RSA Product Set: ID Plus
RSA Product/Service Type: Identity Router

When an RSA Identity Router (IDR) is distressed, you will see the following in the Cloud Administration Console:

• The System Status - Identity Routers section of the Dashboard will show the number of Identity Routers that are distressed in red.
• The Platform > Identity Routers page will show the Identity Router as Distressed.

A networking problem

• The Cloud cannot connect to the Identity Router.
• The Identity Router cannot connect to the Cloud.

A service problem

• One or more services that should be running on the IDR, are not running.

A hypervisor problem

• Due to a problem with the IDR's hypervisor or VM, the IDR is is not running, or is not performing as required.

An expected outage

• A deliberate change has been done which has the known and expected side-effect of the IDR being temporarily in Distressed state.

To determine if the IDR is distressed due to a networking, service or hypervisor problem, or an expected outage, check the following.  Use the links provided to learn more about each item:

• Has a deliberate action has been taken that is expected to cause the IDR to be temporarily Distressed: 
  • A newly added IDR,
  • Publishing Changes to the Identity Router and Cloud Access Service,
  • IDR software update,
  • IDR reboot,
  • IDR restart or
  • IDR VM stop/start? 

• Is there a response if you Test the IDR?  If not, this is likely a networking or hypervisor problem.
  • Check  your hypervisor server (VMWare or Hyper-V).  Is the hypervisor itself or the IDR's VM, in a stopped or stopping state, or running out of resources (CPU, memory, etc) or in any other undesirable state?  If so, this is a hypervisor problem.  
  • If all looks well on the hypervisor, this is likely a networking problem.
• Is there a response when you Test the IDR, but not all services are in running state?   All services should be running, except possibly the two below:
  • ssoLifecycleService:  this service should be in paused state if SSO Agent is disabled on the cluster.
  • radiusService:  this service should be in paused state if RADIUS is disabled on the cluster.

Now, go to the appropriate section below for suggested troubleshooting tasks, based on your conclusions from the above questions.

Networking Problem

• Check if any recent network changes or Cloud Access Service configuration changes could have introduced a problem. Examine any such changes for errors. Is more than one IDR affected? Cloud and IDR connectivity requirements are documented in the following RSA Link locations:
  • The chapter entitled "Step 1. Plan" in each Quick Setup Guide available on the Cloud Access Service Planning and Configuration page.
  • Configure Company Information and Certificates
  • Security Levels and Identity Router Connection Ciphers (RSA Link login required) 
    • If your RSA ID Plus deployment includes a component that terminates the SSL connection between the identity router and the Cloud Access Service, you must ensure that this component is configured to use at least one cipher suite supported by the identity router when reestablishing the SSL connection.
  • Identity Router DNS Requirements
  • Identity Router Default Ports and Interfaces.
  • Identity Router Network Interfaces.
• Read Identity router status changed to distressed after reboot in RSA ID Plus
• Check the Cloud Access Service's Status page for notifications of maintenance or outage that may be impacting connectivity between the Cloud and IDRs.
• Are there currently any network outages in your organization's network, or that of your organization's ISP?
• Can you access the IDR's setup.jsp pages?  If so:
  • Generate and download an Identity Router log bundle from the IDR's setup.jsp pages.
    • Review the contents of identity router log bundle, and especially the symplified.log in the bundle, for connectivity error events.
  • Check the IDR's Network Diagnostics page for errors.
• If SSH is enabled for the IDR, can you access the IDR by SSH? 
• If the IDR is completely unreachable by setup.jsp and SSH:
  • Can you access the network settings page in the Identity Router VM console?  If so, check if the settings there are correct and if not, adjust accordingly.
  • If there is no means to access the IDR, or if adjusting network settings in the IDR VM console doesn't help, you can stop and restart the IDR's VM (from the hypervisor) to see if that fixes the problem.

Services Problem

Follow these steps to gather data and pass it to RSA Support:

1. Set the Identity Router Logging Level to Debug, then wait 5 minutes for internal IDR logging to capture activity.
2. If you need to resolve the issue as quickly as possible (rather than referring it to RSA Customer Support first), you can try one or more of the following to see if they fix the problem:
   • Restart services on the IDR
   • Reboot the IDR.
   • From the hypervisor, shutdown then restart the IDR's VM (recommended only as a last resort)

If further assistance is required, contact RSA Customer Support.