SecurID® Discussions

Browse the SecurID discussion board to get product help and collaborate with other SecurID users.

What are these log errors coming from my Cisco ACS server?

Date & Time: 2017-02-22 10:32:23.198
Log Level: ERROR
Activity Key: Authentication log request
Description: Log request received from agent “” with IP address “x.x.x.35” in security domain “RCC”
Action Result Key: Failure
Result: Syntax error
Agent Name:
Agent IP: x.x.x.35
Agent Security Domain: RCC
Authentication Method: N/A
Policy Expression: N/A
Instance Name:
Client IPv4: x.x.x.35
Server Node IP: x.x.x.32


I see these log messages in my RSA server quite a bit. Is there some way to prevent them from occuring? We are running ACS v5.8 and AM 8.2.

Labels (1)
3 Replies

That can sometimes be tricky to solve


a) is the Cisco using radius,and sending both a radius log request as well as an authentication request to the RSA server ?

then the log request secret is not correct. can be stopped by re-configuring the Cisco side


b) other reasons can be internal to RSA server and the way it handles bad auths


When the user logs into agent, a 'requestDatagram' is sent to the server from the agent. In this flow, when the user credentials are not correct, before logging the 'InvalidLogRequest' the server will check if the 'Datagram' received is in proper format. Due to some reason it is not sent in proper format at times, so the server is logging this 'SYNTAX ERROR' message in the log. The field responsible for the issue is 'LogCode'. This field is set to '4' (which specifies syntax error) sometimes, hence the SYNTAX ERROR message is logged.



So, these things below have been successful in the past on clearing this up, [but it just might be normal]

-Try to do an automatic re-balance (sec console, access, authentication agents, auth manager contact list...)

-make sure you are on the latest patch (we have 8.2 patch 4 now)

-reboot all RSA servers


That is a negative on the a) option. The ACS server only queries the RSA server as a SecurID source.


Would a re-balance matter if we only had 1 RSA server? (Not even a replica at the moment, but soon!)


I believe we are on 8.2 Patch 2, so I will look into getting on to P4.




re-balance shouldn't do anything on a single server, but it still does config checks and whatnot


This may be the result of bad auth attempts or bad packets on port 5500/udp (it happens, normal stuff) coming from the Cisco and we log a certain error code and it throws that specific error which is hard to interpret by itself.