.

Unknown accounting mode (accounting_mode)

Where accounting_mode = decimal value of the accounting mode in the RADIUS server profile. The accounting mode contained in the RADIUS AAA server profile is unknown to the RADIUS server. All accounting requests are rejected.

Unknown attribute type attribute_type

Where attribute_type = decimal value of attribute type. The reply attributes contain a type unknown to the RADIUS server. The attribute is ignored.

Dictionary dictionary_name contains unsupported vendor attributes

Where dictionary_name = dictionary profile name in database. The Ascend RADIUS handler found vendor-specific dictionary attributes in the dictionary attached to the NAS. The dictionary is ignored, and all requests from the NAS in question are rejected.

dictionary (dictionary_name) Invalid attribute value (attribute_value)

Where dictionary_name = dictionary profile name in database, and attribute_value = the value of the attribute in question. A dictionary A/V pair contains a value less than 0 or greater than 255. The dictionary is ignored, and all requests that require the dictionary are rejected.

dictionary (dictionary_name) attribute (attribute_name) invalid length

Where dictionary_name = dictionary profile name in database, and attribute_name = the attribute. The dictionary contains an attribute name that exceeds the maximum allowed attribute name length. The dictionary is ignored, and all requests that require the dictionary are rejected.

Malformed enum in dictionary dictionary_name

Where dictionary_name = dictionary profile name in database. The dictionary is formatted incorrectly. The dictionary is ignored and all requests that require the dictionary are rejected.

Dictionary (dictionary_name) unknown attribute type attribute_type

Where dictionary_name = dictionary profile name in database, and attribute_type = the decimal value of the attribute type. The dictionary contains an attribute that has an unsupported type. The attribute is marked as invalid.

Dictionary dictionary_name not found in database

Where dictionary_name = dictionary profile name in database. The dictionary profile wasn't found in the database. Requests that require the dictionary are rejected.

CHAP Token - Bad Pwd Size(pwd_size): user user_name, NAS nas_name

Where pwd_size = decimal size of the CHAP1 token, nas_name = name of the NAS sending the packet, and user_name = user profile requested by the NAS. The CHAP token in the request exceeds the maximum CHAP token length. The request is rejected.

CHAP Token Attempt: user user_name, NAS (nas_name)

Where user_name = user profile requested by the NAS and nas_name = name of the NAS sending the packet. A NAS attempted to use CHAP token password expiration without token caching enabled. The request is rejected.

authChapPwd: update failed

Update of the idle value of a cached token password failed.

authChapPwd: insert failed

Insertion of a token in the password cache failed.

CHAP Unix Attempt: user user_name, NAS (nas_name)

Where user_name = user profile requested by the NAS and nas_name = name of the NAS sending the packet. A CHAP password was provided by the NAS, but the user profile requires a UNIX system password. The request is rejected.

authPapPwd: from (nas_name), user user_name: pwd too long (pwd_length)

Where user_name = user profile requested by the NAS, nas_name = name of the NAS sending the packet, and pwd_length = password length. The password provided by the NAS exceeds the maximum PAP2 password length. The length is set to the maximum PAP password length.

Unknown password type (password_type) found in profile

Where password_type = decimal value of the password type. An unsupported password type was encountered in a user profile. The password is ignored.

T+ DES password length exceeds RADIUS string length

TACACS+ DES3 password length exceeds the length supported by the RADIUS server. The password is ignored.

T+ password length exceeds RADIUS string length

TACACS+ password exceeds the maximum length of a RADIUS string attribute. The password is ignored.

Unknown results challenge_results from token card challenge

Token card challenge returned a value unknown to the RADIUS server. The challenge request fails.

unexpected PW_SKIP status from token card api

Token card library returned a "PW_SKIP" status. The token card operation fails.

unexpected token_card_status status from token card api

Where token_card_status = decimal value of the status returned from the token card library. The token card library returned an unsupported status value. The token card operation fails.

