Has anyone seen an issue where an SA sources traffic to the RSA ACE auth server from its cluster VIP address and not the physical interface address? A customer has a problem where this is happening and they are getting "node verification failed" because of it.
The history is that the RSA authentication was working previously, with the traffic sourced from the physical interface addresses. However, they converted the internal interfaces to vlan-tagged, and set up a route to source the RSA server traffic from one of the VLAN interfaces. Now the traffic is coming from the cluster VIP on the right VLAN, but not from the real member VLAN interface addresses. Is this a known issue - I can't see it documented anywhere.
Check this KB links and see if iy helps
Thanks for the suggestions - we had already seen and tried both of these.
The problem I am describing is that we are unexpectedly seeing traffic sourced from the cluster VIP address on the VLAN and not from the VLAN interface on the active node. This is not what the RSA server is expecting, as sdconf.rec is defined with both the node's VLAN interface addresses.
Time sync is not an issue. Both the RSA server and the SA cluster are synced to the same NTP source.
Customer has deleted node secret on the RSA server several times, as well as deleting and re-creating the node definition. Each time we create and import a new sdconf.rec, but the result is always the same.
As for KB26789, I am not sure how old this is, but it is just not possible to install two sdconf.rec files to a clustered IVE. Maybe it once was, but it simply can't be done now. In any case, we are following the method described in the Solution section to the letter. (By the way, has anyone got any idea what the graphic in KB26789 is there for???).
We never get to see a node verification file, because the RSA server does not allow the SA to authenticate its first client.