Difference between revisions of "Error Messages"

From Swivel Knowledgebase
Jump to: navigation, search
(port kb2 transport error by MTura)
Line 64: Line 64:
  
  
'''Login failed for user: test, error: The user does not have a PIN set.'''
+
'''Login failed for user: test, error: The user does not have a PIN set.''' After a migration may mean the Timezone was not maintained.
  
 
If this is also seen with the following:
 
If this is also seen with the following:

Revision as of 16:43, 12 July 2017

Introduction

Swivel writes information and error messages to its logs files or to a Syslog, which can viewed within the Swivel Admin Console under Log Viewer. Additionally, the Swivel logs are stored under /home/swivel/.swivel/logs.

This page provides more information about these messages, likely root causes and fixes.

General Errors

Pinsafe is currently not able to run correctly. Please check your server.

This can be see when trying to login to the Swivel administration console. Check the system logs for errors and see Swivel does not start


Corrupt Log File Stack Trace on Log Viewer screen

This is caused by invalid characters in the log file. If you set the log file size to be very small (eg 10k) and then create a few log entries by requesting TURing images, the log file will roll over to a new file and the log viewer page should again render properly. Do not forget to reset the log file size back to a sensible value. To identify the root cause retrieve the log files directly from the server.


<username>: Failed to start a single channel session: AGENT_ERROR_USER_LOCKED.

When a user requests a TURing image or a SMS security string in on-demand mode, this starts a Swivel authentication session. This error indicates that this session start has failed because the user-account is locked. The account should be unlocked by going to the admin console, finding the users account and selecting the unlock option;.


Session start failed for user: graham, error: Single channel image request by username is disabled.

There are two ways that a TURing image can be requested. Firstly an agent starts a session, reads the Session ID and then requests the image by sending the session ID to Swivel. The second way is where those two steps are combined into a single step, an agent just passes Swivel the username, the session is started and the TURing image returned in one step. To support this second model Swivel must be configured to Allow Session Start by Username or Allow Image Request by Username.


Session start failed for user: x, error: No Data for user was found. or error: No data for the user was found The requested user does not exist in the database. If the user does exist in the repository (eg Active Directory) then Swivel needs to sync with that repository.


<username>: Failed to start a single channel session: AGENT_ERROR_USER_NOT_IN_GROUP. <Agent Name>: Error occurred during login for user: xxxxx, error: User does not belong in the correct group within the user repository to continue the authentication attempt

Swivel can be configured so that only members of certain groups can authenticate via certain agents. This error indicates that a user is trying to authenticate against an Agent that they are not authorised to do. In 3.x versions of Swivel it maybe necessary to synchronise with the repository for any changes in these policies to be affected. Also seen in relation to ChangePIN where a user is trying to use the incorrect transport to change their PIN number.


Pinsafe license contains an error.

The license is invalid or has not been correctly entered.


ERROR - The number of users in the Pinsafe users group has exceeded the license

exceeded licensed users

The number of licensed users has been exceeded. Note that this message will be displayed even if a new larger license is installed until Tomcat is restarted. A large license may need to be purchased, or users marked a Deleted User may need to be purged, see Delete a Swivel user.


ChangePIN failed for user: xxxx, Error: The PIN is not complex enough.

The PIN entered is too simple and breaks the Swivel rules defined in the Administration Console, The default for repeated digits is 0 and allows for no repeated digits.


CHANGE_PIN_PIN_ERROR:

The original OTC is incorrect. A correct OTC must be entered before a new OTC is entered. If using the single Channel TURing image, ensure session request by username is enabled under Server/Single Channel.


Change PIN failed for user: username, error: CHANGE_PIN_PASSWORD_ERROR

On the Swivel administration console check to see if the setting under Policy/PIN and OTC that the require password for PIN change is set to Yes or No.


Login failed for user: test, error: The user does not have a PIN set. After a migration may mean the Timezone was not maintained.

If this is also seen with the following:

Exception occurred checking agent: SQL Exception: Invalid transaction state..

The following also may be seen when a users PIN is reset:

Exception occurred checking agent: SQL Exception: A lock could not be obtained within the time requested.

A lock file may exist on the database that was not cleared properly. To resolve this issue;

Stop Tomcat

go to <path to Tomcat>\webapps\pinsafe\WEB-INF\db\swivel

Example on an appliance: \usr\local\apache-tomcat\webapps\pinsafe\WEB-INF\db\pinsafe

Check for and delete any .lck files.

Start Tomcat


LOG_PINSAFE_CREDENTIALS_EXCEPTION, java.lang.NumberFormatException: For input string: ""

The PIN number for a user cannot be obtained. This can be caused by the following:

Swivel being unable to decrypt the PIN such as when timezone has changed

Auto set credentials has been turned off and the user has been created without a PIN.

A PINless user is changed to a PIN user and no PIN has been allocated.


Loading transport class "com.swiveltechnologies.Swivel.server.transport.SmtpTransport" failed, error: java.lang.reflect.InvocationTargetException. java.lang.reflect.InvocationTargetException

This error has been seen where incompatible java class versions are being used. Verify any java classes that have been imported to the Swivel server.


Repository "Active Directory", cannot be added to the database: possibly already exists.

This error can occur if the repository name already exists or the Database is still set to shipping mode. The repository "local" can be used but will also generate this error but can be ignored.


bash: keytool: command not found

This error is seen when keytool cannot be found in the users path. This will be part of the Java path, and will depend upon the Java Version, Example: /usr/java/jre1.6.0_18/bin/keytool


losing too many ticks! Possible reasons for this are: You're running with speedstep You don't have DMA enabled for your hard disk Incorrect TSC synchronisation on an SMP system Falling back to a sane timesource now

Set the Swivel appliance to use a time server using the Network Time Protocol (NTP), see NTP servers


ERROR - Synchronising user list to peer "Primary" failed, error: Unexpected end of file from server.

This error is seen from a Peer Synchronisation. The peering feature has been deprecated and should be disabled.


PINsafePrimary Migrating resource away from <server name>

This message is seen in Swivel A/A pairs where the Virtual IP is failing over to the alternate node in the Heartbeat cluster. This can happen if you stop Tomcat on swivel or if they lose connectivity to one another.


Servlet.service() for servlet SyncOathToken threw exception

Incorrect seed entered for token


filter en_GB

java.util.MissingResourceException: Can't find bundle for base name filter, locale en_GB

This error has been seen in Catalina.out on a version of the 2.0.16 appliance patch. Edit the file /etc/profile.d/swivel.sh and change

export SWIVEL_HOME=/usr/local/tomcat/webapps/pinsafe/WEB-INF

to

export SWIVEL_HOME=/home/swivel/.swivel

Logout the CMI then log back in again for it to take effect.


inode too big

If there are issues with an appliance booting make a note of any inode numbers given as errors and these can be used to find problems if any partitions can be mounted. To search using an inode use:

find / -inum <inode_number>

Example:

find / -inum 722421

See also Appliance fails to boot after power outage


[CDATA[SYNC_ERROR, javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure, Time out now 60]]

This can be resolved by editing the file /usr/local/tomcat/conf/server.xml and changing both instances of 'sslProtocols=' or 'sslProtocol=' to be 'sslEnabledProtocols=', i.e. adding Enabled.


Loading the XML repository file "/home/swivel/.swivel/data/repository.xml" failed, error: org.apache.xmlbeans.XmlException: /home/swivel/.swivel/data/repository.xml:675:4: error: Entity is not well-formed (ending lex state: 9).

