Error Message Reference
=======================

Introduction
------------

Swivel Secure appliances and software write information and error messages to log files or to a Syslog. These can be viewed within the Swivel Admin Console under **Log Viewer**. The logs are typically stored in:

`/home/swivel/.swivel/logs`

This page provides information about these messages, their likely root causes, and how to fix them.

General Errors
--------------

Pinsafe is currently not able to run correctly. Please check your server.
* **Context:** Seen when trying to log in to the Swivel administration console.
* **Solution:** Check the system logs for more detailed errors.

Corrupt Log File Stack Trace on Log Viewer screen
* **Cause:** This is caused by invalid characters in the log file.
* **Solution:** To identify the root cause, retrieve the log files directly from the server for analysis. A temporary fix is to set the log file size to be very small (e.g., 10k) and generate log entries to force a file rollover. The new log file should render properly. Remember to reset the log file size afterward.

: Failed to start a single channel session: AGENT_ERROR_USER_LOCKED.
* **Cause:** A user requested a TURing image or SMS, but their Swivel account is locked.
* **Solution:** Unlock the user's account in the Swivel Admin Console.

Session start failed for user: , error: Single channel image request by username is disabled.
* **Cause:** A session was requested using only a username, but this feature is disabled.
* **Solution:** In the Swivel Admin Console, enable **Allow Session Start by Username** or **Allow Image Request by Username**.

Session start failed for user: , error: No Data for user was found.
* **Cause:** The requested user does not exist in the Swivel database.
* **Solution:** If the user exists in your repository (e.g., Active Directory), run a user synchronization to import them into Swivel.

: Failed to start a single channel session: AGENT_ERROR_USER_NOT_IN_GROUP.
* **Cause:** The user is trying to authenticate against an Agent (e.g., a specific VPN) but is not a member of the group authorized to use that Agent.
* **Solution:** Add the user to the correct group in your repository. For Swivel 3.x versions, you may need to run a repository synchronization after making the change.

Pinsafe license contains an error.
* **Cause:** The license key is invalid or has been entered incorrectly.
* **Solution:** Re-enter the license key, ensuring it is correct.

ERROR - The number of users in the Pinsafe users group has exceeded the license
* **Cause:** The number of active users in Swivel exceeds your licensed limit.
* **Solution:** You may need to purchase a larger license. You can also purge users who are marked as "Deleted". Note that even after installing a new, larger license, this message may persist until the Tomcat service is restarted.

ChangePIN failed for user: , Error: The PIN is not complex enough.
* **Cause:** The user's new PIN does not meet the complexity rules defined in the Admin Console.
* **Solution:** The user must choose a more complex PIN. Check your PIN policies to see the current rules.

CHANGE_PIN_PIN_ERROR:
* **Cause:** When changing a PIN, the original OTC (One-Time Code) entered was incorrect.
* **Solution:** The user must enter their *current* valid OTC before they can set a new PIN.

Change PIN failed for user: , error: CHANGE_PIN_PASSWORD_ERROR
* **Cause:** The "Require password for PIN change" policy is enabled, and the password was incorrect or not provided.
* **Solution:** Check the **Policy -> PIN and OTC** settings in the Admin Console to see if a password is required.

Login failed for user: , error: The user does not have a PIN set.
* **Cause:** The user account has no PIN associated with it. This can sometimes be related to database lock issues or time zone changes.
* **Solution:** If this is unexpected, stop Tomcat and check for and delete any `.lck` files from the Swivel database directory (e.g., `.../pinsafe/WEB-INF/db/pinsafe`). Then restart Tomcat.

LOG_PINSAFE_CREDENTIALS_EXCEPTION, java.lang.NumberFormatException: For input string: ""
* **Cause:** Swivel was unable to read a user's PIN. This can be caused by a recent time zone change (which affects decryption) or if a user was created without a PIN.
* **Solution:** Check if the appliance time zone was recently changed. If so, revert it and restart. Ensure the user has a PIN set.

Loading transport class "com.swiveltechnologies.Swivel.server.transport.SmtpTransport" failed
* **Cause:** Incompatible Java class versions are being used.
* **Solution:** Verify any custom Java classes that have been imported to the Swivel server.