Tokencard Authenticate (nas_name), user user_name: Invalid State

Where nas_name = name of the NAS sending the packet, and user_name = user profile requested by the NAS. The NAS provided a state value unknown by the RADIUS server. The token card operation fails.

Tokencard Authenticate from (nas_name), user user_name: Invalid Request

Where nas_name = name of the NAS sending the packet, and user_name = user profile requested by the NAS. A pending token card request for the token card operation could not be located in the request queue. The token card operation fails.

Tokencard Authenticate from (nas_name), user user_name: Invalid State

Where nas_name = name of the NAS sending the packet, and user_name = user profile requested by the NAS. The state of the pending request does not match the state required by the token card request. The token card request fails.

Unable to locate library for token card library_name

Where library_name = token card shared library name. The token card shared library needed to complete the token card request could not be loaded. The token card request fails.

Zero length username not permitted

Incoming NAS request contains a zero length username. The request fails.

Non-numeric value in numeric only field

User profile contains a non-numeric value in a numeric field. The request fails.

Attribute (attribute_name) length (attribute_length) exceeds RADIUS length (RADIUS_length)

Where attribute_name = name of attribute, attribute_length = decimal length of attribute, and RADIUS_length = decimal maximum RADIUS attribute length. A user profile contains an attribute that exceeds the maximum length supported by the RADIUS server. The request fails.

setpwfile failed for `file_name'

Where file_name = file name of the UNIX password file. Function setpwfile() failed to set up the password file. The request fails.

Can't locate NAS profile (nas_name)

Where nas_name = name of the NAS sending the packet. The RADIUS server failed to retrieve the NAS profile from the database. The request fails.

Invalid type for state attribute (state_type)

Where state_type = decimal value of the state attribute. A state attribute was received from the NAS with an unknown type. The attribute is ignored.

1 CHAP = Challenge Handshake Authentication Protocol.

2 PAP = Password Authentication Protocol.

3 DES = Data Encryption Service.



Note The RADIUS server shares code with the TACACS+ server, and errors from the shared code can cause failures (and error messages) while serving RADIUS protocol requests. The main sections of shared code are the database library, profile parser, and token card libraries.


Table 14-3 TACACS+ Error Messages and Solutions 

Error Message
Meaning
Solution

Maximum number of users exceeded

Maximum users allowed as specified by the license key exceeded.

If the number of users allowed is less than what the administrator expects, check CSU.cfg; to ensure that the license key entered correctly. Also check the cs_startup.log and syslog (/var/log/csuslog). These log files will contain information about the license key (expiration date and so on). Possibly get a new license key.

Protocol - mismatched encryption

Protocol - mismatched encryption keys

Secret shared between the NAS and the ACS does not match.

Find the secret for the NAS in CSU.cfg, and the secret in the NAS configuration. These secrets must match exactly. If the NAS is not listed in CSU.cfg, use the secret for the default NAS. If a default NAS is not specified, an entry with a matching secret must be added to CSU.cfg.

Authentication - Bad method for user

User is not configured for the type of NAS. For example, if the NAS is a Cisco RADIUS NAS, but the user is configured for TACACS+ only.

Check the user profile. Make sure it is configured for the type of NAS.

Authentication - Insufficient privilege

User privilege is too low.

If the user's request is being denied erroneously due to insufficient privilege, check the user's profile, and increase privilege if necessary.

Authentication - No token passcode received

User configured for token card, but no token password is received.

User did not enter a token password. Enter a token passcode during the login process.

Authentication - Account disabled

User's account is disabled due to too many failed logins.

The account can be reenabled by setting profile_status to enabled.

Authentication - Maximum sessions exceeded

User, group, or VPDN exceeds the allowed maximum number of sessions.

If the user, group, or VPDN is entitled to more sessions, change the user's, group's, or VPDN's profile to allow more sessions.

Authorization - No service specified

Authorization - No protocol specified

Authorization - No command specified

Authorization - Failed mandatory argument

Authorization - Bad argument

Authorization - Failed command line

Authorization - Failed command

Authorization - Failed time qualification

Requested service or command is denied.