Loading the XML repository file "/home/swivel/.swivel/data/repository.xml" failed, error: org.apache.xmlbeans.XmlException: /home/swivel/.swivel/data/repository.xml:5010:34: error: Unexpected end of file after email.

Loading the XML repository file "/home/swivel/.swivel/data/repository.xml" failed, error: org.apache.xmlbeans.XmlException: /home/swivel/.swivel/data/repository.xml:1:1: error: Unexpected end of file after null.

Loading the XML repository file "/home/swivel/.swivel/data/repository.xml" failed, error: org.apache.xmlbeans.XmlException: /home/swivel/.swivel/data/repository.xml:7661:6: error: Unexpected end of file.

These errors can be seen when searching XML repositories in some versions of Swivel. It is resolved by upgrading to 3.10.4


Authentication Errors

Login failed for user: test

The user failed to login. For User login problems see User login fails


An error occurred, please check your credentials. If the error persists contact your Pinsafe Administrator.

Seen on a user login. See the following: User login fails


The user does not have any security strings suitable for authentication

For a user to authenticate they need to have been presented with a security string either as a TURing image or as a Security String message (e.g. SMS). This error indicates that a user has tried to authenticate despite the fact that they do not have a valid security string. This maybe because they have used the wrong name to request the security string or the security string they had been sent has expired


admin:Exception occurred checking agent: SQL Exception: Invalid transaction state.

admin:Credentials invalid for user "graham"

graham:Failed to login user graham, error: The user does not have a PIN set.

The credentials invalid message can mean that the incorrect OTC has been entered. With the SQL Invalid transaction state message and invalid credentials may occur if the on Swivel versions earlier than 3.9 where the timezone has been altered. If the timezone has changed then the message that the user does not have a PIN set may also be displayed. Set timezone back to its original settings and restart the database i.e. for internal restart Swivel or MySQL for appliances.


RADIUS Authentication Errors

<username> Failed to login. RADIUS: <86> Access-Request(1) LEN=57 <IP address>:12004 Access-Request by <username> Failed: AccessRejectException:

This error is usually followed by a AGENT_ERROR, and these are described separately below. The following applies where there is no AGENT_ERROR

If RADIUS based authentication attempt and RADIUS logging is enabled possible options are that this indicates the user has failed to authenticate successfully. If no other errors are logged in relation to the authentication attempt then the cause is that the user entered the wrong credentials. Also try resetting the Swivel password under User Administration to a blank value to clear out any password that may have been set.

This can be caused when an SMS message is to be entered but a Single Channel Image is started, if so then it is expecting a single channel OTC login, until the image times out (default 120 seconds).

The wrong security string index was used (use OTC-String Index, Example 9381-01).

A previously used OTC was attempted to be used again.

Ensure Check password with repository is set to No if it is not required.

Swivel 3.8 userPrincipleName (UPN) fails, but using the sAMAccountName (SAM) account name authentication succeeds. This is caused by a bug and is resolved in Swivel 3.9


RADIUS: <72> Access-Request(1) LEN=130 192.168.1.1:9328 Access-Request by domain\user Failed: AccessRejectException: AGENT_ERROR_NO_USER_DATA

The user does not exist in the system. Where the domain name is required to differentiate users of the same name, set the Swivel repository username attribute to be userPrincipalName, and instead login with username@domain. You are unable to pass DOMAIN\username in a RADIUS request.


RADIUS: <0> Access-Request(1) LEN=60 192.168.1.1:1685 Access-Request by username Failed: AccessRejectException: AGENT_ERROR_BAD_OTC
xxx.xxx.x.xx:<name>Login failed for user: <user>, error: The one-time code was missing or malformed.

This indicates that Swivel has been unable to extract the one-time code from the RADIUS request. This is usually because the shared-secret set on Swivel does not match the shared secret set up on the NAS (VPN). Check/reset both shared secrets, check a password has not been accidentally set for the user. See also AGENT ERROR BAD OTC and Reset a Users Password


RADIUS: <0> Access-Request(1) LEN=192.168.0.1:1001 Access Request by username Failed: AccessRejectException: AGENT_ERROR_NO_SECURITY_STRINGS, or AGENT ERROR NO SECURITY STRINGS

and

Login failed for user:username, error: The user does not have any security strings suitable for the authentication.

See AGENT_ERROR_NO_SECURITY_STRINGS


RADIUS error: The user does not have a PIN set and Access-Request by username Failed: AccessRejectException: AGENT_ERROR_NO_PIN

This may be seen when the Swivel system cannot read the users PIN number such as after a time zone change.


RADIUS: <9> Access-Request(1) LEN=56 10.0.1.1:32773 Access-Request by test Failed: AccessRejectException: Two Stage Password Fail

Two stage authentication is being used and a password is expected to be entered.


RADIUS: <0> Access-Request(1) LEN=45 x.x.x.x:7423 Packet DROPPED: Source IP address [x.x.x.x] does not have a NAS entry

Log Error: The agent is not authorised to access the server, IP: xx.xx.xx.xxx

An agent/NAS has made a request to Swivel but that agent/NAS is not authorised to do so. The agent/NAS needs to be configured with a specified IP address and shared secret. If not matching entry is found for the agent/RADIUS request is refused and this error is logged.


RADIUS: <87> Access-Accept(2) LEN=57 <IP address>:12004 Access-Request WARN : x.x.x.x device 2:Exception occurred during login for user: username, exception: java.lang.StringIndexOutOfBoundsException: String index out of range: 4

Indicates that the user had entered a one-time code that is greater than the PIN length.


INFO RADIUS: <0> Access-Request(1) LEN=78 192.168.1.1:4175 PACKET DROPPED - MESSAGE AUTHENTICATOR IS INCORRECT

This indicates that the shared secret on the access device and the Swivel NAS setting do not match


INFO RADIUS: <0> Access-Request(1) LEN=78 192.168.1.1:4175 PACKET DROPPED - Duplicate packet from NAS

This can be caused by the following:

  • If the Swivel server sends the reply but it is not received by the access device, the access device may try to resend the RADIUS request. This can be caused by the Access device sending a RADIUS request from an external interface, but not accepting the response through that external interface.
  • When an authentication fails the RADIUS client may retry sending additional authentication requests. Resolve the initial issue causing the failure.
  • Some access devices may make additional RADIUS requests for group membership checks.
  • If a Swivel Virtual IP (VIP) address is used the RADIUS request may be made against the Swivel VIP, but the RADIUS response may be sent from the real IP address of the Swivel server, and be blocked by the access device due to IP spoofing rules. Duplicate packets may be then seen, as the access device has not seen a response from the Swivel server, so repeats the authentication. This can be resolved by using the real IP address of the Swivel server for the RADIUS request rather than the VIP, but may impact the solution in place.


RADIUS: <0> Access-Request(1) LEN=60 192.168.9.250:1496 PACKET DROPPED - Badly formed Attribute Block, Attribute at position 2 of type User-Password (2) has no data value (forbidden).- 12 octets not processed after error.

The request to the Swivel RADIUS server is in an incorrect format, attributes are missing. To rectify, set the permit empty attributes to Yes in the RADIUS server settings.


RADIUS: <10> Access-Challenge(11) LEN=56 10.0.1.1:32772 Access-Request by test resulted in Access-Challenge

Two Stage authentication is enabled and the Swivel server has responded requesting a One Time Code to be entered.


