Configuring Factor RADIUS_RSA (with Duo Server) and attempts to logon with MFA credentials are unsuccessful with the following timeout error in STDOUT:

  -- Error with authentication request--

  -- Receive timed out                       

TCPIP SYSTCPDA component trace including the option to see discarded packets is required to debug this issue. 

Release : 2.0

Component : Advanced Authentication Mainframe

The commands below are for a TCP/IP stack name of TCPIP and Radius Server at xx.xxx.xxx.xxx using port 1234 and with the assumption that an external writer has been defined to the system PROCLIB with a name of CTWTR.  

1. Enter the following commands to activate the trace:

TRACE CT,WTRSTART=CTWTR,WRAP 

TRACE CT,ON,COMP=SYSTCPDA,SUB=(TCPIP) 

R nn,WTR=CTWTR,END 

V TCPIP,TCPIP,PKTTRACE,ON,PROT=UDP,IPADDR=xx.xxx.xxx.xxx,PORTNUM=1234,DISCARD=* 

2. Once the trace is activated, recreate the problem. 

3. Enter the following commands to deactivate the trace:

V TCPIP,TCPIP,PKTTRACE,OFF  

TRACE CT,ON,COMP=SYSTCPDA,SUB=(TCPIP) 

R nn,WTR=DISCONNECT,END 

TRACE CT,WTRSTOP=CTWTR  

4. To view the results of the trace, go into IPCS option 0 (Specify Defaults) and enter

DSNAME('yourhlq.TRACE.DATA') as the source.  

Then go to IPCS option 6 (IPCS Subcommand Entry) and enter the following command

CTRACE COMP(SYSTCPDA) SUB((TCPIP)) LOCAL FULL

The following command can be used to validate successful activation and deactivation of the trace:

D TRACE,COMP=SYSTCPDA,SUB=(TCPIP)

The following sample JCL can be used to define an external writer for the component trace. It assumes the data set does not exist.  If the data set already exists then it should be deleted or the PROC should be updated to use a new data set name. 

//CTWTR    PROC

//IEFPROC  EXEC PGM=ITTTRCWR  

//TRCOUT01 DD DSNAME=yourhlq.TRACE.DATA,UNIT=SYSDA,

//            SPACE=(CYL,(500,0),,CONTIG),DISP=(NEW,CATLG),DSORG=PS