000020042 - How to troubleshoot network problems with RSA ClearTrust Agent

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 5

Article Content

Article Number: 000020042
Applies To: RSA ClearTrust 4.6.1.1, RSA ClearTrust Agent 4.6.1.1
Issue: How to troubleshoot network problems with RSA ClearTrust Agent
When RSA ClearTrust Agent is started, the following two messages are displayed in DBWIN32:

- WARNING: Unable to contact Key Server, Single Sign-On not initialized
- 190: Once the Key Server is up, single sign on will be enabled

The above two messages are generated when the ClearTrust Web Agent cannot communicate with the ClearTrust Key Server/Dispatcher.
The following messages are displayed in DBWIN32 a few minutes after the Agent stops responding to clients:

- 345: *** socket error while talking to ClearTrust server dispatcher at example.domain.com:5608 ***
- 345: Error connecting to key server example.domain.com:5606

The above two messages are generated when the ClearTrust Web Agent loses an already established connection with the ClearTrust Key Server/Dispatcher.
Resolution: These are some basic troubleshooting notes:

1. The Web Agent messages can be displayed with the "DBWIN32.exe" tool, located in the "C:\Securant\SecCtrl\IIS Plugin\util" subdirectory of the ClearTrust Web Agent host. This tool is only installed if you choose a full install of the Agent.

2. Check the network status (e.g. intermittent failures, network link failure, faulty hardware, high network utilization, or routing problems), using:
 - A protocol analyzer
 - Traceroute (UNIX) or tracert (Windows)
 - Ping
 - netstat -naP tcp (Solaris) or netstat -na (Windows)

3. Verify the FQDN used in the ClearTrust Web Agent configuration file (default.conf located in the "\Securant\SecCtrl\IIS Plugin\Default_Web_Site\conf" subdirectory) is being resolved to the correct IP address of the ClearTrust backend servers. Use nslookup in interactive mode to verify that both DNS resolution and reverse DNS resolution are working properly.

4. Make sure the correct ports for the ClearTrust backend servers are being used in the default.conf file. The default ports are as follows:

 - Dispatcher    --> 5608
 - Key Server   --> 5606

5. Adjust the network timeout as necessary using the "securecontrol.plugin.dispatcher_timeout" parameter in default.conf. The default value is 10 seconds.

6. If there is a Firewall, Proxy, or NAT device blocking the communication between the ClearTrust Web Agent and the ClearTrust backend servers, verify the following:

 - That the Firewall policies allow the communication to take place
 - For NAT, that you are using the correct translated addresses
 - For information about using cookies, see the solution titled Is it possible for RSA ClearTrust to operate when blocked by a firewall or when cookies are disabled?
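
Steps 3 to 6 can be run as one check from the Web Agent host. The script below is an added example, not RSA code: it resolves the FQDN forward and reverse, then tries a TCP connection to the default Dispatcher and Key Server ports and reports whether each is open, refused, or timed out. The function names are hypothetical, and the FQDN passed on the command line is assumed to be the one configured in default.conf.

```python
import errno
import socket

# Default backend ports and timeout as stated in the article.
DEFAULT_PORTS = {"dispatcher": 5608, "key server": 5606}
DISPATCHER_TIMEOUT = 10.0  # seconds; default of securecontrol.plugin.dispatcher_timeout


def check_dns(fqdn):
    """Forward-resolve fqdn, then reverse-resolve every address it maps to."""
    try:
        infos = socket.getaddrinfo(fqdn, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return {"fqdn": fqdn, "addresses": [], "reverse": {}, "error": str(exc)}
    addresses = sorted({info[4][0] for info in infos})
    reverse = {}
    for addr in addresses:
        try:
            reverse[addr] = socket.gethostbyaddr(addr)[0]
        except (socket.herror, socket.gaierror):
            reverse[addr] = None  # reverse lookup failed for this address
    return {"fqdn": fqdn, "addresses": addresses, "reverse": reverse, "error": None}


def probe_port(address, port, timeout=DISPATCHER_TIMEOUT):
    """Attempt one TCP connect and classify the outcome."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"  # no reply: filtered by firewall/NAT, routing, or timeout too short
    except ConnectionRefusedError:
        return "refused"  # host answered but nothing listens: wrong port or server down
    except OSError as exc:
        no_route = exc.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH)
        return "unreachable" if no_route else "error"


def diagnose(fqdn, ports=DEFAULT_PORTS, timeout=DISPATCHER_TIMEOUT):
    """Return the DNS result plus the state of each backend port per resolved address."""
    dns = check_dns(fqdn)
    results = {addr: {name: probe_port(addr, port, timeout) for name, port in ports.items()}
               for addr in dns["addresses"]}
    return dns, results


if __name__ == "__main__":
    import sys
    dns, results = diagnose(sys.argv[1])  # FQDN of the backend server from default.conf
    print(dns, results, sep="\n")
```

A "refused" result points at step 4 (port or service), a "timeout" at steps 5 and 6 (timeout value, firewall or NAT), and an empty address list or a missing reverse name at step 3.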
Legacy Article ID: a13939