RADIUS: <0> Access-Reject(1) LEN=70 x.x.x.x:1097? Access-Request by admin Failed: AccssReject Exception: AGENT_ERROR_AUTH_METHOD_UNSUPPORTED

or

RADIUS method not supported

An authentication method is being used which is different to that permitted for the Access device. i.e. single channel authentication is being used where only dual channel authentication is permitted or dual channel authentication is being used where only single channel authentication is permitted. Check the NAS entry on the Swivel server for the correct value.


INFO RADIUS: <5> Access-Request(1) LEN=65 192.168.1.1:25292 Access-Request by graham Failed: AccessRejectException: AGENT_ERROR_THIRDPARTY

INFO 192.168.1.1 VPN:Login failed for user: graham, error: Third party authentication failed.

A Third party authentication such as PositiveID, has failed for the Swivel user.


RADIUS: <0> Access-Request(1) LEN=64 x.x.x.x:1265 Access-Request by username Failed: AccessRejectException: Two Stage Password Fail

x.x.x.x Identifier:Failed to get LDAP context for username@domain

The check password with repository is failing for the first stage of two stage authentication. This could be due to an incorrect password being entered or not recognised. On the Swivel Administration console when using AD try setting the AD server settings username to the UPN name. If the AD domain is incorrect then authentication will fail. Below version 3.9.1 the domain is taken from the AD configuration, if a different domain is required, use a service account with the same domain.


RADIUS server failed to start, error: com.theorem.radserver3.RADIUSServerException: RADIUS authentication server receiver thread failed to start: Failed to create RADIUS server socket on port 1812: java.net.BindException: Cannot assign requested address.

RADIUS server failed to start, error: com.theorem.radserver3.RADIUSServerException: RADIUS authentication server receiver thread failed to start: Failed to create RADIUS server socket on port 1812: java.net.BindException: Address already in use.

RADIUS: Failed to create RADIUS server socket on port 1812: java.net.BindException: Address already in use

The RADIUS server cannot start as the port is already in use.

  • Verify that there are no other applications or other versions of Swivel running RADIUS
  • Check that the IP address entered on the Swivel RADIUS server is that of the Swivel server, or blank to receive RADIUS requests on any of its interfaces.
  • The Swivel server may not have had time to shutdown before restarting, try a restart of Tomcat. This may be seen after a Swivel upgrade.
  • Do NOT use the VIP address as the RADIUS server address, see VIP on PINsafe Appliances.

Access-Request by qwerty Failed: AccessRejectException: AGENT_ERROR_METHOD_UNSUPPORTED

Login failed for user: qwerty, error: The chosen RADIUS authentication method is not supported RADIUS_EAP_OTHER,0

An EAP RADIUS request has been received but the Swivel RADIUS client has not been configured to use EAP.


RADIUS: <15> Access-Request(1) LEN=161 192.168.1.1:57393 Access-Request by qwerty RESPONSE PACKET NOT SENT - FAILED VALIDATION AccessDropException: EAP Packet reply to EAP-Identity response packet has no State attribute or has timed out.

192.168.1.1 client:RADIUS_ACCESS_DROP_EXCEPTION, AccessDropException: EAP Packet reply to EAP-Identity response packet has no State attribute or has timed out.

RADIUS client is using EAP MSCHAPv2 which is currently not supported


RADIUS: Exception in thread: DATAGRAM LEN = 74 FROM 192.168.0.1:15981 org.apache.xmlbeans.impl.values.XmlValueDisconnectedException at org.apache.xmlbeans.impl.values.XmlObjectBase.check_orphaned(XmlObjectBase.java:1212) at com.swiveltechnologies.xmlconfig.impl.LookupImpl.isSetValue(Unknown Source) at com.swiveltechnologies.pinsafe.server.config.ConfigurationListImpl.getLookup(ConfigurationListImpl.java:470) at com.swiveltechnologies.pinsafe.server.radius.RadiusManager.getAgentGroup(RadiusManager.java:284) at com.swiveltechnologies.pinsafe.server.radius.RadiusAccess.authenticate(RadiusAccess.java:305) at com.theorem.radserver3.RADIUSSession.o(Unknown Source) at com.theorem.radserver3.RADIUSSession.e(Unknown Source) at com.theorem.radserver3.RADIUSSession.run(Unknown Source) at java.lang.Thread.run(Unknown Source)

This error has been seen in Swivel version 3.9.2 and is related to a bug relating to user attributes. For an immediate fix restart the Swivel server, for a long term fix upgrade to Swivel version 3.9.3.


RADIUS: Exception in thread: DATAGRAM LEN = 155 FROM 192.168.1.2:53987 java.lang.NumberFormatException: For input string: "D5368" at java.lang.NumberFormatException.forInputString(Unknown Source) at java.lang.Integer.parseInt(Unknown Source) at java.lang.Integer.parseInt(Unknown Source) at com.swiveltechnologies.pinsafe.server.utility.Utility.extractIndex(Utility.java:265) at com.swiveltechnologies.pinsafe.server.user.LocalAuth.getChannelAndSecurityString(LocalAuth.java:527) at com.swiveltechnologies.pinsafe.server.user.LocalAuth.login(LocalAuth.java:729) at com.swiveltechnologies.pinsafe.server.radius.RadiusAccess.authenticatePAP(RadiusAccess.java:1107) at com.swiveltechnologies.pinsafe.server.radius.RadiusAccess.authenticate(RadiusAccess.java:499) at com.theorem.radserver3.RADIUSSession.o(Unknown Source) at com.theorem.radserver3.RADIUSSession.e(Unknown Source) at com.theorem.radserver3.RADIUSSession.run(Unknown Source) at java.lang.Thread.run(Unknown Source)

This is caused by a - or ' in a Check Password with repository for a RADIUS authentication and Swivel interpreting the String Index. Seen in version 3.9.6. Workaround 1. Do not use ' or - in the password. Workaround 2. If the access device supports checking AD password then configure it so that Swivel is only checking the Swivel OTC.


Agent Authentication Errors

AgentXML request failed, error: The agent is not authorised to access the server.

An Agent-XML request is being made against the Swivel server but is not permitted to do so. If access should be allowed create an entry on the Swivel Administration Console under Server/Agents. If an entry exists verify the shared secret is the same on Swivel and the access device. If hostname is used ensure case is correct and if that fails try with the IP address.


AgentXML request failed, error: The XML request sent from the agent was malformed.

The Agent XML request contains an error check the format. Spaces may also cause errors.


Invalid agent definition, name: MBCPHSG2, hostname/IP: XXXYYY

The hostname provided does not resolve into a valid IP address.


Failed to get LDAP context for user

This error can be seen when making an authentication and the option to check password with repository is set to true and the user enters a password. This response is on AD as well as LDAP.

It could also be because the LDAP repository is expecting credentials in the form username@domain. You can fix this by using credentials in this form for the repository admin credentials (in the repository definition). If there is an '@' in the username for the repository definition, Swivel tries to use the same domain when checking users passwords.


User "graham" has been locked, reason: The user was required to change their PIN before this authentication.

The user account has been locked. This will occur if the user is required to change their PIN such as after an admin reset or after first login. When they try and login again, this error message will be displayed. Unlock the user account, ensure user knows they must change their PIN.


Access-Request by graham Failed: AccessRejectException: AGENT_ERROR_PIN_NOT_CHANGED

The users PIN was not changed. This could be caused by the account being locked, such as through a previous failed changePIN attempt.


