000036759 - How to troubleshoot an RSA Identity Router that is in a Distressed state

Document created by RSA Customer Support Employee on Mar 11, 2019
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000036759
Applies ToRSA Product Set: SecurID Access
RSA Product/Service Type: Identity Router
IssueWhen an RSA Identity Router (IDR) is distressed, you will see the following in the Cloud Administration Console:
  • The System Status - Identity Routers section of the Dashboard will show the number of Identity Routers that are distressed in red.
  • The Platform > Identity Routers page will show the Identity Router as Distressed.
CauseThe Cloud Administration Console shows an IDR as distressed for one or more of these reasons:

A networking problem

  • The Cloud cannot connect to the Identity Router.
  • The Identity Router cannot connect to the Cloud.

service problem

  • One or more services that should be running on the IDR, are not running.

A hypervisor problem

  • Due to a problem with the IDR's hypervisor or VM, the IDR is is not running, or is not performing as required.

An expected outage

  • A deliberate change has been done which has the known and expected side-effect of the IDR being temporarily in Distressed state.
ResolutionTo determine if the IDR is distressed due to a networking, service or hypervisor problem, or an expected outage, check the following.  Use the links provided to learn more about each item:

If so, this is an expected outage.

  • Is there a response if you Test the IDR?  If not, this is likely a networking or hypervisor problem.

    • Check  your hypervisor server (VMWare or Hyper-V).  Is the hypervisor itself or the IDR's VM, in a stopped or stopping state, or running out of resources (CPU, memory, etc) or in any other undesirable state?  If so, this is a hypervisor problem.  
    • If all looks well on the hypervisor, this is likely a networking problem.
  • Is there a response when you Test the IDR, but not all services are in running state?   All services should be running, except possibly the two below:

If either of the above services are not in running state when they should be, or if any other services are not in running state, there is a services problem.

Now, go to the appropriate section below for suggested troubleshooting tasks, based on your conclusions from the above questions.

Networking Problem

Services Problem

Follow these steps to gather data and pass it to RSA Support:

  1. Set the Identity Router Logging Level to Debug, then wait 5 minutes for internal IDR logging to capture activity.
  2. If you need to resolve the issue as quickly as possible (rather than referring it to RSA Customer Support first), you can try one or more of the following to see if they fix the problem:
    • Restart services on the IDR
    • Reboot the IDR.
    • From the hypervisor, shutdown then restart the IDR's VM (recommended only as a last resort)

Make a note of which of the above were done, the date and time they were done (with timezone) and the outcome (fixed or did not fix the problem).
Note that if you decide to later refer the matter to RSA Support, these actions will make it less likely that RSA will be able to determine root cause of the issue.

  1. Set the Identity Router Logging Level to Standard.

  • If the problem is not fixed, continue with the remaining steps below.

  1. Generate and Download an Identity Router Log Bundle.
  2. Contact RSA Customer Support to log a support case.  Also provide the actions you tried at step 3 above, and the date/time of each (with timezone).
  3. Upload the Identity Router Log Bundle to RSA Customer Support for analysis.

Hypervisor Problem

Expected Outage

NotesIf further assistance is required, contact RSA Customer Support.