Either the service, protocol, or command is entirely or partially missing or incorrect, or it is denied by the deny/permit statements in the profile. Check the profile and make sure the deny/permit statements are correct.


Table 14-4 TACACS+ Protocol Errors 

Error Message
Meaning

Protocol - Username too long

Protocol - Token passcode too long

Protocol - NAS name too long

Protocol - NAS port name too long

Protocol - NAS address too long

Length of fields exceeded the maximum allowed.

Protocol - Invalid privilege field

Protocol - Session id in use

Protocol - No session found

Protocol - Incorrect type

Protocol - Incorrect session

Protocol - Incorrect sequence

Protocol - Incorrect version

Protocol - Bad type

Bad data in the packet header.

Protocol - Garbled message

Invalid License Key

Protocol - Read timeout

Protocol - Connection closed

Network connection errors.


Table 14-5 Authentication Messages 

Error Message
Meaning

Authentication - User not found

User not found in the database.

Authentication - Bad type

Bad authentication type (login, sendpass, and so on).

Authentication - No username specified

No username found in the database.

Authentication - Unexpected data
Authentication - Unexpected reserved data

Bad data in the authentication packet.

Authentication - Incorrect password

Password incorrect.

Authentication - Aborted sequence

Authentication sequence aborted by the NAS.

Authentication - File handling error

Authentication encountered a file handling problem with the NAS.

Authentication - Unknown password type

Bad password type.

Authentication - User not in file

User not found in the database.

Authentication - Error in external function

An error occurred outside the AAA server.

Authentication - Bad service

Invalid service encountered in the PPP1 , shell, or other component.

Authentication - Bad action

The server performed an invalid function.

Authentication - Bad password

Garbled password.

Authentication - SENDPASS successful
Authentication - SENDPASS failed
Authentication - LOGIN successful
Authentication - ENABLE successful
Authentication - CHPASS successful
Authentication - SENDAUTH successful
Authentication - SENDAUTH failed

Various types of authentication success/failure messages.

Authentication - Too many tries

User exceeded the allowable number of attempts to enter the correct password.

Authentication - Can't change password
Authentication - Change password failed

An attempt to change a password failed.

1 PPP = Point-to-Point Protocol.


Table 14-6 Authorization Messages

Message
Meaning

Authorization - Unknown user

User not found.

Authorization - Unauthorized NAS or port

The NAS or port specified in the database does not exist. Specify a valid one.

Authorization - Request authorized

Authorization successful.


Table 14-7 Messages that Can Occur During CiscoSecure Startup

Message
Meaning

seminit failed (libsec code -8187)

This is actually a Netscape FastTrack Server message.

It is usually caused by incompatible permissions set for the system's /tmp directory.

Make sure that the user, group, and other categories all have read, write, and execute permission (r-w-x) to the /tmp directory of the system on which the Netscape FastTrack Server is installed.


Obtaining Service and Support

For information about obtaining technical assistance with your CiscoSecure ACS, see the section "Service and Support" in the publication Cisco Information Packet that shipped with your product.

Troubleshooting Checklist

If you are having problems with your CiscoSecure ACS system, check these items first:

Make sure you are using the correct Cisco IOS release for your version of CiscoSecure ACS and the protocol you are using.

Make sure you are using a web browser that is supported for your version of CiscoSecure ACS. See the release notes or the readme.txt file for a list of supported web browsers.

Make sure attribute values assigned to user profiles do not conflict with those assigned to their group profile.

If you are using the RADIUS protocol, any changes to the dictionary for one profile will affect all groups and users who are assigned that dictionary. To see if your dictionary has been changed, compare the dictionary attributes you see listed on the Administrator program line-by-line with those listed in "RADIUS Attribute-Value Pairs and Dictionary Management." If they differ, your dictionary has been changed. You can also use this technique to find out which dictionary has been assigned to a profile.

Confirm that CiscoSecure ACS installed without generating any errors.

Use a text editor, such as vi, to view the $BASEDIR/logfiles/cs_install.log.