FLUSHING_IMAGE_CACHE, ClientAbortException: java.net.SocketException: Connection reset

This error message can be seen in the Swivel log when a Windows login is attempting to use an animated gif. Turn off animated gifs and switch to 'Static', on Swivel - This is set under Server > Single Channel > Image Rendering.


AGENT_ERROR_NO_AUTH

No suitable authentication method has been found for the user.

Synchronisation and LDAP (Active Directory) Errors

Introduction When Swivel integrates with external systems such as Active Directory, it detects errors raised by those third-party systems. A full list of possible errors is outside the scope of this page, however the more common errors are described below. Other sites, e.g. http://ldapwiki.willeke.com/Wiki.jsp?page=LDAPResultCodes will provide LDAP error-code listings.


Abandoned User Sync for repository <repository name>

If a synchronisation encounters an error then the sync job will stop. Check the settings are correct, particularly LDAP group names, and check the logs for further associated errors. Has the AD infrastructure had any changes such as the renaming or move of an OU or CN?


User sync request ignored: job already running for repository <repository name>

A sync job is already running, and an attempt has been made to start a new one. If the sync job has just been started, ensure that their is sufficient time to complete it. If the sync job has already been running for a long time, it may be that the the job has hung, and may require a restart of Tomcat.


SEVERE Exception occurred: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece ]

This is usually caused by when incorrect authentication is made against an AD domain. Check the username and password being used for the LDAP synchronisation, check the password has not been changed and the account is still active. Is the username/password correct? Try using different account details such as:

  • userPrincipalName (username@domain) for the service account to login to AD
  • domain\username
  • CN=user,DC=domain,DC=local

Test the user account with an LDAP browser, and see if the LDAP can be browsed. We recommend the use of third-party software from Softerra called LDAP Browser. This is available as freeware and as a commercial paid-for product. Available here: http://www.ldapbrowser.com/

Other possible errors for AcceptSecurityContext: AcceptSecurityContect error, data xxx, vece are as follows:

  • 525 user not found
  • 52e invalid credentials
  • 530 not permitted to logon at this time
  • 531 not permitted to logon at this workstation
  • 532 password expired
  • 533 account disabled
  • 701 account expired
  • 773 user must reset password
  • 775 user account locked


ERROR Exception occurred: during repository attribute query, object:<name>, attribute: sAMAccountName, exception:java.naming.InvalidNameException There is a syntax error in the ldap query being attempted, most likely cause is an error in the repository group definitions, check these definitions, possibly cross-reference with an LDAP browser.


Exception occured during repository group member query, group: CN=Swivel2factor,CN=Users,DC=Swivel,DC=swivel,DC=secure, exception javax.naming.CommunicationException: 192.168.0.1:389 [Root exception is java.net.NoRouteToHostException: No route to host]

The error No Route to Host indicates a networking issue. Check to see if the Swivel server can Ping or Telnet on port 389 (or required port) to the AD or LDAP server.


Exception occured during repository group member query, group: [LDAP: error code 8 - 00002028: LdapErr: DSID-0C09018A, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, vece], exception CN=SwivelUsers,CN=Users,DC=swivelsecure,DC=com

SSL is enabled on the AD server, configure the Swivel server to use LDAP over SSL is required.


The object "CN=swivel-users,OU=Groups,OU=Swivel,DC=swivel,DC=local" on repository "AD" is not a valid group.

This could be caused by:

  • The swivel-users is actually a Container, rather than a group.
  • swivel-users is not defined as a group, according to the LDAP standard. Swivel only looks for objects with objectClass=group.
  • If it is a global group, it is possible that the account used to connect to AD does not have permission to read the group properties.
  • Swivel cannot read primary groups.


No value for username attribute <attributeName> The user CN=x-x-x-x,CN=y,DC=z,DC=company,DC=com has no value for username attribute <AttributeName>. User not added
ERROR - Exception occured during repository attribute query, object: CN=something,OU=oux,offices,OU=Com,DC=bob,DC=corp, attribute: sAMAccountName, exception:javax.naming.NameNotFoundException: [LDAP: error code 32 -0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT)

The user within the repository has no value set for the attribute that is configured to be used as the Swivel username; therefore an account cannot be created for that user. For example if Swivel was configured to use the Active Directory attribute for email address for the Swivel account name and this value was not set in AD for a given user.

This may happen when a user has been added to a trusted domain where Swivel is looking for users within that group, only the fact that the user is a member of the group is available, and not the attributes of that user. Create a Swivel AD repository to read the trusted AD domain or use an AD Global catalogue server.


ERROR 192.168.1.1 admin:Exception occured during repository group member query, group: CN=Swivelusers,OU=Swivel,DC=xxx,DC=swivelsecure,DC=com, exception ADserver1.xxx.swivelsecure.com:389

or

ERROR 192.168.1.1 admin:Exception occured during repository group member query, group: CN=Swivelusers,OU=Swivel,DC=xxx,DC=swivelsecure,DC=com, exception javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of: OU=Swivelsecure,DC=Swivelsecure,DC=com]; remaining name CN=Users,OU=Swivelsecure,DC=Swivelsecure,DC=com

This can be caused by a user who is a member of the group Swivelusers but is part of another domain. Swivel will not be able to read the attributes for that user. Swivel would need to connect to that AD domain or read a Global Catalogue Server. It can also be caused by an incorrectly specified LDAP path, verify that the LDAP path is correct.


Exception occurred: during repository group member query, group: javax.naming.CommunicationException: xxx.xxx.xxx.xxx:389 [Root exception is java.net.NoRouteToHostException: No route to host],exception %2

or

Exception occured during repository group member query, group: CN=SwivelUsers,OU=Groups,DC=swivelsecure,DC=com, exception javax.naming.CommunicationException: ad.swivelsecure.com:389 [Root exception is java.net.UnknownHostException: ad.swivelsecure.com]

The Swivel server cannot resolve the host name of the LDAP/Active Directory server or cannot route to it. Check the DNS settings for the Swivel server and the hostname defined in the repository configuration.


Exception occured during repository group member query, group: CN=SwivelUsers,OU=Groups,DC=swivelsecure,DC=com, exception 192.168.0.1:389; socket closed

A connection is being made but the socket is closed. This could be caused by an existing AD/LDAP query in place. Check that the AD/LDAP synchronisations are set to occur at differing times and that they are not run too often. Typically synchronisation is set to occur every 60 or 120 minutes.


ERROR Exception occurred during internal database access, exception: SQL Exception: The statement was aborted because it would have caused a duplicate key value in a unique or primary key constraint or unique index identified by 'SQL070416065001590' defined on 'PINsafeJ'

This error occurs if Swivel attempts to create a new user with a non-unique username. This can occur if two different repositories contain users with the same username. For example if you create a user called admin in the xml repository and a user exists within AD that is also called admin, the attempt to create the second account called admin will fail and this error will be reported. Care must be taken when working with Active-Active pairs, as the database is shared but the xml repositories are not. Therefore if you create an account in each xml repository called admin, Swivel will try and create two Swivel accounts called admin and this error will result.


Exception occurred during database access, exception: com.microsoft.sqlserver.jdbc.SQLServerException: Violation of UNIQUE KEY constraint 'UQ__PINsafeJ__6477ECF3'. Cannot insert duplicate key in object 'dbo.PINsafeJ'.

A user already exists with the same username. Up to and including Swivel 3.8 it may indicate that the user may have been created in a different case which Swivel has not differentiated as a new user.


