1. Review the SecurID Access and target application configuration to check for any errors.  The following resources may be useful:
   1. Integration Guides on RSA Link for "out of the box" applications.  Search the page to see if a specific guide is available for the application with which you are working.
   2. RSA SecurID Access Help.  Application, policy, authentication, IDR setup and other configuration guidance is given here.
   3. Product documentation for the application with which you are working.
   4. Check Cloud, IDR and network configuration against the values in your deployment's Solution Architecture Workbook.
2. Try the appropriate Troubleshooting steps for the issue.
3. Reproduce the issue while gathering troubleshooting data:
   1. Set the Identity Router Logging Level to DEBUG on all IDRs in your deployment.
   2. Start client tracing and logging:
      • If you are using a web browser to access the application, Start a Fiddler trace for that web browser.  Make sure decrypt mode is turned on in Fiddler.
      • If you are using a client to access the application, such as a RADIUS or VPN client, start any network tracing or logging facility that may be available in the client.
   3. If you are using RSA Authentication Manager, start the Authentication Activity monitor. 
   4. Test:  Reproduce the issue, and note the date, time and timezone of the attempt and the URL accessed.  Capture and save screenshot(s) of all errors displayed.
   5. Stop client tracing and logging:
      • If you ran a Fiddler trace, stop and save it.
      • If you were using a client application, stop and save all available data from its network trace and logging facilities.
   6. Set the Identity Router Logging Level back to Standard on all IDRs in your deployment.
   7. Save screenshots of the User Event Monitor.  Ensure the screenshots show all activity for the end user(s) when the problem was reproduced in step d. above, including both successes and failures where appropriate.  You will need to take multiple screenshots if the results span more than one page.
      • TIP:  Maximize your browser window, then adjust results per page in conjunction with your browser's zoom function to fit more data onto the screen, and thereby require less screenshots.  However, make sure the data in the screenshot is still large enough to read.
   8. Save a screenshot of the User Management page for all end user(s) you tested with when the problem was reproduced (step d. above)
   9. Generate and Download an Identity Router Log Bundle from all IDRs in your deployment.
   10. If you are using the RSA Authenticate app for step-up authentication, save the RSA Authenticate app logs from the mobile device used during the test. 
   11. Gather applicable third-party logs.  For example:
       1. Audit, application and system logs from the application you are trying to log in to.
       2. Identity source logs, such as Microsoft Active Directory Windows events.
4. Analyze the data gathered above to look for errors or unusual traffic.  Explore these items:
   • Event results in the User Event Monitor.  Note the UTC times of specific events for correlation to other logs.
   • Authentication Manager's Authentication Activity monitor events logged during the test (if applicable).
   • Fiddler or any client trace or log.
   • The Contents of Identity Router Log Bundle .  When the issue was reproduced, the authentication may have been sent to any IDR in your deployment (determined by your load balancer configuration) so all bundle logs must be reviewed.
   • The RSA Authenticate app logs from the mobile device used during the test (if applicable).
   • Third party logs.

RSA Support

• Description of the problem (expected versus actual, frequency, scope, etc), business impact and steps to reproduce.
• History of the problem, including:
  • Date and time (with timezone) of when the problem started
  • Application, network and configuration changes made before the problem started 
  • Any steps that have been taken to try to fix the problem
  • Date and time (with timezone) of IDR upgrades before and after the problem started
• Timezone set in the end users' devices (browser, mobile device, etc) so we can correlate captured data to RSA and other logs.
• Screenshots, URL(s) plus date and time (with timezone) when the issue was reproduced, as described (see step 3. above).
• User ID(s) of affected user(s) for the test that was done.
• Fiddler trace file or client trace and logs captured during the test done above
• All IDR bundle logs downloaded after the test done above
• If Authentication Manager is used:
  • Use the Authentication Activity report template to generate a report of all activity details for the test done above.
  • Current timezone set in your Authentication Manager deployment so that we can correlate the Authentication Manager's Authentication Activity events to the UTC-time events recorded by the Cloud Authentication Service. 
• If the RSA Authenticate app is used for step-up authentication, the RSA Authenticate app logs.
• Grant RSA Customer Support Access to Your Account and provide the configured name of the affected application(s) or authentication client(s).  If that is not possible, then please provide screenshots of the relevant configuration detail screens(s) in the Cloud Authentication Service (Application, Authentication Client, Policy, etc), showing the configuration when the problem occurs.

Third Party Support

• It is strongly recommended to do all the steps above in the order shown.  However, you may skip any item that is not possible in your situation.  
• Contact RSA Customer Support if you need help with these troubleshooting steps or have questions.