|Applies To||RSA Product Set: SecurID Access|
|Issue||Connectivity between the identity router (IDR) and its SecurID Access cloud tenant is being questioned.|
|Resolution||A helpful troubleshooting step is to try accessing the Secure Connector health.api URL. Do this from a browser on the same subnet as the IDR proxy interface, or directly from the IDR using the wget command.|
The URL is of the form <tenant id>.auth.securid.com/secure-connector-fe/health.api, where <tenant id> is the value that is initially set in the Administrator Console under My Account > Company Settings > Company Information tab > Company ID field.
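The following is an example wget command from the IDR command line. The --bind-address switch should specify the IDR's proxy IP address. Connection OK is returned when successful. Note that --no-check-certificate disables server certificate validation, so a successful result confirms reachability but does not verify the identity of the responding server.
See Access SSH for Identity Router Troubleshooting to access the IDR command line. Alternatively, SSH can be enabled on the IDR from its Setup page (Enable Emergency SSH):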
[firstname.lastname@example.org ~]$ wget --no-check-certificate --bind-address <IDR Proxy IP> https://mycompany.auth.securid.com/secure-connector-fe/health.api
--2019-01-09 21:58:28-- https://mycompany.auth.securid.com/secure-connector-fe/health.api
Resolving mycompany.auth.securid.com... 220.127.116.11
Connecting to mycompany.auth.securid.com|18.104.22.168|:443... connected.
HTTP request sent, awaiting response... 200
Length: 13 [text/plain]
Saving to: `health.api.1'
100%[==========================================================>] 13 --.-K/s in 0s
2019-01-09 21:58:30 (2.70 MB/s) - `health.api.1' saved [13/13]
[email@example.com ~]$ more health.api
The above wget command checks HTTPS (and also TCP and IP level) connectivity from the identity router to the Current Cloud IP address only. The Cloud Authentication Service Connection IP addresses for each identity router are listed on the identity router's status page in the Cloud Administration Console.
To check connectivity to any of the Alternate Cloud IP addresses listed on the identity router's status page, use the following command instead of wget:
openssl s_client -connect <alternate-cloud-ip-address>:443
If a connection to any Current or Alternate Cloud IP address is failing, check the TLS connection handshake by adding the -state parameter as follows:
openssl s_client -connect <cloud-ip-address>:443 -state
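The following is an added example, not part of the RSA article: a shell helper that reads the output of the openssl s_client -state command above and reports whether the failure was at TCP connect or at a particular TLS handshake state. The function names and the sample transcripts are constructed for illustration, modelled on OpenSSL 1.1.1 wording; state strings differ between OpenSSL versions.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; samples are constructed,
# modelled on OpenSSL 1.1.1 wording (state strings vary between versions).

# Read `openssl s_client ... -state` output on stdin; print how far it got.
classify_handshake() {
    awk '
        /connect:errno=/         { tcp_fail = 1 }
        /^SSL3 alert /           { alert = $0 }
        /^SSL_connect:error in / { sub(/^SSL_connect:error in /, ""); failed_at = $0; next }
        /^SSL_connect:/          { sub(/^SSL_connect:/, ""); last = $0 }
        END {
            if (tcp_fail) {
                print "TCP_FAILED"
            } else if (failed_at != "") {
                printf "TLS_FAILED at \"%s\"", failed_at
                if (alert != "") printf " (%s)", alert
                printf "\n"
            } else if (last != "") {
                printf "TLS_OK last state \"%s\"\n", last
            } else {
                print "NO_STATE_OUTPUT"
            }
        }'
}

# Live check of one Current or Alternate Cloud IP (needs network access).
# -state output goes to stderr, hence 2>&1; </dev/null ends the session.
check_ip() {
    openssl s_client -connect "$1:443" -state </dev/null 2>&1 | classify_handshake
}

sample_tcp_refused() {
    printf '%s\n' 'connect: Connection refused' 'connect:errno=111'
}
sample_handshake_failed() {
    printf '%s\n' 'CONNECTED(00000003)' \
        'SSL_connect:before SSL initialization' \
        'SSL_connect:SSLv3/TLS write client hello' \
        'SSL3 alert read:fatal:handshake failure' \
        'SSL_connect:error in SSLv3/TLS write client hello'
}
sample_handshake_ok() {
    printf '%s\n' 'CONNECTED(00000003)' \
        'SSL_connect:before SSL initialization' \
        'SSL_connect:SSLv3/TLS write client hello' \
        'SSL_connect:SSLv3/TLS read server hello' \
        'SSL_connect:SSLv3/TLS read finished'
}
```

On the IDR, run check_ip <cloud-ip-address> once for each Current and Alternate Cloud IP listed on the status page; a TLS_FAILED result that names an early state with a fatal alert usually points at a device between the IDR and the cloud rather than at basic routing.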
Cloud Authentication Service IP addresses intentionally do not respond to ICMP ECHO, so it is not possible to get a response if you ping a Cloud IP. Contact RSA Support for further troubleshooting assistance if required.