Invalid Credentials

The Swivel server has been unable to decrypt the credentials for as user. This is seen on Swivel versions earlier than 3.9, if the timezone has been changed and the database restarted. Set the Time Zone back to the previous value and reboot. When an authentication is made the following error may be seen in RADIUS error: The user does not have a PIN set and Access-Request by username Failed: AccessRejectException: AGENT_ERROR_NO_PIN


the user <username> has been moved

This indicates that the FQDN path of a user has been changed. Swivel is able to recognise that it is the same user thus preventing the user being deleted and created as a new user.


Browser limit exceeded

The LDAP folder contains more entries than the LDAP browser can read. Swivel 3.6 and 3.7 has a limit of 1500 entries. To view more items than the Swivel LDAP browser allows then try using a 3rd party LDAP browser product.


ERROR - Exception occurred during repository group member query, group: CN=SwivelUsers,CN=Users,DC=swivelsecure,DC=com, exception 192.168.0.100:389; socket closed

Synchronisation with the data source has been stopped after the port was closed, this could be caused if the system is shutdown or rebooted. Check to see if this is a one off instance or occurs multiple times.


javax.naming.NamingException: [LDAP: error code 1 - 000020D6: SvcErr: DSID-031007DB, problem 5012 (DIR_ERROR), data 0 ]; remaining name 'CN=Swivel Swivel'

This is caused when Swivel cannot find the specified group. Check the group pathname.


ConnectException: Connection timed out

Swivel cannot connect to the LDAP or AD data source, check network connectivity


Exception occurred checking agent: com.mysql.jdbc.MysqlDataTruncation: Data truncation: Data too long for column 'B' at row 1

The repository name specified was too long. Repository names can only be up to 32 characters in length.


ERROR The user "admin" cannot be created as an existing user with the same name already exists

An admin user in an A/A appliance is being synced with a database that already has an admin user. Remove the new instance of the admin user, usually from thin the XML repository.


admin:The user "xxxxx" cannot be created as an existing user with the same name already exists.

admin:Exception occurred checking agent: com.mysql.jdbc.exceptions.MySQLIntegrityConstraintViolationException: Cannot add or update a child row: a foreign key constraint fails (`pinsafe_rep/PINSAFEJ`, CONSTRAINT `PINSAFEJ_ibfk_1` FOREIGN KEY (`I`) REFERENCES `PINSAFEL` (`A`) ON DELETE CASCADE).

This has been seen on importing internal data from the db folder from version 3.6 to 3.9.5, and them migrating to a MySQL database, and is followed by a user sync. Setting the option under Repository, to allow the user to change repository and then restarting Tomcat resolved the issue, although the logs indicated that the users had been deleted, this was not the case.

The user "mtura",OU=PINsafeUsers,OU=Pinsafe,DC=SwivelSecure,DC=com" cannot be found.

The user does not exist within the repository or cannot be found. Ensure that the user exists within AD/LDAP and is synchronised with Swivel.

Transport Related Errors

The user does not have an associated alert transport

Swivel is unable to send alert information (Such as new PIN numbers, account lockout information), to the user as they do not have a transport method for sending them. See User_does_not_have_an_associated_alert_transport


No Transport Attribute found for User
No Alert Transport Attribute found for User

This message occurs if the Swivel server has attempted to send a security string or an alert message to the user, but does not have the required information, i.e. where to send the message, to do so. Check that the (Alert) Transport attribute has been set correctly and that this attribute has been set for the user. For example for integrating with AD, check that the attribute has been set to telephoneNumber or Mobile as required


Dual channel message request failed, error: On-demand dual channel delivery is disabled.

A dual channel message request was made but the On-demand delivery is not enabled. If it should be enabled, on the Swivel Administration console select Server/Dual Channel, then set On-demand delivery to Yes.


LOG_MESSAGE_REQUEST_DISALLOWED

A Dual Channel security String request has been made by a user who is does not have dual channel permissions.


LOG_MESSAGE_REQUEST_FAILED_FOR_UNKNOWN_USER

A Dual Channel security string request has been made for a user that is not in the Swivel database.


LOG_ERROR_WRITING_TO_TRANSPORT_QUEUE

Incorrect transport specified for user. Verify their group memberships and that the correct Transport Attribute is used.


Message has been retried too many times, being removed from message queue, user: <username>, destination: 441234567890.
The message has been attempted to be resent more than the specified number of retry attempts. Check the logs for messages to indicate why the sending of the message failed.


Message send failed for user <username>

Message send failed for user <username>, destination: 441234567890. Message will be retried later. The message has failed to be resent and will be retried. Check the logs for other transport-specific messages that indicate why transmission failed, eg network connectivity issue of lack of credit on SMS provider account.


Transport Queue has become locked:<Transport Name>

This indicates that the transport queue has taken too long in an attempt to send a message. This can occasionally occur in normal operation if, for example, an intermittent network issue has affected communication with an SMS provider. If you see this message you should monitor the logs to ensure that subsequent messages sends are successful. If it appears that messages are no longer being sent then tomcat may need to be restarted. Increasing the Message send Timeout in the Transport/General may help.


Membership of multiple alert transport groups is not permitted for user:

This occurs when users are member of more than one group that is assigned to a string transport entry or alert transport entry. The cause for this can be when users are added either purposely or accidentally to additional groups on the Active Directory or whichever repository type you are syncing with and a subsequent User Sync takes place in Swivel.

To resolve this issue, on the Swivel administration console select the User Administration screen. Find a user that is suffering from this problem. Change the View drop down on the User Administration screen to be 'Groups'. Make a note of the groups that the user is assigned to (represented by a tick/check mark). Then visit the Transport -> General screen. You now need to look for Transports you have defined, where these groups have a 'Alert repository group' drop down containing either of the groups you noted in the previous step. It is not possible to have a user assigned to more than one transport sting or transport alert. So you will need to remove the users from the offending group which has led to this situation.


Membership of multiple transport groups is not permitted:

A user can only have one transport method for sending security strings, a second transport method may be used for sending alerts. Swivel groups can be structured to ensure membership of only one transport group.


User "admin" is a member of multiple transport groups

Warning that a user is a member of more than one transport group. Ensure that users have only one group that is assigned a transport.


WARN SMS_Transport message sending failed, error: java.net.UnknownHostException:

The host to which the message is being sent to cannot be found. Check DNS and network.


SMTP Transport failed to send Credentials to "xxx@xxx.xx", exception: com.sun.mail.smtp.SMTPSendFailedException: 501 #5.1.3 Partial domain not allowed: 'localhost'

The SMTP From address has a localhost entry, this should be substituted for a valid email address.


com.sun.mail.smtp.SMTPSendFailedException: 553 5.5.4 <Swivel>... Domain name required for sender address Swivel

The domain name has not been specified for the sender. This may need to be set under the SMTP transport or under Logging/SMTP.


SMTP Transport failed to send Security Strings to "user@domainname", exception: javax.mail.MessagingException: Exception reading response; nested exception is: java.net.SocketException: Connection reset

This error can be caused by a standard SMTP connection to a port that is only configured to receive SSL connections.


ERROR Could not connect to SMTP host: smtp.company.com, port: 25; nested exception is: java.net.ConnectException: connection to smtp.company.com timed out

The Swivel server is unable to connect to the mail gateway, check that a network path exists to the mail server.


