What are these log errors coming from my Cisco ACS server?
Date & Time: 2017-02-22 10:32:23.198
Activity Key: Authentication log request
Description: Log request received from agent “huacnmacs03.new.mil” with IP address “x.x.x.35” in security domain “RCC”
Action Result Key: Failure
Agent Security Domain: RCC
Server Node IP: x.x.x.32
I see these log messages in my RSA server quite a bit. Is there some way to prevent them from occurring? We are running ACS v5.8 and AM 8.2.
- cisco acs log
- Community Thread
- Forum Thread
- RSA SecurID
- RSA SecurID Access
- RSA SecurID Integration
That can sometimes be tricky to solve.
a) Is the Cisco using RADIUS, and sending both a RADIUS log request as well as an authentication request to the RSA server? Then the log request secret is not correct. This can be stopped by re-configuring the Cisco side.
b) Other reasons can be internal to the RSA server and the way it handles bad auths.
When the user logs into agent, a 'requestDatagram' is sent to the server from the agent. In this flow, when the user credentials are not correct, before logging the 'InvalidLogRequest' the server will check if the 'Datagram' received is in proper format. Due to some reason it is not sent in proper format at times, so the server is logging this 'SYNTAX ERROR' message in the log. The field responsible for the issue is 'LogCode'. This field is set to '4' (which specifies syntax error) sometimes, hence the SYNTAX ERROR message is logged.
So, these things below have been successful in the past on clearing this up, [but it just might be normal]
- Try to do an automatic re-balance (sec console, access, authentication agents, auth manager contact list...)
- Make sure you are on the latest patch (we have 8.2 patch 4 now)
- Reboot all RSA servers
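To tell whether these entries are scattered noise or keep coming from one agent (the question the reply above leaves open), a small triage script over exported records helps. This is an added example, not code from the thread or from RSA; the records are constructed in a plain "Key: Value" form modelled on the fields in the post, the IP addresses are made up, and the "noisy" threshold is an arbitrary assumption.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample records modelled on the fields shown in the post (not real log data).
# Records are blocks of "Key: Value" lines separated by a blank line.
SAMPLE_LOG = """\
Date & Time: 2017-02-22 10:32:23.198
Activity Key: Authentication log request
Description: Log request received from agent "huacnmacs03.new.mil" with IP address "10.0.0.35" in security domain "RCC"
Action Result Key: Failure
Agent Security Domain: RCC
Server Node IP: 10.0.0.32

Date & Time: 2017-02-22 10:33:01.004
Activity Key: Authentication log request
Description: Log request received from agent "huacnmacs03.new.mil" with IP address "10.0.0.35" in security domain "RCC"
Action Result Key: Failure
Agent Security Domain: RCC
Server Node IP: 10.0.0.32

Date & Time: 2017-02-22 10:35:44.910
Activity Key: Authentication log request
Description: Log request received from agent "vpn-gw01.example.test" with IP address "10.0.0.40" in security domain "RCC"
Action Result Key: Success
Agent Security Domain: RCC
Server Node IP: 10.0.0.32
"""

# Accepts both straight and curly quotes, since exports render them either way.
DESC_RE = re.compile(r'agent [“"](?P<agent>[^”"]+)[”"] with IP address [“"](?P<ip>[^”"]+)[”"]')

def parse_records(text: str) -> List[Dict[str, str]]:
    """Split the export into records and turn each 'Key: Value' line into a dict entry."""
    records = []
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")   # first ': ' only; timestamps keep their colons
            rec[key.strip()] = value.strip()
        records.append(rec)
    return records

def failed_log_requests_by_agent(records: List[Dict[str, str]]) -> Counter:
    """Count failed 'Authentication log request' entries per (agent hostname, agent IP)."""
    counts: Counter = Counter()
    for rec in records:
        if rec.get("Activity Key") != "Authentication log request":
            continue
        if rec.get("Action Result Key") != "Failure":
            continue
        m = DESC_RE.search(rec.get("Description", ""))
        if m:
            counts[(m["agent"], m["ip"])] += 1
    return counts

def noisy_agents(counts: Counter, threshold: int = 2):
    """Agents at or above the threshold are the ones whose RADIUS/agent config is worth checking first."""
    return sorted(agent for agent, n in counts.items() if n >= threshold)
```

If one agent dominates the list, start with option a) above (the log request secret on that device); if failures are spread thinly across agents, the internal-handling explanation in b) is more likely.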
That is a negative on the a) option. The ACS server only queries the RSA server as a SecurID source.
Would a re-balance matter if we only had 1 RSA server? (Not even a replica at the moment, but soon!)
I believe we are on 8.2 Patch 2, so I will look into getting on to P4.
Re-balance shouldn't do anything on a single server, but it still does config checks and whatnot.
This may be the result of bad auth attempts or bad packets on port 5500/udp (it happens, normal stuff) coming from the Cisco and we log a certain error code and it throws that specific error which is hard to interpret by itself.