Troubleshooting Identity Router Issues

Document created by RSA Information Design and Development on Jul 13, 2016Last modified by RSA Information Design and Development on Jul 26, 2019
Version 40Show Document
  • View in full screen mode

Use the Identity Router Setup Console Diagnostics > Troubleshooting page to troubleshoot identity router issues.

Enable Emergency SSH

You can use Secure Shell (SSH) to access the command line and troubleshoot problems related to your identity router. You access SSH using the idradmin account. Typically you should configure SSH in the Cloud Administration Console as described in Access SSH for Identity Router Troubleshooting. If the identity router is unable to connect to the Cloud Administration Console (for example, during identity router setup), you can enable emergency SSH on the identity router using the Identity Router Setup Console.

Enabling SSH in the Identity Router Setup Console provides the same functionality as accessing SSH in the Cloud Administration Console with one exception. In the Cloud Administration Console, you can limit connectivity to the identity router by specifying source networks in the SSH firewall rule. In the Identity Router Setup Console, any network component can access the identity router when you enable SSH. Because of this, enable emergency SSH only for a specified period of time and then disable it.

The published SSH firewall setting in the Cloud Administration Console overrides the SSH setting in the Identity Router Setup Console. For example, suppose an administrator enables emergency SSH in the Identity Router Setup Console. Then another administrator removes the SSH firewall setting on the identity router in the Cloud Administration Console and publishes the changes. The Identity Router Setup Console disables emergency SSH.

RSA has verified compatibility with these SSH clients:

  • Cygwin:mintty: 2.7.9 (OpenSSH 7.5p1, OpenSSL 1.0.2k)

  • MobaXterm: 10.2

  • PuTTY: 0.70

  • JSch: 0.1.54

Note:  You cannot execute su root or su ssouser.

Before you begin 

You must have sign-in credentials for the Identity Router Setup Console.

Procedure 

  1. Open a web browser and do one of the following:
    • For Amazon cloud-based identity routers, go to https://<identityrouterIP>:9786/setup.jsp, where <identityrouterIP> is the private IP address of the identity router.
    • For VMware and Hyper-V identity routers, go to https://<identityrouterIP>/setup.jsp, where <identityrouterIP> is the IP address of the identity router management interface.
  2. Sign into the Identity Router Setup Console.
  3. Click Diagnostics> Troubleshooting, and select Enabled under SSH Configuration.

    Disable SSH when you complete your troubleshooting.

  4. Sign in to the same network where the identity router is running.
  5. To access the identity router using a supported SSH client, enter:

    ssh idradmin@<idr_managementipaddress>

Enable Emergency Debug Logging

You can use the Identity Router Setup Console to enable debug logging for in-depth troubleshooting if the identity router is unable to connect to the Cloud Authentication Service. After the identity router is registered and connected to the Cloud Authentication Service, use the Cloud Administration Console to enable debug logging. For instructions, see Set the Identity Router Logging Level.

Note:  RSA recommends that you disable debug logging as soon as troubleshooting is complete.

Procedure 

  1. In the Identity Router Setup Console, click Diagnostics > Troubleshooting.

  2. Select Enabled under Log Settings and Collection.

    Debug logging begins immediately after you enable this feature, and the Cloud Administration Console displays the identity router debug status as DEBUG.

If you change and save the Log Level setting in the Cloud Administration Console, the change overwrites this setting in the Identity Router Setup Console.

Generate and Download the Identity Router Log Bundle

You can configure collection of identity router logs, download the files to your local file system in a zip file, and use the data for investigating problems on the identity router. The default log level is STANDARD. You can set the level as DEBUG in the Cloud Administration Console or Identity Router Setup Console. Typically, you set the level in the Cloud Administration Console as described in Set the Identity Router Logging Level. If you cannot connect to the Cloud Administration Console, you can set the debug level in the Identity Router Setup Console. For a list of files in the log bundle, see Contents of Identity Router Log Bundle.

Note:   To save an existing log bundle, be sure to download it from the identity router and save it to your local file system before you generate a new bundle.

Before you begin 

  • You must be a Super Admin in the Cloud Administration Console.
  • The identity router must be installed and configured to connect to resources on your network. For more information, see Deploying an Identity Router.

Procedure 

  1. Open a web browser and do one of the following:
    • For Amazon cloud-based identity routers, go to https://<identityrouterIP>:9786/setup.jsp, where <identityrouterIP> is the private IP address of the identity router.
    • For VMware and Hyper-V identity routers, go to https://<identityrouterIP>/setup.jsp, where <identityrouterIP> is the IP address of the identity router management interface.
  2. In the Identity Router Setup Console, click Diagnostics > Troubleshooting.
  3. Click Generate New Log Bundle.

    The log bundle is generated on the identity router. The log bundle is available for download until one of the following occurs:

    • You generate a new log bundle.
    • You delete the log bundle.
    • It is automatically removed after seven days.
  4. To download a copy of the log bundle, click Download Logs.
  5. Save the file to your local file system.

 

 

You are here
Table of Contents > Troubleshooting > Troubleshooting Identity Router Issues

Attachments

    Outcomes