Using Logs

For basic troubleshooting, enable the severe log level for Identity Server and Access Gateway ESP and the crit log level for Access Gateway.

Access Gateway:

  1. Click Devices > Access Gateways > Edit > Advanced Options.

  2. Add the following:

    LogLevel crit

Identity Server:

  1. Click Devices > Identity Servers > Edit > Auditing and Logging.

  2. Select File Logging and Echo to Console.

  3. Under Component File Logger Levels > Application, select severe.

For advanced troubleshooting, enable the debug level. See Using debug Logs.

Sample log messages when Session Assurance fails:

These log snippets provide the following information:

  • User DN

  • Correlation ID (session ID)

  • Currently fetched device information

  • Device Fingerprint (Device fingerprint stored in the session)

  • Result

  • Failure cause

  • Offending Mandatory Attribute (information about the parameter that did not match)

Identity Server

<amLogEntry> 2016-09-23T09:59:06Z SEVERE NIDS Application: 
*************Device Fingerprint Evaluation Trace*************
Evaluating device fingerprint for user: cn=admin,o=novell
Correlation ID: d2ee43e3fbb2ca0487c9088fbc14c64cae552ecf6233412aa73fe6758a329598
Currently fetched device info: {"headerSet":{"user-agent":"Microsoft Office Protocol Discovery"}}
Total number of known devices to compare against: 1
Overall Result: Mismatch

*************Summary of comparison against known device*************

  Evaluation Result: Mismatch
  Device Fingerprint: {"user-agent":"Mozilla/5.0 (X11; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0"}
  Failure Cause: At least one individual attribute failed match/is unavailable.
  Offending individual attribute: user-agent
***************End of comparison against known device***************

***************************Trace End*************************
 </amLogEntry>

<amLogEntry> 2016-09-23T09:59:06Z SEVERE NIDS Application: The session might have been hijacked. Logging out 
</amLogEntry>

Access Gateway

The following is a snippet of the log when the crit level is enabled. This log records the session assurance failure message:

Sep 28 20:27:07 namiso httpd[9797]: [crit] AM#104600404 AMDEVICEID#ag-8B62635F46CD2776: AMAUTHID#YfdEmqCT2ZutwybD1eYSpfph8g5a5aMl6MGryq1hIqc=: AMEVENTID#23: logging out user with DN=cn=admin,o=novell and session ID =965dce7b7f4963730fed0bebf93d4ef70e062fb90e590569729f2b9b9dfd because of session assurance mismatch
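
To triage these failures in bulk, the fields listed above can be extracted from both log formats. The following is an added example, not part of the product or its documentation: the function names are hypothetical, the field labels and layout are assumed from the two samples on this page only, and only the first known-device comparison in a trace is read.

```python
import json
import re
# Entries copied (trace abridged) from the samples on this page; layout assumed from them.
IDP_ENTRY = """<amLogEntry> 2016-09-23T09:59:06Z SEVERE NIDS Application:
Evaluating device fingerprint for user: cn=admin,o=novell
Correlation ID: d2ee43e3fbb2ca0487c9088fbc14c64cae552ecf6233412aa73fe6758a329598
Currently fetched device info: {"headerSet":{"user-agent":"Microsoft Office Protocol Discovery"}}
Overall Result: Mismatch
  Device Fingerprint: {"user-agent":"Mozilla/5.0 (X11; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0"}
  Failure Cause: At least one individual attribute failed match/is unavailable.
  Offending individual attribute: user-agent
 </amLogEntry>"""
AG_LINE = ("Sep 28 20:27:07 namiso httpd[9797]: [crit] AM#104600404 AMDEVICEID#ag-8B62635F46CD2776: "
           "AMAUTHID#YfdEmqCT2ZutwybD1eYSpfph8g5a5aMl6MGryq1hIqc=: AMEVENTID#23: logging out user "
           "with DN=cn=admin,o=novell and session ID "
           "=965dce7b7f4963730fed0bebf93d4ef70e062fb90e590569729f2b9b9dfd because of session assurance mismatch")

# Label text exactly as it appears in the Identity Server trace.
LABELS = {"user_dn": "Evaluating device fingerprint for user",
          "correlation_id": "Correlation ID", "fetched": "Currently fetched device info",
          "result": "Overall Result", "stored": "Device Fingerprint",
          "cause": "Failure Cause", "offending": "Offending individual attribute"}
AG_RE = re.compile(r"\[crit\].*?AMDEVICEID#(?P<device>[^:]+):.*?AMEVENTID#(?P<event>\d+):"
                   r".*?DN=(?P<user_dn>.+?) and session ID\s*=\s*(?P<session_id>\S+)"
                   r" because of session assurance mismatch")

def find_attr(obj, name):
    """Look up name in a dict or, failing that, in its nested dicts (e.g. headerSet)."""
    if not isinstance(obj, dict):
        return None
    if name in obj:
        return obj[name]
    return next((h for h in (find_attr(v, name) for v in obj.values()) if h is not None), None)

def parse_idp_trace(entry):
    """Pull the labelled fields out of one trace entry (first known-device comparison only)."""
    out = {}
    for key, label in LABELS.items():
        m = re.search(rf"^\s*{re.escape(label)}: (.+)$", entry, re.M)
        out[key] = m.group(1).strip() if m else None
    # Value seen in this request vs. value stored in the session, for the offending attribute.
    out["seen"] = find_attr(json.loads(out["fetched"] or "{}"), out["offending"])
    out["expected"] = find_attr(json.loads(out["stored"] or "{}"), out["offending"])
    return out

def parse_ag_line(line):
    """Return device, event, user DN and session ID from a crit logout line, else None."""
    m = AG_RE.search(line)
    return m.groupdict() if m else None

if __name__ == "__main__":
    print(parse_idp_trace(IDP_ENTRY), parse_ag_line(AG_LINE), sep="\n")
```

Comparing "seen" with "expected" shows which value changed mid-session; in the sample, a request from an Office client arrived on a session whose fingerprint was recorded from Firefox.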