Note any errors and correct them where possible.

Confirm that CiscoSecure ACS starts successfully.

Use a text editor such as vi, to examine the $BASEDIR/logfiles/cs_startup.log.

Note any errors and correct them where possible.

Concurrent Logins

Most sites need to detect when a user account has been compromised or is being shared with other people.

The CiscoSecure ACS 2.3 for UNIX with the Distributed Sessions Manager (DSM) feature installed and enabled detects when a single user account is being used from multiple locations.

CiscoSecure ACS for UNIX without the DSM feature installed and enabled does not internally detect this mis-use. Without DSM, the CiscoSecure system administrator must detect this mis-use by collecting the accounting logs from all the CiscoSecure ACSes on a network and reporting those accounting records that indicate concurrent use of the network.

In all cases, accounting must also be enabled on all NASes so that accounting records are generated. For an Internet service provider, this can result in revenue loss for the period between checks of the accounting logs.

Console Authorization

Authorization checks on a router console are not always performed. See the release notes or test your Cisco IOS release to determine if this is a problem in your environment.

Troubleshooting by Manual Startup and Shutdown

Most of the time, you will use automatic startup and shutdown operations while using CiscoSecure ACS for UNIX. But for some diagnostic purposes, you might want to kill or shut down the CiscoSecure ACS and restart it manually.

Shutting Down and Killing the CiscoSecure ACS

When the CiscoSecure ACS software is running, you can control its operation and shutdown by using a specific UNIX signal sent with the UNIX kill command; or you can stop security functions by issuing the shutdown command. Both are described as follows:

SIGINT—Stops the CiscoSecure ACS, closing all open connections. To stop the server in this manner, enter the following command:

# kill -INT 'cat /etc/CiscoSecure.pid'

Note In this command line, the process ID of the CiscoSecure ACS software is taken from the file /etc/CiscoSecure.pid, which is created when the CiscoSecure ACS starts.


Shutdown—Completely shuts down security functions on the ACS:

# /etc/rc0.d/K80CiscoSecure

Restarting the CiscoSecure ACS with Logging Options

After killing or shutting down CiscoSecure ACS, you can restart it with specific flags to invoke different options that help isolate potential problems. The flags are associated with logging options specified in the CSU.cfg file.

To use these options, move to the $BASEDIR/CSU directory and enter the following UNIX command line:

./CiscoSecure [-v] [-c] [-d] [-p] [-x] -f $BASEDIR/config/CSU.cfg

where:

Table 14-8 Logging Options

-v

Displays the CiscoSecure ACS software version information.

-c

Instructs the CiscoSecure ACS to display its logging output on stderr. Normally, all output is logged using the syslog facility.

-p

Causes the CiscoSecure ACS to read and verify that the control file and referenced user database files are correct.

-x

CiscoSecure ACS will not divorce itself from the controlling terminal and will stay in the foreground.

-f CSU.cfg

Identifies the control file.



Note Flags in brackets are optional.


System Logging Functions

The CiscoSecure ACS software makes use of the system logging (syslog) facilities. You can use syslog to determine which information is immediately displayed on the console or retained for later use.

The information recorded in the syslog file (usually /var/log/csuslog) contains RADIUS accounting information. At present this information is verbose. This is done on purpose, as CiscoSecure ACS user requirements vary widely. Some users want very detailed information, while others may require very minimal information. Since it is possible to filter out unnecessary information, CiscoSecure adds all the information it has about the accounting records to the log. This allows you to customize the log to suit your individual requirements.

Events that can be logged by the CiscoSecure ACS include the following:

Server start, restart, stop, and crash events

Fatal internal errors

Serious internal errors resulting in limitation of server operation

TCP/IP connection resets

Unexpected accounting transactions (indicating probable error recovery)

Failed authentication and authorization requests

Successful enable requests

Packet-level information

Controlling CiscoSecure ACS Logging

Logging is controlled through the logging options that you can enable or disable on the AAA General page of the CiscoSecure ACS administrative web site. (See "Managing General Settings on the ACS" in the CiscoSecure ACS 2.3 for UNIX User Guide chapter "ACS and NAS Management.")


