SPS Host - Registration failed ('bad ipAddress[:port] or unable to connect to Authentication Server')

Article ID: 74957

Products

CA Single Sign On Secure Proxy Server (SiteMinder); CA Single Sign On SOA Security Manager (SiteMinder); CA Single Sign-On

Issue/Introduction

CA SSO components are distributed across an enterprise. Installing and configuring them may involve passing communication through different subnets and intermediate devices.

This use case involves building a new CA Secure Proxy Server (SPS), also known as Access Gateway (AG).

SPS is returning errors while running ca-sps-config.sh at the host registration step.

I am able to register one set of servers with the PS with no issues. However, the second SPS alone is showing registration failures.
 

Upon executing the registration command, why am I getting return code 251?
Registration failed ('bad ipAddress[:port] or unable to connect to Authentication server xxx.xxx.xxx.xxx'). 
rc=$? 
+ rc=251 
Why is Telnet to the PS on standard ports fine?

Cause

There could be something in between the Access Gateway and Policy Server that is not allowing the connectivity.

Environment

CA Access Gateway (a.k.a. SPS)
 

Resolution

You can specify non-default port numbers for the Policy Server (PS). However, if your PS is configured to use a non-default port and you omit it when you register a trusted host, the following error is displayed:

Registration Failed (bad ipAddress[:port] or unable to connect to Authentication server (-1).

However, an intermediate device such as a firewall can cause a similar connection issue. In this use case, the firewall allowed telnet but blocked the registration request, which resulted in the exact same error message, because the addresses and ports used by the PS were not open in the firewall policy.

 

You can use the telnet command to check whether the port is open.

If telnet did connect to the Policy Server ports, there would be a Handshake Error, because no shared secret had been submitted.

If you do not see a handshake error, then telnet did not connect to the Policy Server; it may have connected to some other device in between.
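
The check described above, as an added example that is not from the article or the vendor: a shell script that probes a Policy Server port and compares the handshake-error count in a Policy Server log before and after the probe. Assumptions: `nc` (or `bash` with `timeout`) is available, the log file is readable from where the script runs, the log records the event with the text "handshake error", and all function names and the sample log lines are hypothetical.

```shell
#!/bin/sh
# Added example, not vendor code. Separates "a TCP port answered" from
# "the Policy Server answered", following the article's handshake-error check.

# tcp_probe HOST PORT: exit 0 if a TCP connection is accepted within 5 seconds.
tcp_probe() {
    if command -v nc >/dev/null 2>&1; then
        nc -z -w 5 "$1" "$2" >/dev/null 2>&1
    else
        # Fallback when nc is absent: bash's /dev/tcp pseudo-device.
        timeout 5 bash -c 'exec 3<>/dev/tcp/$0/$1' "$1" "$2" >/dev/null 2>&1
    fi
}

# count_handshake_errors LOGFILE: print how many lines mention a handshake error.
count_handshake_errors() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -ci 'handshake error' "$1" || true
}

# classify CONNECTED BEFORE AFTER: map the observations to the article's cases.
classify() {
    if [ "$1" != yes ]; then
        echo "blocked"                # no TCP connect: wrong port or filtered
    elif [ "$3" -gt "$2" ]; then
        echo "reached-policy-server"  # a new handshake error was logged
    else
        echo "intermediate-device"    # TCP accepted, but not by the PS
    fi
}

# sample_log: constructed log lines (format is illustrative, not a real capture).
sample_log() {
    echo '[constructed] 10:00:01 INFO  server started'
    echo '[constructed] 10:05:42 ERROR Handshake error: no shared secret'
}

# Usage: script PS_HOST PS_PORT PS_LOG (PS_LOG readable from this host: assumption)
if [ "$#" -eq 3 ]; then
    before=$(count_handshake_errors "$3")
    if tcp_probe "$1" "$2"; then connected=yes; else connected=no; fi
    sleep 2  # allow the Policy Server time to write its log entry
    after=$(count_handshake_errors "$3")
    echo "$1:$2 -> $(classify "$connected" "$before" "$after")"
fi
```

A result of `intermediate-device` matches this use case: the connection was accepted, but the Policy Server never saw it, so the firewall policy for the PS addresses and ports is the next thing to review.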

Additional Information

For further details on SPS, refer to the docops product documentation for the version of CA SSO and/or SPS you’re using.