I have the following situation with one of my remote users: when the RSA Control Center is installed on the user's laptop it will download the offline tokens (30 days, per the AM policy) and then after that it will not refresh the offline tokens again.
Full sequence of events:
1) Install RSA Control Center
2) The Control Center downloads the offline tokens. I see the "offline authentication data download" event in the user's Authentication History in the AM and verify with the user that the Control Center says it has 30 days of offline data available.
---> At this point the user is able to log into her computer using MFA in both online and offline modes.
3) After 30 days the tokens run out and the user is not able to log on offline any longer. If I remotely uninstall the RSA Control Center and then reinstall it again, it will start the cycle over and download the offline tokens, but never refresh them.
The user in question works a regular 40-hour work week where she is connected to the corporate VPN for at least 8 hours a day. While connected to the VPN, the RSA Control Center on her computer has direct access to the AM; all of her authentication activity, including offline authentications, is synced with the AM and displayed in the user's Authentication History on the AM without issue. Every other computer in the environment syncs its offline tokens at least once a day when connected to the network, either by VPN or by being in the office. I work remotely as well and my laptop syncs its offline tokens every time it connects to the corporate VPN. So this situation is unique to this one user.
Additional info:
Operating system: Windows 7 x64 with latest Windows Updates and service packs.
RSA Control Center: I've used 7.4.0 and 7.4.2 with the exact same problem.
Firewall status: Disabled, but the fact that the Control Center is free to communicate with the AM means that nothing is getting in the way of the client and AM.
Primary and replica AM are on-premise and version 8.3 p02
Everything else about the user's laptop is a standard build, meaning she doesn't have anything special installed. In fact my own laptop is the same make/model and has the same build and it's able to remotely download the tokens without issue.
Any suggestions would be appreciated.
Assuming the basics on the AM server are correct and the user policy is allowed to pull offline day download with the token they have...
Run a working system and the non-working system, set RSA Control Center, Advanced, Tracing, to enable all verbose tracing to logs.
Run a test scenario on the working machine, where it all works, run the same scenario on the non-working machine (replicate the problem).
Now looking at both piles of logs (the ones to focus most on are with DAservice* or *logon* in the name, and trace.log) try to compare and see where the logs do not look the same for [test action]. There is a lot of noise in these logs which looks anomalous but is part of normal processing, and in verbose mode there is a lot to ignore...the good machine logs vs the bad one will help sort that out. Notepad++ with the compare plugin is sometimes helpful when comparing log-to-log.
Also make note of the specific time and hopefully seconds that you do [each test action] as these logs are all timestamped and that will also help to focus on the relevant part of the logs and not need to plow through processes idling and maintenance routines in the background or the ancillary processing stuff...(background processing is also going to be in these logs).
Otherwise it's best to please open a support case and we can troubleshoot that way. If you do open a case, a set of logs from a test scenario, with notes about the times of your tests and what occurred will be helpful.
Only use the latest release 7.4.2.122 or up as there have already been a few improvements to offline day processing in that build vs prior versions.
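
One way to script the good-machine versus bad-machine log comparison described in the reply above; this is an added example, not part of the original thread and not RSA tooling. The timestamp layout and the sample log lines are constructed assumptions, so adjust the regex to the real trace format before use.

```python
import re
from datetime import datetime

# ASSUMPTION: each trace line starts with "YYYY-MM-DD HH:MM:SS[.mmm]".
# Adjust TS_RE / TS_FMT to the layout of the real trace files.
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(?:[.,]\d+)?\s*(.*)$")
TS_FMT = "%Y-%m-%d %H:%M:%S"
# Mask volatile tokens (hex handles, PIDs, counters) so equal events compare equal.
VOLATILE = re.compile(r"0x[0-9a-fA-F]+|\d+")

# Constructed sample lines, not real RSA trace output.
GOOD_LOG = [
    "2019-03-04 09:15:01.120 [1204] service idle tick 17",
    "2019-03-04 09:15:02.300 [1204] offline data check started",
    "2019-03-04 09:15:03.010 [1204] offline data download completed, days=30",
    "2019-03-04 09:20:00.000 [1204] service idle tick 18",
]
BAD_LOG = [
    "2019-03-04 10:40:01.500 [988] service idle tick 5",
    "2019-03-04 10:40:02.100 [988] offline data check started",
    "2019-03-04 10:40:02.900 [988] offline data check skipped, reason=3",
]

def window(lines, start, end):
    """Return normalized messages whose timestamp falls in [start, end]."""
    t0, t1 = (datetime.strptime(s, TS_FMT) for s in (start, end))
    out = []
    for line in lines:
        m = TS_RE.match(line)
        if m and t0 <= datetime.strptime(m.group(1), TS_FMT) <= t1:
            out.append(VOLATILE.sub("#", m.group(2)).strip())
    return out

def divergence(good, bad):
    """Messages seen on only one machine, in first-seen order."""
    gs, bs = set(good), set(bad)
    only_good = [m for m in dict.fromkeys(good) if m not in bs]
    only_bad = [m for m in dict.fromkeys(bad) if m not in gs]
    return only_good, only_bad

if __name__ == "__main__":
    # Windows are the noted times of the same test action on each machine.
    good = window(GOOD_LOG, "2019-03-04 09:15:00", "2019-03-04 09:16:00")
    bad = window(BAD_LOG, "2019-03-04 10:40:00", "2019-03-04 10:41:00")
    only_good, only_bad = divergence(good, bad)
    print("only on working machine:", *only_good, sep="\n  ")
    print("only on failing machine:", *only_bad, sep="\n  ")
```

Background noise that appears on both machines drops out of the result, leaving only the messages where the two runs differ.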