Resolution: Check the IDR's Network Diagnostics to see if the IDR is able to communicate with the Access Console. Refer to the article on how to view network diagnostics on an Identity Router for instructions.
- If the IDR can communicate with the Access Console, the network diagnostics will show:
Secure Connection (tun0)
Connection State: Connected
- If the IDR is still Inactive in the Access Console, the IDR and the console may just need more time to complete their initial setup sequence.
- If the IDR cannot communicate with the Access Console, the network diagnostics will indicate an issue. For example:
Secure Connection (tun0)
Connection State: Not connected. Cannot connect to the hosted service.
To troubleshoot configuration, systematically check each item as follows:
- If you have not done so already, download and complete the current version of either the RSA SecurID Access SSO Agent Solution Architecture Workbook - US Region or the RSA SecurID Access SSO Agent Solution Architecture Workbook - EMEA Region for the region where RSA hosts the Cloud component of your deployment (currently either US or EMEA). Workbooks are available from page (maintenance contract required). The region for your deployment can be determined from the URL you use to log in to the Access Console:
- When completing the workbook, use the spreadsheet tab that best describes the architecture of your deployment (that is, one IDR, IDR with standby, HA, HA with Single Standby, etc.).
- Enter your deployment-specific data only into the pale yellow cells.
- The items that must be configured for RSA SecurID Access will be automatically generated in the bottom half of the spreadsheet page, under the heading Your Summary, based on the data you enter into the yellow cells. It is therefore vital that you ensure the data you enter into the yellow cells is 100% correct.
If the above does not resolve the issue, some additional steps can be taken:
- Step through the tasks given in the Setup Checklist for the SSO Agent and Identity Assurance, starting at Task 1 and completing all tasks up to and including the task to "install and configure the identity router." Compare what you have configured to the values specified under Your Summary in the RSA SecurID Access SSO Agent Solution Architecture Workbook that you completed.
- After making any configuration adjustments that may be necessary, try once again to connect the Identity Router to the Administration Console.
- Check the IDR's Network Diagnostics again to see if there has been any change. If the status is now Connected or Connecting, you may just need to wait a while longer for the IDR to show as Active in the Access Console.
- Contact your network administrators and your ISP to discuss any issues that may be preventing connectivity. Check the gateway, firewall (confirm that all ports listed in the Workbook under Your Summary are open), NAT, DNS (configured as specified in the Workbook under Your Summary), etc.
- Check the page to ensure you haven't missed any downtime notifications for the Cloud service that may be impacting your deployment.
- Generate and Download an Identity Router Log Bundle, and inspect it for event messages that may indicate the cause of the problem. Click Contents of Identity Router Log Bundle to view a description in the online help of the major files in the bundle.
- Contact RSA Customer Support for assistance if required. Support may ask you to grant RSA Customer Support access to your account in the Access Console for an appropriate period of time, if it has not already been granted.
- RSA strongly recommends that you Follow the page and check the Inbox option, to be emailed automatically by RSA about upgrades, planned maintenance, outages and anything else that may affect the service.
- When registration of a new IDR is failing, there is no benefit in deleting the IDR object from the Access Console. You can, if you need to, delete the IDR's VM image from your VMware server and create a new one, and you can go back into the Access Console and generate a new registration code to try again with the new VM image. Deleting an IDR from the Access Console should not be done unless you have been advised to do so by RSA Support.
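
For the gateway, firewall, NAT and DNS check in the steps above, the following added example (not RSA code) separates DNS failures from dropped and rejected TCP connections so the result can be handed to your network administrators. The endpoint list is a constructed placeholder to be replaced with the hosts and ports from Your Summary, and the script is assumed to run from a host on the same network segment as the IDR.

```python
import socket

# Constructed placeholders: substitute the hostnames and ports listed under
# "Your Summary" in your completed Workbook. These are not real endpoints.
ENDPOINTS = [("cloud-endpoint.example.invalid", 443)]

# What each failure stage suggests, mapped to the items in the checklist above.
HINTS = {
    "ok": "TCP path is open from this host",
    "dns": "name did not resolve: check the DNS servers configured per the Workbook",
    "timeout": "no reply: traffic is probably dropped by a firewall, gateway or NAT rule",
    "refused": "host answered but rejected the port: check firewall rules and the port number",
    "error": "other network error: check routing and the default gateway",
}

def check_endpoint(host, port, timeout=5.0):
    """Return (stage, detail); stage is one of the keys of HINTS."""
    try:
        addrs = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return ("dns", f"{host}: {exc}")
    result = ("error", f"{host}: no usable address")
    for family, socktype, proto, _name, sockaddr in addrs:
        try:
            with socket.socket(family, socktype, proto) as sock:
                sock.settimeout(timeout)
                sock.connect(sockaddr)
            return ("ok", f"{sockaddr[0]}:{port}")
        except socket.timeout:
            result = ("timeout", f"{sockaddr[0]}:{port}")
        except ConnectionRefusedError:
            result = ("refused", f"{sockaddr[0]}:{port}")
        except OSError as exc:
            result = ("error", f"{sockaddr[0]}:{port}: {exc}")
    return result

def report(endpoints, timeout=5.0):
    """Build one summary line per endpoint for sharing with network administrators."""
    lines = []
    for host, port in endpoints:
        stage, detail = check_endpoint(host, port, timeout)
        lines.append(f"{host}:{port} -> {stage.upper()} ({detail}); {HINTS[stage]}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(ENDPOINTS)))
```

An OK result only confirms the TCP path from the host running the script; the IDR's own Network Diagnostics remain the authoritative check.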