ACS 4.1 -> 5.1 migration tool

A while ago I did a migration of Cisco ACS from v4.x to v5.x. As you probably know, there is a migration tool that can be used to migrate some (but not all!) of the configuration details from 4.x into 5.x. What happened to me was very strange and I would like to share it with you…

What I did, which is also the recommended way of doing this, was to:
1) Make a complete database backup of the existing 4.x installation.
2) Install a new ACS 4.x for Windows, running on a virtual (temporary) Win2003 server.
3) Restore the backup to this temporary migration instance.
4) Run the script locally on the migration instance.

The script will connect to the old (local) database and the new 5.x-appliance and migrate the configuration database.

However, what happened to me was that when the script started I got this error message:

Fatal Error !! - cannot connect to ACS 4.x DB !!

I struggled with this for a while, trying different credentials and other settings without success. When opening a TAC case I got an instant solution to the problem:

This happens if you RDP or VNC to the migration server without connecting to the console. Since this server was running under VMware ESX, I could do either of:
1) Use the console from the VMware vSphere client.
2) Use the /admin parameter of mstsc when RDP:ing to the migration server.

Who could have guessed? I hope that this blog post will be indexed and found when someone else googles this error message, like I tried to do. :-) Also, this is filed as bugId CSCsr62965.

Below is the full content of the Cisco TAC case, for reference.

Problem Details:
From the existing ACS 4.x appliance (10.0.0.16) I have done a complete backup. This
has been restored to a ACS 4.1 (trial) for Windows (10.0.0.19). On this machine I run
the migration script. The goal is to migrate the configuration to the new ACS 5.1
appliance (10.0.0.18).

When running the script it says “Fatal Error !! – cannot connect to ACS 4.x DB !!”

This is the content of migration.log after an unsuccessful migration attempt:

06-28-2010 09:08:21 JavaUtils.isAttachmentSupported(JavaUtils.java:1308) WARN – Unable to find required classes (javax.activation.DataHandler and javax.mail.internet.MimeMultipart). Attachment support is disabled.
06-28-2010 09:08:34 ACS4Connector.checkDBConnectivity(ACS4Connector.java:137)FATAL – Fatal Error !! – cannot connect to ACS 4.x DB !!
java.sql.SQLException: [Sybase][ODBC Driver][Adaptive Server Anywhere]Database server not found
at ianywhere.ml.jdbcodbc.IDriver.makeODBCConnection(Native Method)
at ianywhere.ml.jdbcodbc.IDriver.connect(IDriver.java:354)
at java.sql.DriverManager.getConnection(Unknown Source)
at java.sql.DriverManager.getConnection(Unknown Source)
at com.cisco.nm.acs.mgmt.migration.ACS4Connector.getConnecter(ACS4Connector.java:66)
at com.cisco.nm.acs.mgmt.migration.ACS4Connector.checkDBConnectivity(ACS4Connector.java:133)
at com.cisco.nm.acs.mgmt.migration.MigrationApplicationCLI.runExport(MigrationApplicationCLI.java:605)
at com.cisco.nm.acs.mgmt.migration.MigrationApplicationCLI.main(MigrationApplicationCLI.java:266)

—————————
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator>cd \migration\migration

C:\migration\migration>cd bin

C:\migration\migration\bin>
C:\migration\migration\bin>
C:\migration\migration\bin>ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 10.0.0.19
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.0.0.1

C:\migration\migration\bin>ping 10.0.0.18

Pinging 10.0.0.18 with 32 bytes of data:

Reply from 10.0.0.18: bytes=32 time<1ms TTL=64

Ping statistics for 10.0.0.18:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Control-C
^C
C:\migration\migration\bin>del migration.log

C:\migration\migration\bin>migration.bat
**************************************************
Copyright (c) 2008, 2009 Cisco Systems, Inc.
All rights reserved.
**************************************************

This utility migrates data from ACS 4.x to ACS 5. You can migrate directly from
the following ACS versions:

1. ACS 4.1.1.24
2. ACS 4.1.4
3. ACS 4.2.0.124
4. ACS 4.2.1

The migration utility analyzes the ACS 4.x data, exports the data from ACS 4.x t
hat can be migrated automatically, and imports the data into ACS 5.
You can manually consolidate and resolve data according to the analysis report,
before the import stage, to maximize the amount of data that the utility can mig
rate.
After migration, use the imported data to recreate your policies in ACS 5.
——————————————————————————–
————————————–

Use saved user defaults?[yes]
no
Make sure that the database is running.
Enter ACS 5 IP address or hostname:[10.0.0.18]

Enter ACS 5 Administrator username:[ACSAdmin]

Enter ACS 5 password:[******]

Change user preferences?[no]
yes

User Groups
——————————————————————————–
————————————–
Existing user groups will be migrated to the Identity Group.
Enter the name of new Root:[Migrated_Group]

Network Device Groups
——————————————————————————–
————————————–
Existing network device groups will be migrated to the Network Device Group.
Enter the name of new Root:[Migrated_NDGs]

Consolidation Prefix
——————————————————————————–
————————————–
Identical objects found are consolidated into one.
Enter the prefix to be added to such a consolidated object:[]

Users
——————————————————————————–
————————————–
ACS 5 supports authentication for internal users against the internal database o
nly.
ACS 4.x users that were configured to use an external database for authenticatio
n are migrated with a default authentication password.
Specify the default password.[******]

Disabled Group Users
——————————————————————————–
————————————–
ACS 4.x users and hosts that are associated with disabled group will be migrated
as disabled:[yes]

Configure these users as disabled in ACS 5, or ask for a change of password on f
irst access by the user to ACS 5.
Select the option:
1 – DisableExternalUser
2 – SetPasswordChange
Selected option:[2]

Network Device
——————————————————————————–
————————————–

TACACS+ and RADIUS network devices with same IP will be unified.
Select the name to be used for unified devices.
1 – RADIUSName
2 – TACACSName
3 – CombinedName
Selected option:[3]

DACL name construction
——————————————————————————–
————————————–

Existing downloadable ACL will be migrated.
Select the name to be used for the migrated DACL
1 – DaclName_AclName
2 – AclName
Selected option:[1]

Save user defaults?[yes]

Connecting to ACS5, please wait…

Enter ACS 4.x Server ID:
acs4
Warning: This server id was entered before.

Add server specific migration prefixes?[no]

Show full report also on screen?[yes]

——————————————————————————–
————————————–

Select the ACS 4.x Configuration groups to be migrated:[1]
1 – ALLObjects
2 – AllUsersObjects
3 – AllDevicesObjects
4 – SharedCommandSet
5 – SharedDACLObject
6 – MasterKeys
7 – SharedRACObjectWithVSA
——————————————————————————–
————————————–

——————————————————————————–
————————————–

The following object types will be extracted:
——————————————————————————–
————————————–

User Attributes
User Attribute Values
Network Device Groups
User Groups
Groups Shell Exec
Users Shell Exec
Users
Shared Command Sets
Groups Command Set
Users Command Set
Network Device
Shared Downloadable ACL
EAP FAST – Master Keys
MAB
VSA Vendor
VSA
RAC
——————————————————————————–
————————————–

Choose one of the following:
1 – AnalyzeAndExport
2 – Import
3 – CreateReportFiles
4 – Exit
——————————————————————————–
————————————–

1
Fatal Error !! – cannot connect to ACS 4.x DB !!
——————————————————————————–
————————————–

Choose one of the following:
1 – AnalyzeAndExport
2 – Import
3 – CreateReportFiles
4 – Exit
——————————————————————————–
————————————–

4
Would you like to migrate another ACS4.x server?[no]
no
C:\migration\migration\bin>

—————–

*** Service Request LOG 2010-06-28 08:40:25.0 GMT, FZILIOTT, Action Type: Email In ***

From: fziliott@cisco.com
Subject: SR 614750319 – * C3A – Problem running ACS4 -> ACS5 migration script

See detail note for email text

From: xxxx@cisco.com
To: xxxx@xx.com
Cc: attach@cisco.com
Subject: SR 123456789 – * C3A – Problem running ACS4 -> ACS5 migration script

Hello Jimmy,

Thank you for contacting the Cisco TAC.
My name is Federico Ziliotto and I am the engineer assisting you for the
Service Request 614750319.

Looking at the notes, the current problem description regards the fact
that the migration utility for ACS 5.1 fails with the following
exception when trying to migrate a database from ACS 4.1:

JavaUtils.isAttachmentSupported(JavaUtils.java:1308) WARN – Unable to
find required classes (javax.activation.DataHandler and
javax.mail.internet.MimeMultipart). Attachment support is disabled.

ACS4Connector.checkDBConnectivity(ACS4Connector.java:137)FATAL – Fatal
Error !! – cannot connect to ACS 4.x DB !!

If needed, do not hesitate to update or modify my understanding at any time.

As a first action plan, I would like to collect some more details from
the following points:

1. Could you please confirm the full version of ACS for Windows, on
whose server you are running the migration tool?
This should be visible in the ACS web interface, on the home page, right
after logging in: 4.1.x.y

2. I would also like to please verify whether you are accessing the
Windows server via RDP or VNC, for example.
If so, I would suggest to please test running the migration tool while
being physically on the Windows server.
If this is a VMware machine, please use the console.

3. Should the issue still persist after having checked point #3, at the
end of the process, please also select the option “CreateReportFiles”
and then forward me the logs on the Windows server under

…\migration\bin\migration.log
and
…\migration\config

Please also take some time to document the business impact related to
the case, if relevant, so that I can focus on the issue accordingly.

For your convenience I have included my contact details below; feel free
to use them for any further questions.

Please make sure to always keep attach@cisco.com in the CC list so that
the SR is updated automatically, and delete the lines from the previous
emails when replying, in order to keep the case notes clear.

Best regards,

xxxxx


Cisco Systems – EU TAC hotline: +32 2704 5555
Technical Support worldwide Contacts and Home Page:

http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
http://www.cisco.com/go/tsdelivery
***
For corporate legal information go to:

http://www.cisco.com/web/about/doing_business/legal/cri/index.html
***

*** Service Request LOG 2010-06-28 09:47:19.0 GMT, JILAHBG, Action Type: Email In ***

From: xxxx@xx.com
Subject: RE: SR 614750319 – * C3A – Problem running ACS4 -> ACS5 migration script

See detail note for email text

From: xxxx@xx.com
To: xxxx@cisco.com
Cc: attach@cisco.com
Subject: RE: SR 123456789 – * C3A – Problem running ACS4 -> ACS5 migration script

Hello

Running rdp to the console (start->Run->mstsc /admin) was successful. I am all done
with my migration now. Thanks a lot! The case can be closed.

Br Jimmy
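
As an added example (not part of the original post, the TAC case or Cisco's tooling), this Python code parses a migration.log in the format quoted in the case above, re-joins records that were hard-wrapped when pasted, and returns the FATAL entries whose underlying exception is the ODBC driver's "Database server not found", the symptom this post traces to running the tool outside the console session. The function names and the sample log are constructed for illustration.

```python
import re

# Record header as in the migration.log excerpt on this page: "MM-DD-YYYY HH:MM:SS
# Class.method(File.java:N) LEVEL - message"; the space before LEVEL is optional.
HEADER = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}) (?P<src>\S+?\(\S+?:\d+\))\s*"
    r"(?P<level>DEBUG|INFO|WARN|ERROR|FATAL)\s*[-\u2013]\s*(?P<msg>.*)$")
EXCEPTION = re.compile(r"^[\w.$]+(?:Exception|Error): ")

# Constructed sample modelled on that excerpt, hard-wrapped the way a pasted log can be.
SAMPLE_LOG = """\
06-28-2010 09:08:21 JavaUtils.isAttachmentSupported(JavaUtils.java:1308) WARN \u2013 Unable to
find required classes (javax.activation.DataHandler and
javax.mail.internet.MimeMultipart). Attachment support is disabled.
06-28-2010 09:08:34 ACS4Connector.checkDBConnectivity(ACS4Connector.java:137)FATAL \u2013
Fatal Error !! \u2013 cannot connect to ACS 4.x DB !!
java.sql.SQLException: [Sybase][ODBC Driver][Adaptive Server Anywhere]Database server not
found
at ianywhere.ml.jdbcodbc.IDriver.connect(IDriver.java:354)
at
com.cisco.nm.acs.mgmt.migration.MigrationApplicationCLI.runExport(MigrationApplicationCLI.
java:605)
"""

def parse_records(text):
    """Re-join wrapped lines into records: message, exception text, stack frames."""
    records, part = [], None
    for line in filter(None, (l.strip() for l in text.splitlines())):
        m = HEADER.match(line)
        if m:
            records.append(dict(m.groupdict(), exception="", frames=[]))
            part = "msg"
        elif not records:
            continue                                  # noise before the first record
        elif line == "at" or line.startswith("at "):
            records[-1]["frames"].append(line[2:].strip())
            part = "frames"
        elif part == "frames":
            records[-1]["frames"][-1] += line         # frame wrapped mid-token
        elif part == "exception" or EXCEPTION.match(line):
            records[-1]["exception"] = (records[-1]["exception"] + " " + line).strip()
            part = "exception"
        else:
            records[-1]["msg"] = (records[-1]["msg"] + " " + line).strip()
    return records

def console_session_suspects(text):
    """FATAL records where the ODBC driver reported 'Database server not found'."""
    return [r for r in parse_records(text)
            if r["level"] == "FATAL" and "Database server not found" in r["exception"]]
```

A non-empty result from `console_session_suspects()` is the cue to check whether migration.bat was started from the console session (the VMware console or `mstsc /admin`) before trying other credentials.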
