000011960 - Lookup authentication agent by IP address xxx.xxx.xxx.xxx

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000011960
Applies ToRSA Authentication Manager 7.1
RSA Appliance 3.0
IssueUser ID = SYSTEM
Authentication agent not found
Time          Activity Key           Description                                 Reason                     User         Agent      Server Node      Client         
                                                                                                           ID                      IP               IP             
2010-12-13    Lookup Authentication  Lookup authentication agent by IP address   Authentication agent not   SYSTEM       N/A      N/A             
08:32:39.547  agent                  ?                             found                                                                               

The Agent and Client IP fields are listed as "N/A" and the User ID is listed as "SYSTEM" , however the description field correctly identifies that an authentication has been sent from a device with an IP address of

An authentication has been sent from a device where the Source IP address (which could be seen in a network trace) cannot be found as an IP address of any known Authentication Agent in the RSA Authentication Manager 7.1 system (the system will look both at the IP address field for the agent and any Alternate IP Addresses listed.   

The User ID field cannot be interpreted (as the data packet is encrypted) and so shows up as "SYSTEM"


The first thing to consider is whether the IP address ("" in this example) is a valid address, this might be a hack attempt from a device which should not be on your network!

If the address is valid then you should either add a new Authentication Agent to your RSA Authentication Manager 7.1 or identify that it should be an existing agent but is coming from a different IP address than what was expected (this maybe due to DHCP, someone manually changing and IP address, DNS having a wrong entry or maybe just a mis-type somewhere)

Legacy Article IDa53184