Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000011986 - silent discard in AM 8.0: Authentication fails with no entry in Authentication Monitor

Document created by RSA Customer Support

on Jun 14, 2016•Last modified by RSA Customer Support

on Apr 21, 2017

Version 2Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

Article Content

Article Number	000011986
Applies To	RSA Authentication Manager 8.x, AM 8, AM 8.0, AM 8.0.7, AM 8.1, AM 8.1.0, AM 8.x, AM 8.1.1
Issue	With RADIUS authentication requests, the Real Time Authentication Monitor may show no entry for several reasons, so check the RADIUS Client statistics to look for Rejects in AM 7.1, 8.0 and 8.1, or silent discards in AM 6.1 (see KB a53250) Authentication request are silently discarded or dropped, with nothing in the Real Time Authentication Monitor or Authentication Activity Report. TCPDUMP or WireShark or Sniffer network packet capture shows Authentication Requests on UDP port 5500, but no replies coming back out of the AM server. See KB a63468 for instructions on TCPDUMP in AM 8.x, basically sudo su - cd /usr/sbin ./tcpdump -i eth0 -s 1514 -Z root port 5500 Proof of a silent discard will be seen in /opt/rsa/am/server/logs/imsTrace.log If Logging is set to verbose, Source IP address of unknown agent will be listed in error like this: 2014-03-07 09:55:21,121, [[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'], (AgentAccessSQL.java:130), trace.com.rsa.authmgr.internal.admin.common.dal.sql.DataObjectAccessSql, ERROR, PACEC81.credito.bcp.com.pe,,,,Unable to lookup class com.rsa.authmgr.internal.admin.agentmgt.dal.Agentwith ip address: 192.168.1.5 To increase the log Trace level to verbose login to the Security Console ? Setup ? System Settings. Then click Logging. Select Primary and/or replica. Set Trace level to verbose.
Cause	A silent discard is a dropped authentication request with no entry in the Real Time Authentication Monitor or Authentication Activity Report. In AM 8, unknown authentication agents werel be silently discarded. This is still true as of Q1 2014 with AM 8.0.7 and AM 8.1.0, but may change in the future. Silent discard can also occur when the AM 8.x Server does a reverse name lookup nslookup <ip address> of the Agent IP address and a name different from the configured agent name (including no name) is returned from DNS or /etc/hosts - This should be fixed in AM 8.0 P8.
Resolution	If no authentication agent exists - create one. If agent exists but you still get silent discards, verify that: 1. The IP address is correct 2. Agent is not disabled 3. Agent Name is spelled correctly - compare with reverse DNS lookup of IP, if nslookup <IP_address> returns a name different then you have in Authentication Agent, either fix name resolution or change the name in the Security Console 4. You may need to delete and re-create the Authentication Agent If this is a RADIUS client, you may need to regenerate the node secret for the RADIUS Server entry, or the RADIUS Client's associated Agent host. RADIUS silent discards can be seen in RADIUS client statistics.
Legacy Article ID	a64464

Attachments

Outcomes

0 Comments

Recommended Content