Silent discard of authentication requests in RSA Authentication Manager 8.0 and 8.1; Authentication fails without log entry
Originally Published: 2014-03-10
Article Number
Applies To
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.0.x, 8.1.0
Issue
Authentication requests are silently discarded, or dropped, with nothing displayed in the Real Time Authentication Monitor or Authentication Activity Report.
Running tcpdump, Wireshark or sniffer network packet capture shows authentication requests set from the agent on 5500 UDP, but there are no replies coming back out of the Authentication Manager server.
See article 000016395 - Using tcpdump to troubleshoot authentication issues with RSA Authentication Manager 8.x for instructions using the tcp dump command.
Following the steps in the article, run the command ./tcpdump -i eth0 -s 1514 -Z root port 5500.
In addition, proof of a silent discards will be seen in the /opt/rsa/am/server/logs/imsTrace.log
If logging is set to verbose, (see 000018205 - How to turn on/off verbose offline authentication logging), the source IP address of the unknown agent will be listed as an error. For example,
2014-03-07 09:55:21,121, [[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'], (AgentAccessSQL.java:130),
trace.com.rsa.authmgr.internal.admin.common.dal.sql.DataObjectAccessSql,
ERROR, PACEC81.credito.bcp.com.pe,,,,Unable to lookup class
com.rsa.authmgr.internal.admin.agentmgt.dal.Agentwith ip address: 192.168.1.5
Cause
In Authentication Manager 8.0 and the base version of 8.1, auth requests from unknown authentication agents were silently discarded.
Silent discards can also occur when the Authentication Manager 8.x server does a reverse name lookup (for example, nslookup <IP_address>) of the agent's IP address and a name that is different from the configured agent name (including no name) is returned from DNS or /etc/hosts. This should be fixed in Authentication Manager 8.0 patch 8.
Resolution
If the agent exists but you still get silent discards, verify that:
- The IP address is correct.
- The agent is not disabled
- The gent name is spelled correctly. Compare with reverse DNS lookup of the IP address. If nslookup <IP_address> returns a name different then what is listed for the agent, either fix name resolution or change the name in the Security Console.
- You may need to delete and re-create the agent.
- If this is a RADIUS client, you may need to regenerate the node secret for the RADIUS server entry, or the RADIUS client's associated agent. RADIUS silent discards can be seen in RADIUS client statistics.
Related Articles
How to call a stored procedure from the Generic Database AFX Connector in RSA Identity Governance & Lifecycle Number of Views Verid - Improve accuracy of displayed pass/fail rate statistics per question type in Question Summary report Number of Views Functionality requiring the retrieval of encrypted passwords is failing after a database restore in RSA Identity Governanc… Number of Views RSA Identity Governance & Lifecycle XARecoveryModule generates an XAException when attempting to roll back changes in fail… Number of Views Error "com.rsa.ims.security.keymanager.sys.MissingSystemKeysException: System fingerprint encrypted key is missing" on RS… Number of Views
Trending Articles
RSA Authentication Manager 8.9 Release Notes (January 2026) RSA announces the availability of the RSA SecurID Hardware Appliance 230 based on the Dell PowerEdge R240 Server How to troubleshoot Oracle database ORA-04030 errors in RSA Identity Governance & Lifecycle RSA Authentication Manager Upgrade Process Microsoft SQL Server Collectors can no longer connect to the SQL Server database after upgrade to Microsoft SQL Server 201…
Don't see what you're looking for?
