SecurID® Discussions

KennethKirchner
Beginner

What are these log errors coming from my Cisco ACS server?

Date & Time: 2017-02-22 10:32:23.198
Log Level: ERROR
Activity Key: Authentication log request
Description: Log request received from agent “huacnmacs03.new.mil” with IP address “x.x.x.35” in security domain “RCC”
Action Result Key: Failure
Result Key: AUTH_LOG_SYNTAX_ERROR
Result: Syntax error
User ID: SYSTEM
Agent Name: huacacs03.new.mil
Agent IP: x.x.x.35
Agent Security Domain: RCC
Authentication Method: N/A
Policy Expression: N/A
Instance Name: huac-rsa.new.mil
Client IPv4: x.x.x.35
Server Node IP: x.x.x.32

I see these log messages in my RSA server quite a bit. Is there some way to prevent them from occurring? We are running ACS v5.8 and AM 8.2.

EdwardDavis
Employee

That can sometimes be tricky to solve.

a) Is the Cisco using RADIUS, and sending both a RADIUS log request as well as an authentication request to the RSA server?

Then the log request secret is not correct. This can be stopped by re-configuring the Cisco side.

b) Other reasons can be internal to the RSA server and the way it handles bad auths.

When the user logs into the agent, a 'requestDatagram' is sent to the server from the agent. In this flow, when the user credentials are not correct, before logging the 'InvalidLogRequest' the server will check if the 'Datagram' received is in the proper format. For some reason it is sometimes not sent in the proper format, so the server logs this 'SYNTAX ERROR' message in the log. The field responsible for the issue is 'LogCode'. This field is sometimes set to '4' (which specifies a syntax error), hence the SYNTAX ERROR message is logged.

So, these things below have been successful in the past at clearing this up [but it just might be normal]:

- Try to do an automatic re-balance (sec console, access, authentication agents, auth manager contact list...)
- Make sure you are on the latest patch (we have 8.2 patch 4 now)
- Reboot all RSA servers


That is a negative on the a) option. The ACS server only queries the RSA server as a SecurID source.

Would a re-balance matter if we only had 1 RSA server? (Not even a replica at the moment, but soon!)

I believe we are on 8.2 Patch 2, so I will look into getting on to P4.

Thanks!


Re-balance shouldn't do anything on a single server, but it still does config checks and whatnot.

This may be the result of bad auth attempts or bad packets on port 5500/udp (it happens, normal stuff) coming from the Cisco; we log a certain error code, and it throws that specific error, which is hard to interpret by itself.

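To check whether the AUTH_LOG_SYNTAX_ERROR records discussed in this thread cluster on one agent or one time window, exported records can be tallied as below. This is an added example, not part of the thread and not RSA tooling; it assumes records in the "Key: Value" layout quoted in the question, separated by blank lines, and the sample IPs and the placeholder result key are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the "Key: Value" layout of the record quoted in the
# question. IPs and PLACEHOLDER_OTHER_RESULT are made up for illustration.
SAMPLE = """\
Date & Time: 2017-02-22 10:32:23.198
Result Key: AUTH_LOG_SYNTAX_ERROR
Agent IP: 192.0.2.35

Date & Time: 2017-02-22 10:47:02.511
Result Key: AUTH_LOG_SYNTAX_ERROR
Agent IP: 192.0.2.35

Date & Time: 2017-02-22 11:05:40.007
Result Key: PLACEHOLDER_OTHER_RESULT
Agent IP: 192.0.2.36

Date & Time: 2017-02-22 11:15:09.120
Result Key: AUTH_LOG_SYNTAX_ERROR
Agent IP: 192.0.2.36
"""

def parse_records(text):
    """Split on blank lines and turn each 'Key: Value' block into a dict."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep:  # skip lines that are not 'Key: Value'
                rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records

def syntax_error_summary(records, result_key="AUTH_LOG_SYNTAX_ERROR"):
    """Count matching records per agent IP and per clock hour."""
    by_agent, by_hour = Counter(), Counter()
    for rec in records:
        if rec.get("Result Key") != result_key:
            continue
        by_agent[rec.get("Agent IP", "unknown")] += 1
        ts = datetime.strptime(rec["Date & Time"], "%Y-%m-%d %H:%M:%S.%f")
        by_hour[ts.strftime("%Y-%m-%d %H:00")] += 1
    return by_agent, by_hour
```

Counts concentrated on a single agent or a narrow time window give a concrete starting point when comparing against that agent's own authentication logs.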