SMTP Transport failed to send Credentials to "a.user@company.net", exception: com.sun.mail.smtp.SMTPSendFailedException: 452 4.3.1 Insufficient system resources"

This is a Microsoft Exchange standard message. This can occur when the sender criteria is restricted on the Exchange server that you have configured under Server -> SMTP. Depending on the restrictions imposed, a potential way to alleviate this is to permit the sending of emails by the From address of the Swivel instance, on the Exchange server.


SMTP Transport failed to send a PIN Expiry Alert to "a.user@company.net", exception: javax.mail.MessagingException: Could not connect to SMTP host: mail.swivelsecure.local, port: 25, response: 421

This 421 response is typically seen when using SMTP with an Microsoft Exchange server later than 2003. The email will reach the recipient but the default timeout of 10 seconds on the Server -> SMTP screen of the Swivel admin console needs to be increased to 30 seconds to avoid these messages. Duplicate emails are also a symptom of this issue.


SMTP Transport failed to send Credentials to "username@domain", exception: javax.mail.MessagingException: Unknown SMTP host: smtp.gmail.com; nested exception is: java.net.UnknownHostException: smtp.gmail.com

Verify that the mail gateway can be connected to from the Swivel server by a ping and then a telnet. Try entering also the IP address in the Swivel configuration instead of the hostname. Is a proxy server in place between the Swivel server and gateway.


TRANSPORT_LOADED: SMTP EXCEPTION IN TRANSPORT:id SMTPnull

A bug in Swivel 3.8 prevents the delivery of security strings by SMTP (email), it does not affect SMTP to SMS or other transport classes, it also does not affect alerts. Upgrade to a more recent version."


iTagg message sending failed, error: error code|error text|submission reference 102|submission failed due to insufficient credit|0

The SMS gateway has run out of credit to send SMS messages.


Clickatell message sending failed, error: org.marre.sms.SmsException: org.marre.sms.transport.clickatell.ClickatellException: Clickatell error. Error 001, Authentication failed

Wrong username, password or API ID for Clickatell SMS account


java.net.ConnectException: connection timed out: connect

Connection to Clickatell SMS Gateway failed with the connection timing out. Verify that the Swivel server connection to the SMS gateway is not being clocked by a firewall or proxy server.


AQL_TRANSPORT_ERROR0 Destination number(s) error +441234 567890

SMS message has failed to be sent due to space in telephone number


SMTP Transport failed to send Credentials to "user@domain.com", exception: com.sun.mail.SMTPSendFailedException: 504 Need Fully Qualified Address

The from address in the email transport needs to be a full valid email address.


LOG_HTTP_TRANSPORT_ERROR, Unable to tunnel through proxy. Proxy returns "HTTP/1.1 502 Proxy Error ( The ISA Server denies the specified Uniform Resource Locator (URL). )"

The SMS gateway may use HTTP or HTTPS to send security strings and requires an outbound connection from the Swivel server. The proxy information for the transport has not been configured correctly. Check the port, username and password. If all the details are correct, and exception may need to be entered on the Proxy server to allow access from the Swivel server to the SMS gateway.


SMTP Transport failed to send Credentials to "username@domain.com", exception: com.sun.mail.smtp.SMTPSendFailedException: 530 5.7.0 Must issue a STARTTLS command first.

TLS or STARTTLS is currently not supported for the email server configuration


SMTP Transport failed to send Security Strings to "user@emailaddress.com", exception: javax.mail.AuthenticationFailedException

Incorrect Username or Password, check the settings on the Swivel Administration console under Server/SMTP


TRANSPORT_LOADED: YPF_SMTP WEXCEPTION IN TRANSPORT:id YPF_SMTPnull

A bug in Swivel 3.8 prevents the delivery of security strings by SMTP (email), it does not affect SMTP to SMS or other transport classes, it also does not affect alerts. Upgrade to a more recent version.


AQL_TRANSPORT_ERROR0 Insufficient credit or invalid number of msg/destination

Either the account does not have enough credit to send an SMS and new credits must be purchased or the phone number is incorrect and the message cannot be sent.


Failure Please check your settings or try again later. Message: Provision Failure

The following log message may be seen in the Swivel Administration Console:

User "mtura" provision failed, A valid session could not be loaded or created for the user.

This can be caused by an incorrect Mobile Provision Code, or the time allowed for provisioning a device has been exceeded. In addition, make sure that under Policy > Self-Reset, that "Allow user self-provision of mobile client" is set to 'Yes'.


SwivletException : SE007: java.io. IO exception:-5120

This error message has been seen with an incorrectly configured DNS entry in the Java Mobile Phone client


AgentXML request failed, error: No suitable authentication method for the user "qwerty" was found. The user may be missing from the user repository or a synchronisation has not yet occurred.

An authentication was attempted for a user who is not present on the Swivel user database.


AgentXML request failed, error: No suitable authentication method for the user "" was found. The user may be missing from the user repository or a synchronisation has not yet occurred.

An authentication was attempted without a username.


Mobile request from unknown user; the user needs to reprovision

A Mobile Provision Code was entered for a user who is not present on the Swivel user database.


Port currently owned by Unknown Windows Application
This error is specific to use of a GSM Modem. It implies that another application is using the serial port designated for use for the GSM Modem. Close any applications that maybe using the port, e.g. WinTerm may have been used for testing, and re-allocate the port on the Swivel GSM Modem config screen.


LOG_HTTP_TRANSPORT_ERROR, 503 Service Unavailable, Message added to message queue for user: xxxxxx, destination nnnnnnnnnn, Message send failed for user xxxx, destination nnnnnnnnnn message will be retried later, VODAFONE ERROR: 13 An internal error occurred.

GSM using Vodafone, error due to mobile network issue


LOG_GSM_FAIL, org.marre.sms.SmsException: Send failed: Unexpected response Last Response:

Message send failed for user: XYZ123, destination: <<MOBILENUMBER>>. Message will be retried later.

Message has been retried too many times, being removed from message queue, user: XYZ123, destination: <<MOBILENUMBER>>.

This is the sequence of events associated with a failure to send a SMS message. The Unexpected response message indicates a failure to communicate with the GSM modem. A common cause of this is incorrect Flow Control settings, try software Flow Control.


Loading transport class "com.swiveltechnologies.Swivel.server.transport.TransportName" failed, error: java.lang.ClassNotFoundException: com.swiveltechnologies.Swivel.server.transport.TransportName

The java class cannot be found. Possible causes of this error are:

Misspelling of the class name on the transport->general screen

Class file not being in the correct location on the appliance

Class file not having the correct ownership or file permissions

Tomcat has not been restarted


SMTP Transport failed to send Credentials to "user@domain.com", exception: javax.mail.MessagingException: Exception reading response; nested exception is: java.net.SocketTimeoutException: Read timed out

The Swivel server has timed out in the connection to the SMTP gateway. If this occurs all the time then check the ports and network connectivity. If it occurs intermittently, try increasing the SMTP timeout value on the Swivel administration console, under Server -> SMTP->Timeout (secs):


LOG_ERROR_PLACING_MESSAGE_ON_PRIMARY_TRANSPORT_QUEUE, Retry Count: 0, Username: mtura, Destination: test@swivel.co.uk SiteId: xxxx, Username: xxxx, Provision Code: xxxx, javax.jms.IllegalStateException: The Session is closed

ActiveMQ is the cause of this error, which in essence is the messaging queue. The resolution would be to remove the active-mq folder under /home/swivel/.swivel and then recreate the folder and set the owner and group to 'swivel' and permissions back to 0775. As a final step, you must restart Tomcat.


