000016395 - Using tcpdump to troubleshoot authentication issues with RSA Authentication Manager 8.x

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support on Aug 2, 2018

Article Content

Article Number: 000016395
Applies To:
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x

Issue: This article reviews how to run tcpdump to troubleshoot authentication issues on Authentication Manager 8.x.

Resolution: Authentication Manager includes the tcpdump utility in /usr/sbin. You must be logged in as root to run the commands.
  1. Open an SSH session or connect directly to the Authentication Manager primary server.

If SSH is not enabled, log onto the Operations Console and navigate to Administration > Operating System Access. Check the option to Enable SSH and click Save.

  2. Log in as the rsaadmin user with the operating system password.

Note that during Quick Setup another user name may have been selected. Use that user name to log in.

  3. Elevate privileges to root, using the same operating system password used in step 2.
  4. Navigate to the directory that contains tcpdump (/usr/sbin, as noted above).
  5. Run the following command, which collects all traffic to or from the default SecurID port of 5500 (both UDP and TCP) and sends the output to the screen. Note that the Z in -Z is capitalized:

./tcpdump -i eth0 -s 1514 -Z root port 5500

Tcpdump is a third-party utility included with the appliance; it is not an RSA tool. Various websites give detailed instructions and information on the other options the tcpdump utility supports. Please refer to them to choose the appropriate options for troubleshooting your particular issue.

A few common examples of tcpdump 

  • Show all traffic to or from a given IP address and send a summary to the screen (replace the placeholder with the address of interest, for example an agent host):

./tcpdump -i eth0 -s 1514 -Z root host <IP address>

  • Write a file in /tmp named capture.cap containing the full details of the capture. This file can then be analyzed in detail using a third-party tool such as Wireshark, or sent to RSA Customer Support for analysis.

./tcpdump -i eth0 -s 1514 -Z root -w /tmp/capture.cap

Note that the capture file is written by root, so to copy it off the server you will need to:

  1. Change permissions on the file using a command similar to the one shown here:

chmod 777 capture.cap

  2. Use a third-party secure copy program such as WinSCP or FileZilla to copy it off the appliance.
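Before opening a capture in Wireshark or sending it to support, it is useful to confirm that it actually contains port 5500 traffic and which hosts were talking. The following Python example is added here and is not part of this article nor an RSA tool: it parses the classic pcap format that tcpdump -w writes and counts TCP and UDP packets to or from port 5500 per source/destination pair. The embedded capture and the 192.0.2.x addresses are constructed test data.

```python
import struct
from collections import Counter
SECURID_PORT = 5500  # default agent/Authentication Manager port, as in the capture commands above

def _count_frame(frame, counts):
    """Count one Ethernet frame if it carries IPv4 TCP/UDP to or from port 5500."""
    if len(frame) < 38 or frame[12:14] != b"\x08\x00":
        return
    ip = frame[14:]
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    if proto not in (6, 17) or len(ip) < ihl + 4:
        return
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    if SECURID_PORT in (sport, dport):
        src, dst = (".".join(map(str, ip[i:i + 4])) for i in (12, 16))
        counts[("tcp" if proto == 6 else "udp", src, dst)] += 1

def summarise_capture(data):
    """Walk a classic pcap file (tcpdump -w output) and count port-5500 packets per direction."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng or truncated?)")
    counts, offset = Counter(), 24  # skip the 24-byte global header
    while offset + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[offset:offset + 16])[2]
        offset += 16
        _count_frame(data[offset:offset + incl_len], counts)
        offset += incl_len
    return counts

def _frame(proto, src, dst, sport, dport):
    """Constructed Ethernet/IPv4 header plus ports and filler bytes (test data, no real payload)."""
    ip = bytes([0x45, 0, 0, 28, 0, 0, 0, 0, 64, proto, 0, 0])
    ip += bytes(map(int, src.split("."))) + bytes(map(int, dst.split(".")))
    return b"\x00" * 12 + b"\x08\x00" + ip + struct.pack("!HH", sport, dport) + b"\x00" * 4

def build_sample_capture():
    """Constructed capture: two UDP requests and one reply for agent .10, one TCP packet from .11, one DNS packet to ignore."""
    frames = [
        _frame(17, "192.0.2.10", "192.0.2.1", 40000, 5500),
        _frame(17, "192.0.2.10", "192.0.2.1", 40001, 5500),
        _frame(17, "192.0.2.1", "192.0.2.10", 5500, 40000),
        _frame(6, "192.0.2.11", "192.0.2.1", 50000, 5500),
        _frame(17, "192.0.2.10", "192.0.2.53", 5353, 53),
    ]
    pcap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 1514, 1)  # snaplen 1514, link type Ethernet
    for f in frames:
        pcap += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return pcap
```

On a real file, pass the bytes of /tmp/capture.cap to summarise_capture and print the Counter; pcapng files are rejected rather than misread.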
Legacy Article ID: a63468