000035915 - Troubleshooting RSA SecurID Access Identity Router to RSA Authentication Manager test connection failures

Document created by RSA Customer Support Employee on Sep 21, 2018. Last modified by RSA Customer Support Employee on Feb 7, 2020.
Version 3

Article Content

Article Number
000035915

Applies To
RSA Product Set: SecurID Access
RSA Product/Service Type: Authentication Manager, Identity Router (IDR)

Issue
After following the steps in "Enable RSA SecurID Token Users to Access Resources Protected by the Cloud Authentication Service", the Platform > Authentication Manager > Test Connection indicates a failure communicating from the identity router (IDR) to the RSA Authentication Manager.

Cause
There are several possible causes for IDR > RSA Authentication Manager test connection failures. These include:
  • An authentication agent name configured in Platform > Authentication Manager > Connection Settings that does not match the agent name configured in RSA Authentication Manager.
  • The IDR cannot resolve the RSA Authentication Manager host name, or the network is blocking the SecurID traffic on TCP port 5500.
  • The sdconf.rec file from the RSA Authentication Manager contains invalid certificate data. 
  • An incorrect sdconf.rec file was uploaded into the Administration Console's Platform > Authentication Manager > Connection Settings.
  • IDR cannot resolve its own host name.

Resolution
Hover over the test failure in the Admin Console UI to see the error details:
  1. If the error message is "The agent name entered is not defined in the Authentication Manager", confirm that the authentication agent name configured on the SecurID Access side is an exact match of the agent name configured on the RSA Authentication Manager. Also confirm that RSA Authentication Manager replication is working (that is, all replicas also have the IDR agent name in their list of agents).
  2. If the error message is "Cannot reach the Authentication Manager with the specified host address", confirm that the IDR can resolve the RSA Authentication Manager host name. Access SSH for Identity Router Troubleshooting and verify name resolution with nslookup:

nslookup <Authentication Manager fully qualified hostname>


  3. If name resolution is not a problem, then view the IDR's /var/log/symplified/symplified.log from the Administration Console UI or from a downloaded log bundle to see if a problem is logged.
  4. Verify that nothing is blocking traffic between the IDR and RSA Authentication Manager. Running a wget command should successfully connect and return data:

wget --no-check-certificate --bind-address <IDR management IP> https://<AM IP>


  5. See article 000035849 - RSA SecurID Access Authentication Manager Test Connection Fails to check if there is a problem with the sdconf.rec Authentication Manager root certificate.
  6. If the error message is "Cannot connect to the Authentication Manager due to unknown error" and the IDR's symplified.log shows errors like those below, ensure that a valid sdconf.rec file (not the AM_Config.zip file that contains it, for example) was uploaded to the Administration Console's Platform > Authentication Manager > Connection Settings.

2019-12-16/20:22:30.621/UTC [Thread-343743] FATAL com.rsa.authagent.authapi.v8.logger.b[?] - Exception unmarshalling type: java.lang.Class Exception: Content is not allowed in prolog.
2019-12-16/20:22:30.622/UTC [Thread-343743] ERROR com.rsa.authagent.authapi.v8.logger.b[?] - {RealmConfig.updateNewProtocolInfo} Invalid config file Invalid bootstrap data
2019-12-16/20:22:30.622/UTC [Thread-343743] ERROR com.rsa.authagent.authapi.v8.logger.b[?] - Invalid configuration fileInvalid bootstrap data
2019-12-16/20:22:30.622/UTC [Thread-343743] ERROR com.rsa.nga.sidproxy.AuthSessionFactoryManager[224] - unable to connect to the AM server


  7. If the IDR's symplified.log shows an error like the one below (where IDRHOSTNAME is the IDR's proxy or single-NIC interface hostname), try adding a static DNS entry that maps the IDR hostname to its IP address. This can be done from the Cloud Administration Console > Platform > Identity Router > Edit > Settings > Static DNS Entries.

2019-11-08/16:29:28.607/UTC [pool-4-thread-11] ERROR com.rsa.nga.sidproxy.SidAuthentication[265] - Failed to verify session factory com.rsa.authagent.authapi.AuthAgentException: com.rsa.authagent.authapi.AuthAgentException: the current host is unknownIDRHOSTNAME: IDRHOSTNAME: Name or service not known IDRHOSTNAME: IDRHOSTNAME: Name or service not known


  8. If the error message is "Cannot connect to the Authentication Manager due to unknown error" and the IDR's symplified.log is not providing enough information, please contact RSA Customer Support and reference this article.
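
The log checks in the resolution steps above can be scripted against a symplified.log taken from a downloaded log bundle. The following is an added example, not RSA code: the function names and finding labels (triage_log, looks_like_zip, write_sample_log, SDCONF_INVALID, IDR_HOST_UNRESOLVED, NO_KNOWN_SIGNATURE) are hypothetical, and the sample lines are taken from the excerpts in this article.

```shell
#!/bin/sh
# Added example, not RSA code: triage a symplified.log against this article's signatures.

# triage_log FILE: print one finding per signature found; return 1 if none matched.
triage_log() {
    log=$1; rc=1
    # Bootstrap/XML parse failure: the uploaded file is not a usable sdconf.rec.
    if grep -Eq 'Invalid bootstrap data|Content is not allowed in prolog' "$log"; then
        echo "SDCONF_INVALID: upload sdconf.rec itself, not the AM_Config.zip that contains it"
        rc=0
    fi
    # The IDR cannot resolve its own host name; pull the name out of the message.
    if grep -q 'the current host is unknown' "$log"; then
        host=$(sed -n 's/.*the current host is unknown *\([^: ]*\):.*/\1/p' "$log" | head -n 1)
        echo "IDR_HOST_UNRESOLVED: add a static DNS entry for $host"
        rc=0
    fi
    [ "$rc" -eq 0 ] || echo "NO_KNOWN_SIGNATURE: contact RSA Customer Support and reference this article"
    return "$rc"
}

# looks_like_zip FILE: true when FILE starts with the ZIP magic bytes "PK",
# meaning the archive was selected for upload instead of the sdconf.rec inside it.
looks_like_zip() {
    [ "$(head -c 2 "$1" 2>/dev/null)" = "PK" ]
}

# write_sample_log FILE: sample input built from the log excerpts in this article.
write_sample_log() {
    cat > "$1" <<'EOF'
2019-12-16/20:22:30.621/UTC [Thread-343743] FATAL com.rsa.authagent.authapi.v8.logger.b[?] - Exception unmarshalling type: java.lang.Class Exception: Content is not allowed in prolog.
2019-12-16/20:22:30.622/UTC [Thread-343743] ERROR com.rsa.nga.sidproxy.AuthSessionFactoryManager[224] - unable to connect to the AM server
2019-11-08/16:29:28.607/UTC [pool-4-thread-11] ERROR com.rsa.nga.sidproxy.SidAuthentication[265] - Failed to verify session factory com.rsa.authagent.authapi.AuthAgentException: com.rsa.authagent.authapi.AuthAgentException: the current host is unknownIDRHOSTNAME: IDRHOSTNAME: Name or service not known IDRHOSTNAME: IDRHOSTNAME: Name or service not known
EOF
}

# Demo: triage the file given as $1, or the built-in sample when none is given.
if [ -n "${1:-}" ]; then
    triage_log "$1" || true
else
    sample=$(mktemp) && write_sample_log "$sample"
    triage_log "$sample" || true
    rm -f "$sample"
fi
```

Run looks_like_zip on the file chosen for upload before submitting it in Connection Settings; a match means the archive was picked rather than the sdconf.rec it contains.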
