View Identity Router Status in the Cloud Administration Console

You can view status and monitoring information for the identity routers in your deployment using the Cloud Administration Console. Use this information to help troubleshoot configuration and authentication issues.

When status changes occur, additional diagnostic information is provided in the System Event Monitor (Platform > System Event Monitor) and identity router audit logs. See System Event Monitor Messages for Cloud Access Service and Identity Router Audit Log Messages.

Procedure 

  1. Sign into the Cloud Administration Console.
  2. Click Platform > Identity Routers.

    The console displays the following basic status information for each identity router in your deployment:

    • Name

    • Description

    • Virtualization environment

    • Current status of the identity router

      The following table describes the identity router status indicators:

      Identity Router Status        Description

      Active
        The identity router is connected to Cloud Access Service (CAS) and operating normally.

      Inactive
        The identity router is not connected to CAS.

      Debug
        The identity router is connected to CAS and debug-level logging is enabled.

      Distressed
        There is a problem with the identity router. Contact RSA Customer Support for troubleshooting assistance.

      Starting
        When a registered identity router is connected to the Cloud Administration Console, the status reads Starting until the identity router is Active.

        Note:  If the status does not change to Active after 10 minutes, see Troubleshooting Identity Router Issues.

      Update Available
        The identity router is not using the latest software version. See Update Identity Router Software to install the latest software.

      Update Unavailable
        The identity router is not running on SLES 12. The identity router should be replaced or redeployed. See the Identity Router 12.12.x Migration Guide.

      Blocked
        The identity router is blocked due to the evaluation of network zone activities assigned to its cluster. Update the zone’s configuration to unblock its associated identity router(s), and then publish your changes. After publishing changes to CAS, you can view the publishing status of its associated identity router(s). If any identity router displays a failure status or if the publish attempt was unsuccessful, click Publish Changes to republish the configuration and resolve the issue.

        For more information, see Clusters to edit its network zone.

  3.  

    Note:  A yellow warning icon may appear if the identity router cannot connect to the Software Update Service, Adapter Update Service, or the Cloud Authentication Service Connections. Check the connectivity status of these services using the region-specific domain names by clicking the drop-down arrow next to them.
    To connect the identity router to any of these services using domain names, you need to include the region-based domain names in the allow-list of your firewall rules. For more information, see Deployment Planning Checklist.

    The status indicators for the Software Update Service and Adapter Update Service verify connectivity using company-specific URLs. If the status is unhealthy, review your firewall rules and ensure the company-specific URL is included in the allow-list. For more details, see the IDR advisory.

  4. To display advanced status information for a specific identity router, click the arrow next to the identity router name.
    • Name of the cluster to which the identity router belongs

    • Date and time of the last status check between CAS and the identity router

    • Date and time of the last authentication service check

    • Hostname of the identity router

    • Eth0 IP address

      Identity Router Platform   Eth0 Address
      VMware/Hyper-V             Management interface IP address
      Amazon Web Services        IP address of the only network interface
      AM                         AM IP address
    • Eth1 IP address

      This is the portal interface IP address for VMware/Hyper-V identity routers. This information is not available for Amazon Web Services identity routers or the identity routers embedded in AM.

    • Identity router software version number

    • Date and status of the last identity router software update

    • Date and status of the last identity router adapter update

    • Operating system

    • Status of RADIUS and IDR SSO Agent services on the identity router

      Service Status   Description

      RUNNING
        The service is enabled and operating normally.

      STOPPED
        The service is enabled but is not working. To troubleshoot, run a simple test to confirm that the service is stopped, view the identity router system log for errors, or restart the identity router to try to restart the service.

      DISABLED
        The service is not enabled.

      The last reported status is displayed for the following items. Status indicators are green for healthy, yellow for partially healthy, or red for unhealthy. A yellow status for DNS and AD/LDAP connections indicates that some configured servers are healthy while others are not. Click the arrow next to a status indicator to view the IP addresses or domain names of the configured servers.

    • Primary Region and Alternate Region to which the identity router connects.

    • AD/LDAP. If no identity sources are configured, click the icon, then click Not Configured to open a new tab and configure an identity source. Every two minutes, the identity router checks connectivity to the identity source servers by connecting to each server and attempting to look up a random user.

    • DNS. Updated every minute. Displays a configuration icon if DNS is not configured.

      Platform                                DNS Configuration
      VMware, Hyper-V, Amazon Web Services    Identity Router Setup Console
      Authentication Manager                  AM Operations Console. Click Administration > Network > Appliance Network Settings.

    • NTP. Updated every minute. Displays a configuration icon if NTP is not configured.

      Platform                                NTP Configuration
      VMware, Hyper-V, Amazon Web Services    Identity Router Setup Console
      Authentication Manager                  NTP is not displayed because the identity router uses the NTP server that is configured for AM.

    • Authentication Manager. Updated every three minutes.

      • Notification: Sends notifications from the CAS IDR to Authentication Manager when users update their passwords for the Authentication Manager internal database identity sources. Sends licensing information from Authentication Manager to CAS. A connection between Authentication Manager and CAS must be established. For more information, see Connect Authentication Manager to the Cloud Access Service. To enable this notification channel (supported for Authentication Manager 8.7 SP2 and higher):

        1. An identity router must be able to resolve the Authentication Manager hostname. If the hostname is not resolvable, the Authentication Manager hostname and its IP address can be added under static DNS entries in the identity router settings.

        2. In Authentication Manager, the REST API must be enabled.

    • Software Update Service. Displays the connectivity status of an identity router to the software update service and shows the statuses based on the region-based domain names and company-specific URL, which can be viewed by clicking the drop-down arrow. Updated every 5 minutes. Required for the identity router to perform software updates.

    • Adapter Update Service. Displays the connectivity status of an identity router to the adapter update service and shows the statuses based on the region-based domain names and company-specific URL, which can be viewed by clicking the drop-down arrow. Updated every 5 minutes. Required for the identity router to perform updates.

    • Heartbeat Service. Sends identity router information to CAS periodically. If the identity router stops responding, check the date and time of the last heartbeat to help determine when the connection was lost.

    • Cloud Time Synchronization. Indicates whether identity router time is within 60 seconds of the time reported by CAS as required for successful authentication.

    • Cluster. Updated every 60 seconds. For information on cluster quorums, see Clusters.

      Status   Description

      Green
        Healthy. Cluster is in quorum. More than 50% of identity routers can communicate with each other. Users can authenticate through the cluster.

      Red
        Unhealthy. All configured identity routers are offline.

      Yellow
        Partially healthy. Cluster is not in quorum and is in read-only mode, but at least one configured identity router is online.

      Cluster status is not provided for identity routers that are embedded in AM.

    • Memory Usage.

      Status   Description

      Green
        Healthy. More than 25% of free memory is available.

      Red
        Unhealthy. Less than 25% of free memory is available.

      For the identity router that is embedded in AM, the maximum and free memory are displayed for the identity router. The maximum host memory is the total memory of the AM host.

    • CPU Usage.

      Status   Description

      Green
        Healthy. Average CPU idle percent is above 20% since the last run of this indicator, which runs every minute.

      Red
        Unhealthy. Average CPU idle percent is less than 20% since the last run of this indicator, which runs every minute.

      For the identity router that is embedded in AM, the CPU Usage data applies to the AM host, instead of the identity router itself.

    • Cloud Authentication Service Connections. Tracks the status of the current (primary) and region-based authentication domains and the overall connection status:

      • Current is the CAS IP address currently being used.

      • Region based domain name status displays the connection status of the primary and alternate regions using the domain names.

      Status   Description

      Green
        Green indicates that the Cloud Authentication Service domain is reachable (healthy).

        If the Current CAS is listed and is healthy, the overall Cloud Authentication Service Connections status is reported as healthy.

        If only Region based domain name status is listed in the drop-down, and both region domains are healthy, the overall Cloud Authentication Service Connections status is reported as healthy.

      Red
        Red indicates that the Cloud Authentication Service domain is unreachable (unhealthy).

        If the Current Cloud Authentication Service is listed and is unhealthy, the overall Cloud Authentication Service Connections status is reported as unhealthy.

        If only Region based domain name status is listed in the drop-down, and the connection status of either region domain is unhealthy, the overall Cloud Authentication Service Connections status is reported as unhealthy.

Note:  The status is updated using a dynamic interval; the interval between status updates may be up to 4 hours. If a configuration or environment change is made that affects the IDR connection status to the Cloud Authentication Service, it may therefore take up to 4 hours to be reflected here. If earlier confirmation is necessary, reboot the IDR, restart the IDR services, or use another mechanism to test the connection status.
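The indicator rules described above (partial health for DNS and AD/LDAP server groups, cluster quorum, memory and CPU thresholds, cloud time synchronization, and the way the overall Cloud Authentication Service Connections status is derived from the Current and region-based entries) can be checked offline against a status snapshot, which is useful when reviewing exported status data or writing alerting rules. The following Python script is an added example, not code from the Cloud Administration Console or RSA; the snapshot layout, the field names, the treatment of exactly 25% free memory as unhealthy, and the sample values are assumptions made for illustration.

```python
"""Apply the documented identity router health thresholds to a status snapshot.

Example code added for illustration; it is not part of the Cloud
Administration Console, and the snapshot layout is an assumption.
"""

from typing import Dict, List, Optional

GREEN, YELLOW, RED, NOT_CONFIGURED = "green", "yellow", "red", "not_configured"


def server_group_status(server_results: Dict[str, bool]) -> str:
    """DNS and AD/LDAP rule: green when every configured server is healthy,
    yellow when only some are, red when none are. An empty mapping means
    nothing is configured (the console shows a configuration icon instead)."""
    if not server_results:
        return NOT_CONFIGURED
    healthy = sum(1 for ok in server_results.values() if ok)
    if healthy == len(server_results):
        return GREEN
    return YELLOW if healthy > 0 else RED


def cluster_status(total_routers: int, online_routers: int) -> str:
    """Cluster rule: red when all configured identity routers are offline;
    green when more than 50% can communicate (quorum); yellow otherwise
    (not in quorum, read-only, but at least one router online)."""
    if online_routers <= 0:
        return RED
    if online_routers * 2 > total_routers:
        return GREEN
    return YELLOW


def memory_status(free_mb: float, max_mb: float) -> str:
    """Memory rule: green when more than 25% of memory is free.
    Exactly 25% is treated as unhealthy (assumption: 'more than' is strict)."""
    return GREEN if free_mb / max_mb > 0.25 else RED


def cpu_status(avg_idle_percent: float) -> str:
    """CPU rule: green when the average CPU idle percent since the last
    one-minute run is above 20%."""
    return GREEN if avg_idle_percent > 20 else RED


def time_sync_status(router_epoch: float, cas_epoch: float) -> str:
    """Cloud Time Synchronization rule: router clock within 60 s of CAS time."""
    return GREEN if abs(router_epoch - cas_epoch) <= 60 else RED


def cas_connection_status(current_healthy: Optional[bool],
                          region_healthy: Dict[str, bool]) -> str:
    """Overall Cloud Authentication Service Connections status.
    When a Current CAS entry is listed, its health alone decides the result.
    When only region-based domain names are listed, every region must be healthy."""
    if current_healthy is not None:
        return GREEN if current_healthy else RED
    if region_healthy and all(region_healthy.values()):
        return GREEN
    return RED


def evaluate_identity_router(snapshot: dict) -> Dict[str, str]:
    """Run every indicator rule over one snapshot; returns indicator -> color."""
    return {
        "dns": server_group_status(snapshot["dns"]),
        "ad_ldap": server_group_status(snapshot["ad_ldap"]),
        "cluster": cluster_status(snapshot["cluster"]["total"],
                                  snapshot["cluster"]["online"]),
        "memory": memory_status(snapshot["memory"]["free_mb"],
                                snapshot["memory"]["max_mb"]),
        "cpu": cpu_status(snapshot["cpu_idle_percent"]),
        "time_sync": time_sync_status(snapshot["router_epoch"], snapshot["cas_epoch"]),
        "cas_connections": cas_connection_status(snapshot["cas"]["current_healthy"],
                                                 snapshot["cas"]["regions"]),
    }


def unhealthy_indicators(result: Dict[str, str]) -> List[str]:
    """Indicators to investigate first: red entries, then yellow, each by name."""
    order = {RED: 0, YELLOW: 1}
    return sorted((k for k, v in result.items() if v in order),
                  key=lambda k: (order[result[k]], k))


# Constructed sample snapshot (hypothetical values, not console output).
SAMPLE_SNAPSHOT = {
    "dns": {"10.0.0.53": True, "10.0.1.53": False},      # one of two DNS servers down
    "ad_ldap": {"ldap1.example.internal": True},
    "cluster": {"total": 3, "online": 2},                # 2 of 3 online -> quorum
    "memory": {"free_mb": 1024, "max_mb": 8192},         # 12.5% free
    "cpu_idle_percent": 35.0,
    "router_epoch": 1700000000, "cas_epoch": 1700000045,  # 45 s drift
    "cas": {"current_healthy": None, "regions": {"primary": True, "alternate": False}},
}

if __name__ == "__main__":
    result = evaluate_identity_router(SAMPLE_SNAPSHOT)
    for name, color in result.items():
        print(f"{name:16} {color}")
    print("investigate:", unhealthy_indicators(result))
```

Each rule is kept as its own small function so that a threshold from the table above maps to exactly one place in the code; feeding the evaluator a snapshot taken before and after a firewall or DNS change makes it easy to see which indicator should flip, even while the console itself is still within its up-to-4-hour refresh interval.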