Database Errors

Exception occurred during database access, exception: com.mysql.jdbc.exceptions.MySQLIntegrityConstraintViolationException: Duplicate entry 'username' for key 2

Failed to create Pinsafe data for user: username. User already exists?

Exception occurred during database access, exception: com.mysql.jdbc.exceptions.MySQLIntegrityConstraintViolationException: Duplicate entry 'username' for key 3

The username already exists in the Swivel database and a new account cannot be created with the same username. Either ensure usernames are unique or use FQDN.


Exception occurred during database access, exception: com.swiveltechnologies.Swivel.server.user.database.DatabaseException: java.lang.ClassNotFoundException: com.microsoft.sqlserver.jdbc.SQLServerDriver

The java database driver cannot be found. Ensure that it has been uploaded to the correct location and has the correct file ownership and permissions.


Exception occurred during database access, exception: com.swiveltechnologies.pinsafe.server.user.database.DatabaseException: java.lang.ClassNotFoundException: oracle.jdbc.OracleDriver

The Oracle database driver has not been found, ensure that it has been downloaded from the Oracle website, and uploaded to the Swivel instance and that it is in the correct location and correct permissions.


Exception occurred checking agent: java.sql.SQLException: ORA-01400: cannot insert NULL into ("USPinsafe"."PinsafeM"."B")

This has been seen when using Oracle 10g as a database, and is because Oracle does not differntiate between a NULL (i.e. missing) string value and a string of length zero. The following command allows null string values to be used: ALTER TABLE PinsafeM MODIFY B VARCHAR(15) NULL;


JRUN:Exception occurred checking agent: SQL Exception: An SQL data change is not permitted for a read-only connection, user or database.

This has been seen on the internal Swivel Database where the permissions have been incorrectly set. see Permissions and Ownership


ERROR 1218 (08S01) at line 1: Error connecting to master: Lost connection to MySQL: Lost connection to MySQL server during query

This can be seen on running the database sync commands. Verify that a network connection exists and that the IP addresses are connect. Verify that the /etc/my.cnf file has the IP address of the Primary Master.


[ERROR] Slave I/O thread: error connecting to master 'replication@192.168.0.36:3306': Error: 'Can't connect to MySQL server on '192.168.0.36' (4)' errno: 2003 retry-time: 60 retries: 86400 101020 14:36:27 InnoDB: Started; log sequence number 0 2972511 101020

[Note] Recovering after a crash using /var/lib/mysql/bin 101020 14:36:27 [Note] Starting crash recovery...

[Note] Crash recovery finished.

These errors can be seen on a slave with the incorrect Primary Master IP address in the /etc/my.cnf. This should be configured through the CMI


Pinsafe data migration failed! com.swiveltechnologies.Swivel.server.user.database.DatabaseException: com.mysql.jdbc.exceptions.MySQLSyntaxErrorException: Incorrect database name 'pinsafe_rep '

Wrong database name has been specified. In this case the database should have been pinsafe


Exception occurred during database access, exception: SQL Exception: A lock could not be obtained within the time requested

The database could not be accessed. This can occur on Swivel versions earlier than 3.9 if the timezone is changed. Set Timezone back to its original setting and restart the database i.e. for internal restart Swivel or MySQL for appliances.


can't serialize access for this transaction

This is an error seen with Oracle databases and means that the data has changed since the transaction started. This has been seen where two Swivel appliances are synchronising data at the same time. Ensure that either only one Swivel server is synchronising data, or that they do so at different times.


Exception occurred checking agent: com.microsoft.sqlserver.jdbc.SQLServerException: Transaction (Process ID 70) was deadlocked on lock resources with another process and has been chosen as the deadlock victim. Rerun the transaction.

Connection to the Swivel Database (here a MS SQL Db), has been lost and the process thread has been locked.


Pinsafe data error please restart the pinsafe server "Pinsafe_Server". If the issue continues please contact support.

A process has become locked, and requires Swivel to restart


Exception occurred during database access, exception: com.swiveltechnologies.Swivel.user.database.DatabaseException: com.microsoft.sqlserver.jdbc.SQLServerException: The TCP/IP connection to the host has failed. java.net.ConnectException: Connection refused: connect

The connection to the Database has been refused


Exception occurred during database access, exception: com.microsoft.sqlserver.jdbc.SQLServerException: The TCP/IP connection to the host has failed. java.net.BindException: Address already in use: connect

Connection to the database has failed due to a current connection with the database


admin:Exception occurred during database access, exception: com.swiveltechnologies.Swivel.server.user.database.DatabaseException: java.lang.ClassNotFoundException: com.microsoft.sqlserver:jdbc.SQLServerDriver

ERROR 127.0.0.1 admin:Failed trying to load JDBC driver class

The Java class path for the driver is incorrect and cannot be loaded (in this instance a : has been used instead of a .)


Exception occurred during database access, exception: com.swiveltechnologies.Swivel.user.database.DatabaseException: com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'TYPE = INNODB DEFAULT CHARSET = utf8 COLLATE = utf8_bin' at line 1

There is an issue with Swivel and MySQl 5.5, contact Swivel Support for a fix.


admin:Exception occurred during database access, exception: com.swiveltechnologies.Swivel.server.user.database.DatabaseException: java.sql.SQLRecoverableException: I/O-Error: The Network Adapter could not establish the connection

ERROR x.x.x.x admin:Unable to open the database: java.sql.SQLRecoverableException: I/O-Error: The Network Adapter could not establish the connection

The connection to the firewall cannot be established. Check firewall rules are not blocking the connection.


ERROR x.x.x. admin:Exception occurred during database access, exception: com.swiveltechnologies.Swivel.server.user.database.DatabaseException: java.sql.SQLRecoverableException: I/O-Error: Invalid connection string format, a valid format is: "//host[:port][/service_name]"

ERROR x.x.x.x admin:Unable to open the database: java.sql.SQLRecoverableException: I/O-Error: Invalid connection string format, a valid format is: "//host[:port][/service_name]"

The database connection URL is incorrect, check the settings.


ERROR x.x.x.x admin:Exception occurred during database access, exception: com.swiveltechnologies.Swivel.server.user.database.DatabaseException: java.sql.SQLRecoverableException: I/O-Error: Unknown host specified

ERROR x.x.x.x admin:Unable to open the database: java.sql.SQLRecoverableException: I/O-Error: Unknown host specified

Incorrect hostname specified for Db server


ERROR x.x.x.x admin:Exception occurred during database access, exception: com.swiveltechnologies.Swivel.server.user.database.DatabaseException: java.sql.SQLRecoverableException: I/O-Error: Invalid number format for port number

ERROR x.x.x.x admin:Unable to open the database: java.sql.SQLRecoverableException: I/O-Fehler: Invalid number format for port number

The port number is not specified correctly, check for non numeric characters and that it has been specified.


ERROR x.x.x.x admin:Exception occurred during database access, exception: com.swiveltechnologies.Swivel.server.user.database.DatabaseException: java.lang.ClassNotFoundException: oracle.jdbc.driver.oracledriver

ERROR x.x.x.x admin:Failed trying to load JDBC driver class

The driver has failed to load, in this instance oracle.jdbc.driver.oracledriver has been specified instead of oracle.jdbc.driver.OracleDriver


java.sql.SQLException: Invalid value for getInt() – ‘SingleChannel’ in column2

This can be seen in Swivel 3.6.3369 and is due to groups not being selectable in the Administration Console User Administration. To resolve this issue upgrade to a later version of Swivel.


