I recently updated our SA4500 to version 7.4 R8 last week. After a few days a handful of people started having problems authenticating with our RSA radius server. We have two authentications Domain and RSA. For most people, there is no issue. The problem users will authenticate to the domain fine, but the RSA will fail the majority of the time. Every so often the login will eventually work. When we look in the logs all we see is that the authentication failed. If we look in the RSA server we never see an authentication attempt. If we purposefully enter an invalid pin or passcode, we do see that listed in the RSA log. I've tried different browsers versions (32bit v 64bit) and there doesn't appear to be fix. I've eliminated the RSA server as the issue as I can do an authentication to it directly with no issues. I'm kindof stuck trying to figure out where the problem is occuring. Hoping someone will have some other ideas to look into.
The best way to view the tcpdump is to download and install Wireshark on your PC. http://www.wireshark.org/ Save the tcpdump to your pc and open it with Wireshark. Filter on the ip address of your radius server or sort by protocol and look for radius entries.
Ran a TCP dump, and I really don't know what to look for. Just a few seconds generates several hundred lines of data. I tried to pull the text into a text file, but I can't seem to do a search on it. I was hoping to run a search on the IP address I was doing testing on. Any idea on what I should be looking for?
I see some TLSv1.2 entries being sent from the client to the vpn. Granted, I really don't know what is causing the login to fail as I at least see this traffic. What I don't see is any communication from the VPN to the RSA server. I should see the same traffic from VPN to the RSA correct?
You should see radius packets between the SA internal port and the radius server. If not, I am assuming communcation between the SA and radius server may be encrypted via SSL which is the reason why you do not see anything. Since this is the case, the only way to know if the SA is sending data is enabling debugging on the SA. Please open a jtac case and provide case number. I can try and assist through those channels.
Take a tcpdump when you are replicating the issue. If you do not see a packet leave the SA internal port, you can say it is an issue with the SA device. If this is the case, we would need to enable debugging on the SA device to clarify if there is an issue with the RSA implementation.