Check the IDR's Network Diagnostics to see if the IDR is able to communicate with the Access Console.   Refer to the article on how to view network diagnostics on an Identity Router for instructions.

• If the IDR can communicate with the Access Console, the network diagnostics will show:

Secure Connection (tun0)
IP: <ip-address> 
Mask: 255.255.255.255 
Gateway: <gateway-ip> 
Server: <server-ip-address>:<server-port>
Connection State: Connected
Status: Up

• If the IDR is still Inactive in the Access Console, the IDR and the console may just need more time to complete their initial setup sequence.
• If the IDR cannot communicate with the Access Console, the network diagnostics will indicate an issue.  For example:

​Secure Connection (tun0)
IP: null
Mask: null
Gateway: null
Server: <server-ip-address>:<server-port>
Connection State: Not connected. Cannot connect to the hosted service.
Status: Down

To troubleshoot configuration, systematically check each item as follows:

1. If you have not done so already, download and complete the current version of either the RSA SecurID Access SSO Agent Solution Architecture Workbook - US Region or the ​RSA SecurID Access SSO Agent Solution Architecture Workbook - EMEA Region for the region where RSA hosts the Cloud component of your deployment (currently either US or EMEA).  Workbooks are available from RSA SecurID Access Downloads page (maintenance contract required).  The region for your deployment can be determined from the URL you use to login to the Access Console:

• For the US: https://access.rsavia.com
• For EMEA: https://access-eu.rsavia.com 

• When completing the workbook, use the spreadsheet tab that best describes the architecture of your deployment (that is, one IDR, IDR with standby, HA, HA with Single Standby, etc.).  
• Enter your deployment-specific data only into the pale yellow cells.  
• The items that must be configured for RSA SecurID Access will be automatically generated in the bottom half of the spreadsheet page, under the heading Your Summary, based on the data you enter into the yellow cells.  It is therefore vital that you ensure the data you enter into the yellow cells is 100% correct.

2. Step through the tasks given in the Setup Checklist for the SSO Agent and Identity Assurance, starting at Task 1 and completing all tasks, up to and including, the task to "install and configure the identity router."  Compare what you have configured to the values specified under Your Summary in the RSA SecurID Access SSO Agent Solution Architecture Workbook that you completed.
3. After making any configuration adjustments that may be necessary, try once again to connect the Identity Router to the Administration Console.

If the above does not resolve the issue, some additional steps that can be taken.  These are:

• Check the IDR's Network Diagnostics again to see if there has been any change.  If the status is now Connected or Connecting you may just need to wait a while longer for the IDR to show as Active in the Access Console.
• Contact your network administrators and your ISP to discuss any issues that may be preventing connectivity.  Check gateway, firewall (that all ports listed in the Workbook under Your Summary are open), NAT, DNS (configured as specified in Workbook Your Summary), etc .
• Check the RSA SecurID Suite Service Notifications page to ensure you haven't missed any downtime notifications for the Cloud service that may be impacting your deployment. 
• Generate and Download an Identity Router Log Bundle, and inspect it for event messages that may indicate the cause of the problem.  Click Contents of Identity Router Log Bundle to view a description in the online help of the major files in the bundle.
• Contact RSA Customer Support for assistance if required. Support may ask you to grant RSA Customer Support access to Your account in the Access Console for an appropriate period of time, if it has not already been granted.