RSA Authentication Manager Issue – Node secret mismatch
Follow these instructions if you get following error messages in your Authentication Monitor:
“Node secret mismatch: cleared on server but not on agent”
“Node secret mismatch: agent and server using different node secrets”
1. Open the Security Operations Console and check out the realtime authentication monitor. You gonna find it in the RSA Security Console in the menupoint Reporting.
Reporting –> Real-time activity monitors –> Authentication activity monitor
2. Clear the secret node on your RSA Server and your Cisco ASA. The secret node is stored in the ASA´s flash drive. It should have a name like 192-168-250-100.sdi
You can clear the ASA´s node secret in Access –> Authentication Agents –> Manage Existing. Click on the ASA to open up the dropdown menu, choose Manage Node Secret. Ccheck the box “Clear the node secret” und save your settings.
Within the first authentication the RSA server und the ASA will negotiate a new Node Secret. Make sure that the time is in sync on the RSA Server and the Client before establishing a connection.
3. Now it should be fine. Sometimes you have to repeat step 2. I had to delete the secret 4 times before the authentication worked correctly.
This article helped you? Nice! Please take 1 minute of your time and leave a comment, I would appreciate that. Thank you 🙂
8 Comments
Hi…i great article dude!! Really wish u write a lot more about RSA. And for a beginner like me, it so interesting
June 8, 2013
hello, you help me with my ASA5510 thanks.
I also use OWA and received this message “Node secret mismatch: cleared on server but not on agent”
On the ISA Server computer, open a registry editor, such as Regedit.exe or Regedt32.exe, and verify that there is no NodeSecret value under the HKEY_LOCAL_MACHINE\SOFTWARE\SDTI\ACECLIENT key in the registry. If the NodeSecret value is present, delete it.
then use the sdtest.exe tool to make a positive authentification
this action recreate the registry key delete a second ago.
then restart the ISA 2004 service.
Now OWA work again.
November 21, 2013
Hi Daniel,
Thanks for your contribution. You provided really valueable information there. I think that it might help others too 🙂
Which size is your company you are working for?
I am using the same setup (Exchange 2007 with OWA behind ISA 2003 and Cisco ASA) as you for a 50+ people company.
Best regards,
Joey
November 22, 2013
I works after Clear the node secret but only first time then second log on same error
Any help?
March 20, 2014
Hey,
Just want to say thank you for providing insight on this. It was enough to help me clear up an issue after moving ASAs 5510 to 15x with the same addresses.
Do you think deleting the sdi on the ASA’s flash would also have the same effect as clearing node secret on the RSA server?
April 17, 2014
Thanks for your contribution. You provided really valueable information there. It helped me really 🙂
May 5, 2014
Thank you so much for this guide! Ran into this same error after upgrading my ASA. RSA support kept me on the phone for almost 2 hours only for me to google the error and found this. Sometimes I don’t understand why companies pay so much for support. Again, thank you for this simple and straight-forward guide.
PS: This worked on Security Console 8.1 SP1 P5 and Cisco ASA Firewall 9.1(6)
December 10, 2015
Appreciate you sharing, great blog post.Thanks Again. Really Cool. acbgeekaefdf
February 28, 2017