|Applies To||RSA ClearTrust 220.127.116.11|
RSA ClearTrust Agent 18.104.22.168
|Issue||How to troubleshoot network problems with RSA ClearTrust Agent|
When RSA ClearTrust Agent is started, the following two messages are displayed in DBWIN32:
- WARNING: Unable to contact Key Server, Single Sign-On not initialized
- 190: Once the Key Server is up, single sign on will be enabled
The above two messages are generated when the ClearTrust Web Agent cannot communicate with the ClearTrust Key Server/Dispatcher.
The following messages are displayed in DBWIN32 a few minutes after the Agent stops responding to clients:
- 345: *** socket error while talking to ClearTrust server dispatcher at example.domain.com:5608 ***
- 345: Error connecting to key server example.domain.com:5606
The above two messages are generated when the ClearTrust Web Agent lost an already established connection with the ClearTrust Key Server/Dispatcher.
|Resolution||These are some basic troubleshooting notes:|
1. The Web Agent messages can be displayed with the "DBWIN32.exe" tool, located in the "C:\Securant\SecCtrl\IIS Plugin\util" subdirectory of the ClearTrust Web Agent host. This tool is only installed if you choose a full install of the Agent.
2. Check the network status (e.g. intermittent failures, network link failure, faulty hardware, high network utilization, or routing problems), using:
- A protocol analyzer
- Traceroute (UNIX) or tracert (Windows)
- netstat -naP tcp (Solaris) or netstat -na (Windows)
3. Verify the FQDN used in the ClearTrust Web Agent configuration file (default.conf located in the "\Securant\SecCtrl\IIS Plugin\Default_Web_Site\conf" subdirectory) is being resolved to the correct IP address of the ClearTrust backend servers. Use nslookup in interactive mode to verify that both DNS resolution and reverse DNS resolution are working properly.
4. Make sure the correct ports for the ClearTrust backend servers are being used in the default.conf file. The default ports are as follows:
- Dispatcher --> 5608
- Key Server --> 5606
5. Adjust the network timeout as necessary using the "securecontrol.plugin.dispatcher_timeout" parameter in default.conf. The default value is 10 seconds.
6. If there is a Firewall, Proxy, or NAT device blocking the communication between the ClearTrust Web Agent and the ClearTrust backend servers, verify the following:
- That the Firewall policies allow the communication to take place
- For NAT, that you are using the correct translated addresses
- For information about using cookies, see the solution titled "Is it possible for RSA ClearTrust to operate when blocked by a firewall or when cookies are disabled?"
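
The DNS and port checks in steps 2 through 6 can be scripted from the Web Agent host. The following Python script is an added example, not part of the original article or of any RSA tooling; the function names are hypothetical, and the ports and 10-second timeout are the defaults quoted above, applied here as the TCP connect timeout.

```python
import socket
import sys

# Default backend ports as listed in step 4 of the article.
DEFAULT_PORTS = {"Dispatcher": 5608, "Key Server": 5606}

def check_dns(host):
    """Step 3: forward-resolve the FQDN, then reverse-resolve each address."""
    result = {"host": host, "addresses": [], "reverse": {}, "error": None}
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        result["error"] = f"forward lookup failed: {exc}"
        return result
    result["addresses"] = sorted({info[4][0] for info in infos})
    for addr in result["addresses"]:
        try:
            result["reverse"][addr] = socket.gethostbyaddr(addr)[0]
        except OSError:
            result["reverse"][addr] = None  # no reverse (PTR) record found
    return result

def check_port(addr, port, timeout=10.0):
    """Steps 4-6: attempt a TCP connect and classify the outcome."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"  # packets silently dropped: firewall policy or routing
    except ConnectionRefusedError:
        return "refused"  # host reachable but nothing listening: wrong port or service down
    except OSError as exc:
        return f"error: {exc}"  # e.g. no route to host, bad NAT address

def check_backend(host, ports=None, timeout=10.0):
    """Run the DNS check, then probe every backend port on every resolved address."""
    dns = check_dns(host)
    report = {"dns": dns, "ports": {}}
    for addr in dns["addresses"]:
        for name, port in (ports or DEFAULT_PORTS).items():
            report["ports"][(name, addr, port)] = check_port(addr, port, timeout)
    return report

if __name__ == "__main__":
    # Pass the FQDN from default.conf; example.domain.com is the article's placeholder.
    rep = check_backend(sys.argv[1] if len(sys.argv) > 1 else "example.domain.com")
    print("DNS:", rep["dns"])
    for (name, addr, port), status in rep["ports"].items():
        print(f"{name:<10} {addr}:{port} -> {status}")
```

A "timeout" result points toward step 6 (firewall or NAT), while "refused" points toward step 4 (wrong port) or a backend service that is not running.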
|Legacy Article ID||a13939|