Note To activate logging options for RADIUS, first go to the Servers tab in the Java-based CiscoSecure Administrator advanced configuration program and enable the Debugging option. Then select logging options on the AAA General page described in this section.


The logging options on the AAA General page are listed as follows:


Note After you finish enabling or disabling logging options, click Re-initialize at the top of the page to make the changes take effect.


LOG_DEBUG—Log debug information

LOG_INFO—Log informational messages

LOG_NOTICE—Log notices

LOG_WARNING—Log warnings

LOG_ERROR—Log error messages

LOG_ALERT—Log alerts

LOG_RADIUS_DEBUG—Log RADIUS-related debug messages

AUTHEN_OK—Log normal authentication information

AUTHEN_FAIL—Log failed authentication information

AUTHEN_ERROR—Log authentication error information

AUTHEN_OUTPUT—Log information sent to the NAS client

AUTHOR_OK—Log normal authorization information

AUTHOR_FAIL_CMD—Log authorization commands failed for bad command lines

AUTHOR_FAIL_ARG—Log authorization commands failed for bad arguments

AUTHOR_FAIL_OTHER—Log authorization commands failed for other reasons

AUTHOR_ERROR—Log authorization errors

AUTHOR_OUTPUT—Log the attributes returned to the NAS on completion of an authorization request

ACCOUNT_OK—Log normal accounting information

ACCOUNT_FAIL—Log failed accounting operations

ACCOUNT_ERROR—Log errors in accounting operations

ERRNO_INFO—Log low-level errors protocol and operating errors from which CiscoSecure usually recovers

SERVICE_INFO—Log major protocol operations

PROTOCOL_ERROR—Log TACACS+ protocol errors

PACKET_INFO—Log TACACS+ protocol packets

Configuring the Syslog Logging Facility Level

CSU.cfg contains a parameter NUMBER config_system_logging_level = 0x80.

The default 0x80 corresponds to local0.debug in /etc/syslog.conf. To use the other facility levels, use one of the following values:

local0.debug --> 0x80

local1.debug --> 0x88

local2.debug --> 0x90

local3.debug --> 0x98

local4.debug --> 0xa0

local5.debug --> 0xa8

local6.debug --> 0xb0

local7.debug --> 0xb8


Note In /etc/syslog.conf, the logging facility level must be separated from the log filename with a tab, rather than a space; for example, local0.debug<TAB>/var/log/csuslog.


After you change /etc/syslog.conf, you must restart the syslog daemon syslogd. Enter:

kill -HUP <process ID of syslogd>

UNIX Syslog Configuration

To help ensure proper database operation, verify that the UNIX system is properly configured for recording the CiscoSecure ACS logging information. This information is typically logged in a file. Significant events are logged to the system console.

The default syslog facility is LOG_LOCAL0. (See your UNIX system documentation for more information about syslog.) You can change this by changing the value of the CiscoSecure ACS software control file variable, config_system_logging_level.

To maintain a centralized database of messages, modify the configuration of syslog. This assures that the program logs all CiscoSecure ACS messages. To do this:

1. Use the UNIX touch command to create the following file: /var/log/csuslog.

After this is done, syslog can store messages there.

2. To cause all informational messages to be sent to the named file, add the following line to /etc/syslog.conf:

local0.debug     /var/log/csuslog

Note Spaces cannot be used between `local0.debug' and `/var/log/csuslog'. Use the Tab key to create spaces.


3. To cause syslog to reread its configuration file, enter the following command:

# kill -HUP `cat /etc/syslog.pid`

4. To shut down all security and database functions of CiscoSecure ACS, use the K80CiscoSecure command:

# /etc/rc0.d/K80CiscoSecure

5. To start all the CiscoSecure ACS security and database functions, use the S80CiscoSecure command:

# /etc/rc2.d/S80CiscoSecure

NAS AAA Debugging Commands

You can use the following commands to help you troubleshoot your Cisco Systems NAS:

debug aaa authorization

debug aaa authentication

debug aaa accounting

debug tacacs

debug radius

show tacacs

See the documentation for your Cisco Systems NAS if you want more information on using these commands.

