000025554 - New PIN rejected on first attempt in RSA ACE/Agent 5.0 or Agent based on 5.0 API

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000025554

Applies To:
RSA ACE/Agent 5.0 API
RSA ACE/Server

Issue:
New PIN rejected on first attempt in RSA ACE/Agent 5.0 or Agent based on 5.0 API
The second authentication attempt works
All subsequent authentication attempts work
This may also happen in Next Tokencode mode

Cause: This is a very rare scenario. If the authentication happens shortly after the Agent and Server are first upgraded or installed, while load balancing is still taking place, and there are multiple routes with NAT to the ACE/Server, the IP headers of the authentication packet and the New PIN packet can differ. If this occurs, the ACE/Server will reject the attempt. By the time the user tries again, the load balancing will be complete and all IP headers will be the same.

Resolution: To correct this issue, reauthenticate.

Legacy Article ID: a1722
