000016395 - Using tcpdump to troubleshoot authentication issues with RSA Authentication Manager 8.x

1. Open an SSH session or connect directly to the Authentication Manager primary server.

If SSH is not enabled, log onto the Operations Console and navigate to Administration > Operating System Access, .  Check the option to Enable SSH and click Save.

2. Login as the rsaadmin user with the operating system password.

Note that during Quick Setup another user name may have been selected. Use that user name to login.

3. Elevate privileges to root, using the same operating system password used in step 2.
4.  Navigate to /usr/bin.
5. Run the following command that will collect all traffic to or from the default SecurID port of 5500 (both UDP and TCP) and send the output to the screen.   Note that the  Z is capitalized:

./tcpdump  -i  eth0  -s  1514  -Z  root  port  5500

Tcpdump is a third-party utility included with the appliance, it is not an RSA tool.  There are various websites that give detailed instructions and information for other options used by the tcpdump utility.  Please refer to them to choose the appropriate options for troubleshooting your particular issue.

A few common examples of tcpdump 

• Show all traffic to or from IP address 172.16.3.4  and send a summary to the screen:

./tcpdump  -i  eth0  -s  1514  -Z  root  host  172.16.3.4

• Write a file in /tmp named  cap1.cap, with details of the capture. This file can then be analyzed in detail using a third-party tool such as Wireshark, or sent to RSA custoomer support for analysis.  

./tcpdump  -i  eth0  -s  1514  -Z  root  -w  /tmp/capture.cap

1. Change permissions on the file using something similar to the command shown here:

chmod 777 capture.cap

2. Use a third-party secure copy program such as  WinSCP or FileZilla to copy it off the appliance.