Think innovative

RSA Authentication Manager Issue – Node secret mismatch

By on Oct 15, 2012 in RSA | 8 comments

Follow these instructions if you get the following error messages in your Authentication Monitor:

“Node secret mismatch: cleared on server but not on agent”

“Node secret mismatch: agent and server using different node secrets”

[Screenshot from RSA Server: RSA Node secret mismatch]

1. Open the Security Operations Console and check the real-time authentication monitor. You will find it in the RSA Security Console under the Reporting menu.

Reporting –> Real-time activity monitors –> Authentication activity monitor

2. Clear the node secret on your RSA Server and your Cisco ASA. The node secret is stored on the ASA's flash drive. It should have a name like 192-168-250-100.sdi

You can clear the ASA's node secret in Access –> Authentication Agents –> Manage Existing. Click on the ASA to open the dropdown menu and choose Manage Node Secret. Check the box “Clear the node secret” and save your settings.

On the first authentication, the RSA server and the ASA will negotiate a new node secret. Make sure that the time is in sync on the RSA Server and the client before establishing a connection.

3. Now it should be fine. Sometimes you have to repeat step 2. I had to delete the secret 4 times before the authentication worked correctly.
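To see which agents are actually affected before touching anything, the monitor output can be triaged programmatically. The script below is an added example, not part of the original post: it scans constructed monitor lines (the "timestamp agent-ip message" layout is an assumption, not the real RSA export format) for the two node-secret-mismatch messages quoted above, counts them per agent, derives the expected .sdi file name from the agent IP following the 192-168-250-100.sdi pattern (assumed to generalize), and flags agents that keep failing so you know step 2 has to be repeated.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines, not a real RSA AM export; the layout
# "<date> <time> <agent-ip> <message>" is an assumption for this example.
SAMPLE_LOG = """\
2012-10-15 09:01:12 192.168.250.100 Node secret mismatch: cleared on server but not on agent
2012-10-15 09:01:40 192.168.250.100 Node secret mismatch: cleared on server but not on agent
2012-10-15 09:05:03 192.168.250.101 Node secret mismatch: agent and server using different node secrets
2012-10-15 09:06:10 192.168.250.102 Authentication succeeded
2012-10-15 09:07:55 192.168.250.100 Node secret mismatch: agent and server using different node secrets
"""

# The two messages the post is about, mapped to a short kind label.
MISMATCH_MESSAGES = {
    "Node secret mismatch: cleared on server but not on agent": "cleared_on_server_only",
    "Node secret mismatch: agent and server using different node secrets": "different_secrets",
}

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<agent>\d{1,3}(?:\.\d{1,3}){3}) (?P<msg>.+)$")


def parse_mismatches(log_text):
    """Return {agent_ip: Counter(kind -> occurrences)} for node-secret mismatch lines only."""
    per_agent = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        kind = MISMATCH_MESSAGES.get(m.group("msg").strip())
        if kind:
            per_agent[m.group("agent")][kind] += 1
    return dict(per_agent)


def sdi_filename(agent_ip):
    """Expected node secret file on ASA flash, e.g. 192.168.250.100 -> 192-168-250-100.sdi (assumed pattern)."""
    return agent_ip.replace(".", "-") + ".sdi"


def triage(log_text, repeat_threshold=2):
    """One (agent, mismatch_count, action) tuple per affected agent; repeated failures get a repeat-step-2 note."""
    actions = []
    for agent, counts in sorted(parse_mismatches(log_text).items()):
        total = sum(counts.values())
        note = "clear node secret on server and agent (flash:" + sdi_filename(agent) + ")"
        if total >= repeat_threshold:
            note += f"; {total} mismatches seen, repeat the clear and re-check time sync"
        actions.append((agent, total, note))
    return actions
```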


Did this article help you? Nice! Please take 1 minute of your time and leave a comment; I would appreciate that. Thank you 🙂

    8 Comments

  1. Hi… great article dude!! Really wish you would write a lot more about RSA. And for a beginner like me, it is so interesting

    indy

    June 8, 2013

  2. hello, you help me with my ASA5510 thanks.
    I also use OWA and received this message “Node secret mismatch: cleared on server but not on agent”

    On the ISA Server computer, open a registry editor, such as Regedit.exe or Regedt32.exe, and verify that there is no NodeSecret value under the HKEY_LOCAL_MACHINE\SOFTWARE\SDTI\ACECLIENT key in the registry. If the NodeSecret value is present, delete it.

    then use the sdtest.exe tool to make a positive authentication
    this action recreates the registry key deleted a second ago.

    then restart the ISA 2004 service.
    Now OWA works again.

    Daniel

    November 21, 2013

    • Hi Daniel,

      Thanks for your contribution. You provided really valuable information there. I think that it might help others too 🙂

      What size is the company you are working for?

      I am using the same setup (Exchange 2007 with OWA behind ISA 2003 and Cisco ASA) as you for a 50+ people company.

      Best regards,
      Joey

      Joey Kappe

      November 22, 2013

  3. It works after clearing the node secret, but only the first time; on the second logon, same error.
    Any help?

    mk

    March 20, 2014

  4. Hey,
    Just want to say thank you for providing insight on this. It was enough to help me clear up an issue after moving ASAs 5510 to 15x with the same addresses.
    Do you think deleting the sdi on the ASA’s flash would also have the same effect as clearing node secret on the RSA server?

    zac

    April 17, 2014

  5. Thanks for your contribution. You provided really valuable information there. It really helped me 🙂

    Rama

    May 5, 2014

  6. Thank you so much for this guide! Ran into this same error after upgrading my ASA. RSA support kept me on the phone for almost 2 hours only for me to google the error and found this. Sometimes I don’t understand why companies pay so much for support. Again, thank you for this simple and straight-forward guide.

    PS: This worked on Security Console 8.1 SP1 P5 and Cisco ASA Firewall 9.1(6)

    Pius

    December 10, 2015

  7. Appreciate you sharing, great blog post. Thanks Again. Really Cool.

    Johna9

    February 28, 2017