Exception occurred during database access, exception: com.swiveltechnologies.pinsafe.server.user.database.DatabaseException: Error opening the internal database

The permissions and/or ownership are not correctly set on the repository, see Permissions and Ownership


rm: cannot remove '/var/lock/subsys/mysqld': Read-only file system

This occurs when the partition has been mounted as read only. This has been seen on an appliance when the SCSI controller had a problem.


:Exception occurred checking agent: com.mysql.jdbc.MysqlDataTruncation: Data truncation: Data too long for column 'B' at row 1.

This is caused by the NAS entry being too long for the audit table. It will not affect authentications, but does display an error message in the logs. This affects Swivel instances up to version 3.9.5.


Failed to create version table

ERROR X0Y32: Table/View 'VERSION' already exists in Schema 'APP'.

Failed to create devices table

ERROR X0Y32: Table/View 'DEVICES' already exists in Schema 'APP'.

Failed to create registration keys table

ERROR X0Y32: Table/View 'REGISTRATIONKEYS' already exists in Schema 'APP'.

Failed to create sub-devices table

ERROR X0Y32: Table/View 'SUBDEVICES' already exists in Schema 'APP'.

Failed to create attributes table

ERROR X0Y32: Table/View 'ATTRIBUTES' already exists in Schema 'APP'.

Failed to create users table

ERROR X0Y32: Table/View 'USERS' already exists in Schema 'APP'.

These errors may be seen on a Swivel upgrade. They are for information only.


Apache Tomcat Errors

ERROR - Saving the XML config file "/usr/local/tomcat/webapps/pinsafe/WEB-INF/conf/config.xml" failed, error: java.io.IOException: No space left on device.

java.io.IOException: No space left on device at java.io.FileOutputStream.writeBytes(Native Method)

The device has run out of disk space. Free up disk space to allow Tomcat to start.


SEVERE: Servlet /pinsafe threw load() exception java.lang.OutOfMemoryError: Java heap space

This error can be seen when there is insufficient memory to run Swivel, particularly where there are several Swivel instances running on the Swivel server. To increase the memory available on a Microsoft Windows system,double click on the Apache Tomcat Taskbar Monitor to bring up the properties and select the Java Tab. Set the Initial Memory Pool and Maximum memory pool to suitable sizes.


SEVERE: Error starting endpoint java.io.FileNotFoundException: /home/swivel/.keystore (Permission denied)

SEVERE: Catalina.start: LifecycleException: service.getName(): "Catalina"; Protocol handler start failed: java.io.FileNotFoundException: /home/swivel/.keystore (Permission denied)

This can occur if the wrong permissions are set on the .keystore file, and it may stop Tomcat from starting. Ensure the correct permissions are set on the file.


description The server encountered an internal error () that prevented it from fulfilling this request.

exception

javax.servlet.ServletException: Error instantiating servlet class com.swiveltechnologies.Swivel.ui.AdminLogin org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105) org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148) org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869) org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664) org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527) org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80) org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684) java.lang.Thread.run(Unknown Source)

root cause

java.lang.ExceptionInInitializerError sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source) sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source) java.lang.reflect.Constructor.newInstance(Unknown Source) java.lang.Class.newInstance0(Unknown Source) java.lang.Class.newInstance(Unknown Source) org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105) org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148) org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869) org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664) org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527) org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80) org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684) java.lang.Thread.run(Unknown Source)

This has been seen when the config.xml file has become corrupted and half the file is not present.

To look for errors open the config.xml file with Internet Explorer and look for any errors.


HTTP Status 500 -

--------------------------------------------------------------------------------

type Exception report

message

description The server encountered an internal error () that prevented it from fulfilling this request.

exception

java.lang.NullPointerException com.swiveltechnologies.Swivel.server.session.SessionQueue.createFakeSession(SessionQueue.java:39) com.swiveltechnologies.Swivel.server.user.LocalAuth.sessionStart(LocalAuth.java:860) com.swiveltechnologies.Swivel.server.ui.AdminLogin.doPost(AdminLogin.java:192) javax.servlet.http.HttpServlet.service(HttpServlet.java:641) javax.servlet.http.HttpServlet.service(HttpServlet.java:722) com.swiveltechnologies.Swivel.server.filter.AdminConsoleFilter.doFilter(AdminConsoleFilter.java:135)

This has been seen to be caused by an incorrect setting in the config.xml file


ERROR: XML validation of "/usr/local/tomcat/webapps/pinsafe/WEB-INF/conf/config.xml" failed, error: Element has xsi:nil attribute but is not nillable in element map@http://swiveltechnologies.com/xmlconfig, line: <value xsi:nil="true" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://swiveltechnologies.co m/xmlconfig"/>.

ERROR: XML validation of "/usr/local/tomcat/webapps/pinsafe/WEB-INF/conf/config.xml.old" failed, error: Element has xsi:nil attribute but is not nillable in element map@http://swiveltechnologies.com/xmlconfig, line: <value xsi:nil="true" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://swiveltechnologies.com/xmlconfig"/>.

The above error can be seen in the catalia.out log file. This can prevent Apache Tomcatfrom starting up. It is caused by additional Transport Attributes being created without group entries. To resolve the issue, stop Tomcat, backup the config.xml file, locate the entry which contains the line <value xsi:nil="true" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/> and remove the required Transport Attribute from <element> to <\element>

Example:

<element>
         <string name="name">
           <value>Mobile</value>
         </string>
         <map name="attribute" server="LDAP server">
           <value>Mobile</value>
         </map>
         <map name="attribute" server="local_primary">
           <value xsi:nil="true" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
         </map>
       </element>

See Also: Transport Attribute nil attribute but is not nillable


org.apache.catalina.loader.WebappClassLoader validateJarFile INFO: validateJarFile(C:\Program Files\Apache Software Foundation\Tomcat 7.0\webapps\pinsafe\WEB-INF\lib\javax.servlet-5.1.12.jar) - jar not loaded. See Servlet Spec 2.3, section 9.7.2. Offending class: javax/servlet/Servlet.class

This can be seen in Swivel 3.8.4256 but should not cause any issues and should not be the cause of Tomcat failing to start.


org.apache.catalina.startup.Catalina load WARNING: Can't load server.xml from /usr/local/apache-tomcat-5.5.20/conf/server.xml

This has been seen after an appliance reset to factory defaults where the file permissions on the appliance were incorrect. Check the ownership of the file /usr/local/apache-tomcat-5.5.20/conf/server.xml


SEVERE: Invalid URI encoding; using HTTP default

This error has been seen after installing a new certificate on the Swivel appliance and appears to cause Tomcat to intermittently stop. Edit the file /usr/local/tomcat/conf/server.xml and replace all instances of

 Connector URIEncoding="ISO-8850-1" 

with

 Connector URIEncoding="UTF-8"


19-Dec-2014 13:01:34 org.apache.catalina.startup.Catalina load

WARNING: Catalina.start using conf/server.xml:

org.xml.sax.SAXParseException: Element type "Connector" must be followed by either attribute specifications, ">" or "/>".

This error has been seen in the /var/log/catalina.out file when Tomcat refuses to start. It is caused by errors in the conf/server.xml. In this instance it was two erroneous cipher blocks:

 128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"

Removing the lines, allowed Tomcat to start.


Appliance Errors

EXT3-fs warning: maximal mount reached, running e2fsck is recommended

This can be displayed on the appliance Command Line and indicates that a period of time has elapsed since a file check was carried out on the system Such checks are not mandatory, and are carried out at boot time of required.