000035915 - Troubleshooting RSA SecurID Access Identity Router to RSA Authentication Manager test connection failures

Document created by RSA Customer Support Employee on Sep 21, 2018
Version 1

Article Content

Article Number: 000035915
Applies To: RSA Product Set: SecurID Access
RSA Product/Service Type: Authentication Manager, Identity Router (IDR)
Issue: After following the steps to Enable RSA SecurID Token Users to Access Resources Protected by the Cloud Authentication Service, the Platform > Authentication Manager > Test Connection indicates a failure communicating from the identity router (IDR) to the RSA Authentication Manager.
Cause: There are several possible causes, such as:
  1. An authentication agent name configured in Platform > Authentication Manager > Connection Settings that does not match the agent name configured in Authentication Manager.
  2. The IDR cannot resolve the Authentication Manager hostname or the network is blocking the SecurID 5500 TCP traffic.
  3. The sdconf.rec file from the Authentication Manager contains invalid certificate data. 
Resolution: Hover over the test failure in the Admin Console UI to see error details:
  1. If the error message is "The agent name entered is not defined in the Authentication Manager", confirm that the authentication agent name configured on the SecurID Access side is an exact match of the agent name configured on the Authentication Manager. Also confirm that Authentication Manager replication is working (that is, all replicas also have the IDR agent name in their list of agents).
  2. If the error message is "Cannot reach the Authentication Manager with the specified host address", confirm that the IDR can resolve the Authentication Manager hostname. Access SSH for Identity Router Troubleshooting and verify name resolution with nslookup:

nslookup <Authentication Manager fully qualified hostname>

  3. If name resolution is not a problem, then view the IDR's /var/log/symplified/symplified.log from the Administration Console UI or from a downloaded log bundle to see if a problem is logged.
  4. Verify that nothing is blocking traffic between the IDR and Authentication Manager. Running a wget command should successfully connect and return data (--no-check-certificate skips certificate validation, so this confirms reachability only):

wget --no-check-certificate --bind-address <IDR management IP> https://<AM IP>

  5. See article 000035849 - RSA SecurID Access Authentication Manager Test Connection Fails to check if there is a problem with the sdconf.rec Authentication Manager root certificate.
  6. If the error message is "Cannot connect to the Authentication Manager due to unknown error" and/or the IDR's symplified.log is not providing enough information, please contact RSA Customer Support and reference this article.
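
The decision path in the resolution steps above can be scripted. The following is an added example, not RSA code: it maps the Test Connection error text to the next check and, for the "Cannot reach" case, separates a name resolution failure from blocked TCP 5500 traffic. It assumes a host with bash (/dev/tcp support), getent and timeout; the function names and result labels are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not RSA code). Assumes bash with /dev/tcp, getent and timeout.

AM_PORT=5500   # SecurID TCP port named in the article

# Name resolution through the system resolver (stands in for the nslookup step).
resolve_host() { getent hosts "$1" >/dev/null 2>&1; }

# Plain TCP connect with a 5-second limit; nothing is sent on the socket.
tcp_open() {
    timeout 5 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
}

# triage MESSAGE AM_HOST
# Prints the next step for a Test Connection error message:
#   agent-name, dns, network, check-log-and-sdconf, contact-support, unrecognized
triage() {
    local message=$1 am_host=$2
    case $message in
        *"agent name entered is not defined"*)
            echo agent-name ;;            # compare agent names, check replication
        *"Cannot reach the Authentication Manager"*)
            if ! resolve_host "$am_host"; then
                echo dns                  # IDR cannot resolve the AM hostname
            elif ! tcp_open "$am_host" "$AM_PORT"; then
                echo network              # something blocks TCP 5500 to AM
            else
                echo check-log-and-sdconf # review symplified.log and sdconf.rec
            fi ;;
        *"unknown error"*)
            echo contact-support ;;
        *)
            echo unrecognized ;;
    esac
}

# Usage: ./triage.sh "<error text from Admin Console>" <AM fully qualified hostname>
if [ "$#" -eq 2 ]; then
    triage "$1" "$2"
fi
```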