Troubleshooting RSA SecurID Access Identity Router to RSA Authentication Manager test connection failures
Originally Published: 2018-01-12
Article Number
Applies To
RSA Product/Service Type: Authentication Manager, Identity Router (IDR)
Issue
Cause
- The authentication agent name configured in Platform > Authentication Manager > Connection Settings does not match the agent name that is configured in RSA Authentication Manager.
- The IDR cannot resolve the RSA Authentication Manager hostname, or the network is blocking the SecurID 5500 TCP traffic.
- The sdconf.rec file from the RSA Authentication Manager contains invalid certificate data.
- An incorrect sdconf.rec file was uploaded into the Administration Console's Platform > Authentication Manager > Connection Settings.
- The IDR cannot resolve its own hostname.
- The sdconf.rec was not successfully published to the IDR.
Resolution
- If the error message is "The agent name entered is not defined in the Authentication Manager", confirm that the authentication agent name that is configured on the RSA SecurID Access side is an exact match of the agent name that is configured on the RSA Authentication Manager. Also confirm that RSA Authentication Manager replication is working (that is, all replicas also have the IDR agent name in their list of agents).
- If the error message is "Cannot reach the Authentication Manager with the specified host address", confirm that the IDR can resolve the RSA Authentication Manager hostname by following Access SSH for Identity Router Troubleshooting and verify name resolution with nslookup:
nslookup <RSA Authentication Manager fully qualified hostname>
- If name resolution is not a problem, then view the IDR's /var/log/symplified/symplified.log from the Administration Console UI or from a downloaded log bundle to see if a problem is logged.
- Verify that nothing is blocking traffic between the IDR and RSA Authentication Manager. Running a wget command should successfully connect and return data:
wget --no-check-certificate --bind-address <IDR management IP> https://<RSA Authentication Manager IP address>
- See article 000035849 - RSA SecurID Access Authentication Manager Test Connection Fails to check if there is a problem with the sdconf.rec Authentication Manager root certificate.
- If the error message is "Cannot connect to the Authentication Manager due to unknown error" and the IDR's symplified.log shows errors like those shown below, ensure that a valid sdconf.rec file (not the AM_Config.zip file that contains it, for example) was uploaded to the Administration Console's Platform > Authentication Manager > Connection Settings:
2019-12-16/20:22:30.621/UTC [Thread-343743] FATAL com.rsa.authagent.authapi.v8.logger.b[?] - Exception unmarshalling type: java.lang.Class Exception: Content is not allowed in prolog.
2019-12-16/20:22:30.622/UTC [Thread-343743] ERROR com.rsa.authagent.authapi.v8.logger.b[?] - {RealmConfig.updateNewProtocolInfo} Invalid config file Invalid bootstrap data
2019-12-16/20:22:30.622/UTC [Thread-343743] ERROR com.rsa.authagent.authapi.v8.logger.b[?] - Invalid configuration fileInvalid bootstrap data
2019-12-16/20:22:30.622/UTC [Thread-343743] ERROR com.rsa.nga.sidproxy.AuthSessionFactoryManager[224] - unable to connect to the AM server
- If the IDR's symplified.log shows an error like the one below (where IDRHOSTNAME is the IDR's proxy or single-NIC interface hostname), try adding a static DNS entry that maps the IDR's portal hostname to its IP address. This can be done from the Cloud Administration Console (Platform > Identity Router > Edit > Settings > Static DNS Entries).
2019-11-08/16:29:28.607/UTC [pool-4-thread-11] ERROR com.rsa.nga.sidproxy.SidAuthentication[265] - Failed to verify session factory com.rsa.authagent.authapi.AuthAgentException: com.rsa.authagent.authapi.AuthAgentException: the current host is unknownIDRHOSTNAME: IDRHOSTNAME: Name or service not known IDRHOSTNAME: IDRHOSTNAME: Name or service not known
  - If the IDR has two NICs:
    - Add a static DNS entry that maps the IDR's portal hostname to its portal interface IP address. Include both the portal hostname FQDN and shortname (separated by a space) as the alias value. See step 14 of Add an Identity Router using the Cloud Administration Console.
  - If the IDR has a single NIC:
    - Add a static DNS entry that maps the IDR's portal hostname to its interface IP address. Include both the portal hostname FQDN and shortname (separated by a space) as the alias value.
- If the error message is "Cannot connect to the Authentication Manager due to unknown error" and the IDR's symplified.log is not providing enough information, contact RSA Customer Support and reference this article.
- If the IDR's symplified.log shows errors like "sdconf.rec does not exist", "sdconf.rec not found", or "unable to write sdconf.rec", contact RSA Customer Support for assistance.
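The log signatures quoted in the steps above can be checked in one pass over a symplified.log taken from the IDR or from a downloaded log bundle. The script below is an added example, not RSA tooling; the function names, result labels and the sample hostname idr1.example.test are assumptions, and the sample log lines are constructed from the excerpts in this article.

```shell
#!/usr/bin/env bash
# Added example (not RSA code): classify a symplified.log by the error
# signatures quoted in this article. Names and labels are assumptions.

triage_symplified_log() {
    log=$1
    found=0
    [ -r "$log" ] || { echo "LOG_UNREADABLE"; return 2; }

    # A file other than sdconf.rec (such as AM_Config.zip) was uploaded.
    if grep -qE 'Content is not allowed in prolog|Invalid bootstrap data' "$log"; then
        echo "INVALID_SDCONF"
        found=1
    fi
    # The IDR cannot resolve its own hostname; report the name that failed.
    line=$(grep -F 'the current host is unknown' "$log" | head -n 1)
    if [ -n "$line" ]; then
        host=$(printf '%s\n' "$line" |
            sed -n 's/.* \([^ :]*\): Name or service not known.*/\1/p')
        echo "IDR_HOSTNAME_UNRESOLVED ${host:-unknown}"
        found=1
    fi
    # sdconf.rec was not published to the IDR.
    if grep -qiE 'sdconf\.rec (does not exist|not found)|unable to write sdconf\.rec' "$log"; then
        echo "SDCONF_NOT_PUBLISHED"
        found=1
    fi
    if [ "$found" -eq 0 ]; then echo "NO_KNOWN_SIGNATURE"; fi
    return 0
}

# Constructed sample lines modelled on the log excerpts in this article.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
2019-12-16/20:22:30.621/UTC [Thread-1] FATAL com.rsa.authagent.authapi.v8.logger.b[?] - Exception unmarshalling type: java.lang.Class Exception: Content is not allowed in prolog.
2019-11-08/16:29:28.607/UTC [pool-4-thread-11] ERROR com.rsa.nga.sidproxy.SidAuthentication[265] - Failed to verify session factory com.rsa.authagent.authapi.AuthAgentException: the current host is unknownidr1.example.test: idr1.example.test: Name or service not known
EOF
    echo "$f"
}

sample=$(make_sample_log)
triage_symplified_log "$sample"
rm -f "$sample"
```

Each label corresponds to one resolution step: INVALID_SDCONF to re-uploading the sdconf.rec file itself, IDR_HOSTNAME_UNRESOLVED to adding the static DNS entry for the reported name, and SDCONF_NOT_PUBLISHED to contacting RSA Customer Support.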