000034664 - A newly configured RSA SecurID Access Identity Router is in Inactive state in the Administration Console

Document created by RSA Customer Support Employee on Jan 13, 2017
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000034664
Applies To: RSA Product Set: RSA SecurID Access
RSA Product/Service Type: Identity Router
Issue 
Cause
Typical causes include the following:
  • The IDR is correctly configured and can communicate with the Access Console.  However, it does take a while for the initial setup sequence to complete between the IDR and the Access Console.  The time this will take to complete is dependent on the amount of data that must be transferred between the two devices and network latency.
  • There is a configuration issue that is preventing the IDR from successfully connecting to the Access Console.
  • There is a network issue preventing the IDR and the Access Console from communicating.
Resolution
Check the IDR's Network Diagnostics to see if the IDR is able to communicate with the Access Console. Refer to the article on how to view network diagnostics on an Identity Router for instructions.
  • If the IDR can communicate with the Access Console, the network diagnostics will show:
Secure Connection (tun0)
IP: <ip-address>
Mask: 255.255.255.255
Gateway: <gateway-ip>
Server: <server-ip-address>:<server-port>
Connection State: Connected
Status: Up

  • If the IDR is still Inactive in the Access Console, the IDR and the console may just need more time to complete their initial setup sequence.
  • If the IDR cannot communicate with the Access Console, the network diagnostics will indicate an issue.  For example:
Secure Connection (tun0)
IP: null
Mask: null
Gateway: null
Server: <server-ip-address>:<server-port>
Connection State: Not connected. Cannot connect to the hosted service.
Status: Down
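
The check described above can be scripted against diagnostics text copied from the IDR. This is an added example, not RSA code: the sample blocks are the two shown in this article with their placeholders left in, and the function names and returned labels are hypothetical.

```python
import re

# The two tun0 blocks shown in this article, placeholders kept verbatim.
SAMPLE_UP = """Secure Connection (tun0)
IP: <ip-address>
Mask: 255.255.255.255
Gateway: <gateway-ip>
Server: <server-ip-address>:<server-port>
Connection State: Connected
Status: Up
"""
SAMPLE_DOWN = """Secure Connection (tun0)
IP: null
Mask: null
Gateway: null
Server: <server-ip-address>:<server-port>
Connection State: Not connected. Cannot connect to the hosted service.
Status: Down
"""

def parse_tunnel(text):
    """Return the key/value fields of the 'Secure Connection (tun0)' section."""
    fields, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if re.fullmatch(r"Secure Connection \(tun0\)", line):
            in_section = True
        elif in_section and ":" in line:
            key, value = line.split(":", 1)  # split once: Server holds host:port
            fields[key.strip()] = value.strip()
        elif in_section and line:
            break  # a line without a colon is the next section heading
    return fields

def triage(text):
    """Map the tunnel fields to the next step this article recommends."""
    f = parse_tunnel(text)
    if not f:
        return "no-tunnel-section"
    state = f.get("Connection State", "").lower()
    addressed = all(f.get(k, "null") != "null" for k in ("IP", "Mask", "Gateway"))
    if state == "connected" and f.get("Status") == "Up" and addressed:
        return "wait-for-initial-setup"
    if state.startswith("connecting"):
        return "wait-and-recheck"
    return "check-configuration-and-network"
```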

To troubleshoot configuration, systematically check each item as follows:
  1. If you have not done so already, download and complete the current version of either the RSA SecurID Access SSO Agent Solution Architecture Workbook - US Region or the RSA SecurID Access SSO Agent Solution Architecture Workbook - EMEA Region for the region where RSA hosts the Cloud component of your deployment (currently either US or EMEA). Workbooks are available from the RSA SecurID Access Downloads page (maintenance contract required). The region for your deployment can be determined from the URL you use to log in to the Access Console:
  • When completing the workbook, use the spreadsheet tab that best describes the architecture of your deployment (that is, one IDR, IDR with standby, HA, HA with Single Standby, etc.).  
  • Enter your deployment-specific data only into the pale yellow cells.  
  • The items that must be configured for RSA SecurID Access will be automatically generated in the bottom half of the spreadsheet page, under the heading Your Summary, based on the data you enter into the yellow cells.  It is therefore vital that you ensure the data you enter into the yellow cells is 100% correct.
  2. Step through the tasks given in the Setup Checklist for the SSO Agent and Identity Assurance, starting at Task 1 and completing all tasks up to and including the task to "install and configure the identity router." Compare what you have configured to the values specified under Your Summary in the RSA SecurID Access SSO Agent Solution Architecture Workbook that you completed.
  3. After making any configuration adjustments that may be necessary, try once again to connect the Identity Router to the Administration Console.
If the above does not resolve the issue, some additional steps can be taken:
  • Check the IDR's Network Diagnostics again to see if there has been any change.  If the status is now Connected or Connecting you may just need to wait a while longer for the IDR to show as Active in the Access Console.
  • Contact your network administrators and your ISP to discuss any issues that may be preventing connectivity. Check gateway, firewall (that all ports listed in the Workbook under Your Summary are open), NAT, DNS (configured as specified in Workbook Your Summary), etc.
  • Check the RSA SecurID Suite Service Notifications page to ensure you haven't missed any downtime notifications for the Cloud service that may be impacting your deployment. 
  • Generate and Download an Identity Router Log Bundle, and inspect it for event messages that may indicate the cause of the problem.  Click Contents of Identity Router Log Bundle to view a description in the online help of the major files in the bundle.
  • Contact RSA Customer Support for assistance if required. Support may ask you to grant RSA Customer Support access to your account in the Access Console for an appropriate period of time, if it has not already been granted.
Notes
  • RSA strongly recommends that you Follow the RSA SecurID Suite Service Notifications page and check the Inbox option, to be emailed automatically by RSA about upgrades, planned maintenance, outages and anything else that may affect the service.
  • When registration of a new IDR is failing, there is no benefit in deleting the IDR object from the Access Console. You can, if you need to, delete the IDR's VM image from your VMware server and create a new one, and then go back into the Access Console and generate a new registration code to try again with the new VM image. Deleting an IDR from the Access Console should not be done unless you have been advised to do so by RSA Support.
