The Authentication Manager instance's real time authentication activity monitor reports Activity Key "Node secret verification" where the reason is "Node secret mismatch: cleared on agent but not on server" when an authentication is sent to the Authentication Manager replica instance from Cisco ASA. For example,
There is a known problem with regards to the node secret and the Cisco ASA when using native SecurID authentication to an RSA Authentication Manager deployment.
Follow the steps below to resolve the issue:
From the Authentication Manager interface
Clear the node secret from the agent host record of the Cisco ASA device in the Security Console (Access > Authentication Agents > Manage Existing).
Click the context arrow next to the Authentication Agent's name and select Manage Node Secret.
Check Clear the node secret and click Save.
From the Cisco ASA
Clear any node secret file (n-n-n-n.SDI, where n-n-n-n is the IP address of the server) from the Cisco ASA flash drive (i. e., memory cache). Refer to Cisco documentation on how to remove files from the flash drive.
Recreating the node secret and testing authentication
At this point, neither the Authentication Manager deployment nor the Cisco ASA have a node secret. The next successful authentication will reset the node secret on both devices.
From the Authentication Manager's primary instance, select Reporting > Real Time Activity Monitors > Authentication Activity Monitor.
On the pop up window, click Start Monitor.
From the Cisco ASA, perform at test authentication to the Authentication Manager's primary instance. This authentication will generate a new node secret to replace the one deleted above.
The Authentication Manager will store a copy of the node secret in the authentication agent's record in the Security Console and send another copy of the node secret to the Cisco ASA device to store.
The Cisco ASA stores the node secret based on the IP address of the Authentication Manager instance. For example, if the Authentication Manager primary has an IP address of 192.168.100.100, the node secret file on the Cisco ASA would be named 192-168-100-100.SDI.
Make a copy of the node secret SDI file on the Cisco ASA and name it with the IP address of the Authentication Manager replica instance.
Note that the octet's of the IP address are divided with dashes, not full stops.
If the Authentication Manager's replica IP address is 192.168.200.200, the filename in the Cisco ASA device for the replica node secret would be 192-168-200-200.SDI.
As the Authentication Manager primary instance replicates its records to the replica, the node secrets on the Cisco ASA now match the Authentication Manager deployment.
Now perform a test authentication to the replica to ensure it is working as expected before using in production. Keep an eye on the Authentication Activity Monitor to confirm authentications are working properly to the replica.