000011986 - silent discard in AM 8.0: Authentication fails with no entry in Authentication Monitor

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000011986
Applies To: RSA Authentication Manager 8.x, AM 8, AM 8.0, AM 8.0.7, AM 8.1, AM 8.1.0, AM 8.x, AM 8.1.1
Issue: With RADIUS authentication requests, the Real Time Authentication Monitor may show no entry for several reasons. Check the RADIUS client statistics for Rejects in AM 7.1, 8.0 and 8.1, or for silent discards in AM 6.1 (see KB a53250).
Authentication requests are silently discarded or dropped, with nothing in the Real Time Authentication Monitor or the Authentication Activity Report.

A tcpdump, Wireshark or other sniffer packet capture shows authentication requests arriving on UDP port 5500, but no replies leaving the AM server.

See KB a63468 for instructions on tcpdump in AM 8.x; basically:

    sudo su -
    cd /usr/sbin
    ./tcpdump -i eth0 -s 1514 -Z root port 5500

Proof of a silent discard will be seen in /opt/rsa/am/server/logs/imsTrace.log

If the trace level is set to verbose, the source IP address of the unknown agent is listed in an error like this:

2014-03-07 09:55:21,121, [[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'], (AgentAccessSQL.java:130), trace.com.rsa.authmgr.internal.admin.common.dal.sql.DataObjectAccessSql, ERROR, PACEC81.credito.bcp.com.pe,,,,Unable to lookup class com.rsa.authmgr.internal.admin.agentmgt.dal.Agentwith ip address:

To increase the trace level to verbose, log in to the Security Console > Setup > System Settings. Then click Logging. Select the primary and/or replica. Set Trace level to verbose.

Cause: A silent discard is a dropped authentication request with no entry in the Real Time Authentication Monitor or Authentication Activity Report. In AM 8, requests from unknown authentication agents are silently discarded. This is still true as of Q1 2014 with AM 8.0.7 and AM 8.1.0, but may change in the future.
A silent discard can also occur when the AM 8.x server does a reverse name lookup (nslookup <ip address>) of the agent IP address and DNS or /etc/hosts returns a name different from the configured agent name (including no name at all). This should be fixed in AM 8.0 P8.
Resolution: If no authentication agent exists, create one.
If the agent exists but you still get silent discards, verify that:
 1. The IP address is correct
 2. Agent is not disabled
 3. Agent Name is spelled correctly - compare it with the reverse DNS lookup of the IP; if nslookup <IP_address> returns a name different from the one in the Authentication Agent, either fix name resolution or change the name in the Security Console
 4. You may need to delete and re-create the Authentication Agent
If this is a RADIUS client, you may need to regenerate the node secret for the RADIUS Server entry, or the RADIUS Client's associated Agent host.  RADIUS silent discards can be seen in RADIUS client statistics.
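The following is an added triage helper, not RSA code: it pulls the source IPs out of the verbose imsTrace.log "Unable to lookup class ... Agent with ip address" errors shown above and then classifies each IP against the agents configured in the Security Console using the reverse-lookup rule from the Cause section. The log lines, agent list, hostnames and IPs are constructed samples; the case-insensitive name comparison and the resolver injection are assumptions made for testability.

```python
import re
import socket
from collections import Counter

# Error written to imsTrace.log at verbose trace level when a request's
# source IP matches no configured authentication agent (IP follows "ip address:").
UNKNOWN_AGENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}),.*"
    r"Unable to lookup class .*Agent\s*with ip address:\s*(?P<ip>\d+(?:\.\d+){3})")

def _trace_line(ts, ip):
    # Constructed sample line in the imsTrace.log format quoted in the article.
    return (f"{ts}, [[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default "
            "(self-tuning)'], (AgentAccessSQL.java:130), trace.com.rsa.authmgr.internal."
            "admin.common.dal.sql.DataObjectAccessSql, ERROR, am-primary.example.com,,,,"
            f"Unable to lookup class com.rsa.authmgr.internal.admin.agentmgt.dal.Agentwith ip address: {ip}")

SAMPLE_LOG = "\n".join([                       # constructed, not a real capture
    _trace_line("2014-03-07 09:55:21,121", "192.0.2.10"),
    _trace_line("2014-03-07 09:55:22,004", "192.0.2.10"),
    _trace_line("2014-03-07 09:55:30,500", "198.51.100.7"),
    "2014-03-07 09:55:31,000, [[ACTIVE] ExecuteThread: '3' ...], INFO, unrelated message",
])

def unknown_agent_hits(log_lines):
    """Return {source_ip: count} of silently discarded requests found in the trace log."""
    hits = Counter()
    for line in log_lines:
        m = UNKNOWN_AGENT_RE.search(line)
        if m:
            hits[m.group("ip")] += 1
    return dict(hits)

def reverse_name(ip, resolver=socket.gethostbyaddr):
    """Reverse-lookup ip as the AM server does; '' when no name comes back."""
    try:
        return resolver(ip)[0]
    except OSError:          # socket.herror/gaierror are OSError subclasses
        return ""

def check_agent(ip, configured_agents, resolver=socket.gethostbyaddr):
    """Classify one source IP: 'no-agent', 'name-mismatch' or 'ok'.

    configured_agents maps agent IP -> agent name as entered in the Security Console.
    """
    name = configured_agents.get(ip)
    if name is None:
        return "no-agent"            # resolution step 1: create the agent
    resolved = reverse_name(ip, resolver)
    if resolved.lower() != name.lower():   # assumption: DNS names compare case-insensitively
        return "name-mismatch"       # fix DNS or /etc/hosts, or rename the agent
    return "ok"
```

Run it against a copy of /opt/rsa/am/server/logs/imsTrace.log and the agent list exported from the Security Console; IPs reported as no-agent or name-mismatch are the ones that will never appear in the Authentication Monitor.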
Legacy Article ID: a64464