Troubleshooting "Severe SQL Error" Messages

Occasionally messages indicating "Severe SQL Error" might appear in the CiscoSecure ACS 2.3 Administrator web pages. The accompanying online help can direct you to view the DBServer log files. Two types of DBServer log files are located in the $BASEDIR/logfiles directory:

The daily csdblog_date log file

where date is the date the log file is created. For example, csdblog_98-MAR-28.

The dbserver.log file

Accessing Information in the csdblog_date Log Files

The csdblog_date log files, located in the $BASEDIR/logfiles directory, log error and warning messages from both the DBServer module and from the RDBMS (Oracle, Sybase, or SQLAnywhere) where you are storing your group and user profiles. A new csdblog_date log file is created in approximately 24 hour intervals from the time the DBServer was last restarted.

Typical Contents of a csdblog_date Log File

Sample output is as follows for csdblog_98-Mar-5 (note that the first two lines are always present even if nothing else is; the other lines are the result of errors):

/*** Cisco Secure database server error log ***/
SEVERITY LEVELS ranges from 1 to 10 where 1=MINOR, 10=CATASTROPHIC
----------------------------------------------------------------------------
Thu Mar 05 09:33:07 PST 1998 Severity Level: 8 Error#0
Msg:DBInterface.execSqlUpdate:[insert into cs_user_profile ( user_na
me, profile_id, profile_ts, cycle_number ) values ( ?, 100000001, ?, 1 )
]{ SQLState: }, { Message: ORA-23326: object group MASTER-
MASTER is quiesced}, { Vendor Code: 23326}

Thu Mar 05 09:33:07 PST 1998 Severity Level: 8 Error#0
Msg:DBInterface.execSqlsInTran:{ SQLState: }, { Message: ORA-23326:
object group MASTER-MASTER is quiesced}, { Vendor Code: 23326}
Thu Mar 05 09:33:08 PST 1998 Severity Level: 8 Error#0
Msg:DatabaseWorker error: ORA-23326: object group MASTER-MASTER is q
uiesced

A Common DBServer Module Error Message in the csdblog_date Log File

An example of a common DBServer-generated message that might appear in a csdblog_date log file, is:

Wed Mar 04 12:51:49 PST 1998 Severity Level: 8 Error#0
Msg:DatabaseMgr:getAvailDBconn(): "Out of database resources error: The number of available connections to the Database has currently been reached. Please retry later"

If the preceding message appears frequently in the csdblog_date log file, increase the number of connections to the RDBMS or reduce the MaxConnection parameter in the $BASEDIR/CSU/libdb.conf file.

Changing the csdblog_date File Logging Level

The DBServer module or RDBMS error messages that can be logged in a csdblog_date log file are ranked in order of severity from 1 to 10 (where: 1 = minor, 5 = moderate, 8 = severe, and 10 = catastrophic).

The default logging level is 8, which means that DBServer or RDBMS error messages with a severity of 8 or higher are logged in this file.

To change the level of logging for the purposes of troubleshooting or testing, edit the MinLogLevel = parameter in the $BASEDIR/config/CSConfig.ini file. For example, the following setting:

MinLogLevel = 5

enables logging in the csdblog_date log file of moderate-or-higher severity messages. Lowering the logging level increases the amount of messages written to your daily csdblog_date log files.

Accessing Information in the dbserver.log

Major DBServer module events, such as startup or shutdown, are recorded in the dbserver.log file, located in the $BASEDIR/logfiles directory. DBServer events too sudden and catastrophic to be logged in the csdblog_date log file might be recorded in the dbserver.log file.


hometocprevnextglossaryfeedbacksearchhelp

Posted: Wed Feb 16 10:19:04 PST 2005
All contents are Copyright © 1992--2005 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.