Repository "Active Directory", cannot be added to the database: possibly already exists.
* **Cause:** The repository name you are trying to add already exists.
* **Solution:** Choose a unique name for the new repository.

bash: keytool: command not found
* **Cause:** The `keytool` utility (part of Java) is not in the system's path.
* **Solution:** Find the `keytool` binary (e.g., `/usr/java/jre1.6.0_18/bin/keytool`) and ensure it is in the system's executable path.

losing too many ticks!
* **Cause:** Server clock instability, often seen on virtual machines.
* **Solution:** Set the Swivel appliance to use a reliable Network Time Protocol (NTP) server.

[CDATA[SYNC_ERROR, javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure...]]
* **Cause:** An issue with SSL protocol negotiation.
* **Solution:** Edit the file `/usr/local/tomcat/conf/server.xml` and change both instances of `sslProtocols=` or `sslProtocol=` to be `sslEnabledProtocols=`.

Loading the XML repository file ".../repository.xml" failed, error: ... Entity is not well-formed
* **Cause:** The `repository.xml` file has become corrupted.
This was a known issue in older versions when searching XML repositories.
* **Solution:** This issue is resolved by upgrading to Swivel version 3.10.4 or newer.

Authentication Errors
---------------------

Login failed for user:
* **Cause:** The user failed to log in. This is a generic message.
* **Solution:** See "User login fails" documentation for a detailed troubleshooting guide.

An error occurred, please check your credentials. If the error persists contact your Pinsafe Administrator.
* **Cause:** A generic error shown to the user.
* **Solution:** Check the Swivel logs for a more specific error message.

The user does not have any security strings suitable for authentication
* **Cause:** A user tried to authenticate (e.g., enter a PIN and OTC) but they do not have a valid, unexpired security string (like a TURing image or SMS).
* **Solution:** The user must request a new security string *before* attempting to authenticate.

admin:Credentials invalid for user "graham"
* **Cause:** The incorrect OTC was entered. On older versions (pre-3.9), this could also be caused by a server time zone change, which breaks PIN decryption.
* **Solution:** Ensure the correct OTC is being used. If the time zone was changed, revert it and restart the database/Tomcat.

RADIUS Authentication Errors
----------------------------

... Access-Request by Failed: AccessRejectException:
* **Cause:** This is a generic RADIUS rejection. If no other `AGENT_ERROR` follows, it typically means the user entered the wrong credentials (e.g., wrong PIN or wrong OTC).
* **Solution:**
    * Have the user re-verify their credentials.
    * Ensure the user is not trying to re-use an old OTC.
    * Try resetting the Swivel password for the user (in User Administration) to a blank value.

... AccessRejectException: AGENT_ERROR_NO_USER_DATA
* **Cause:** The user attempting RADIUS authentication does not exist in the Swivel database.
* **Solution:** Ensure the user exists in Swivel.
If you use a domain prefix (e.g., `DOMAIN\user`), this format is not supported. Instead, configure the Swivel repository to use `userPrincipalName` (UPN) as the username attribute and have users log in with `username@domain`.

... AccessRejectException: AGENT_ERROR_BAD_OTC
* **Cause:** Swivel could not extract the one-time code from the RADIUS request. This is almost always a mismatch in the RADIUS shared secret.
* **Solution:** Verify that the RADIUS shared secret on Swivel *exactly* matches the shared secret configured on the NAS (e.g., your VPN appliance).

... AccessRejectException: AGENT_ERROR_NO_SECURITY_STRINGS
* **Cause:** The user tried to authenticate via RADIUS but has no valid security string.
* **Solution:** The user must request a security string (e.g., by visiting the TURing image page or requesting an SMS) *before* initiating the RADIUS authentication.

... AccessRejectException: AGENT_ERROR_NO_PIN
* **Cause:** The user does not have a PIN set in Swivel, or Swivel cannot read the PIN (e.g., after a time zone change).
* **Solution:** Ensure the user has a PIN. If a time zone change occurred, revert it and restart.

LDAP (Active Directory) Errors
------------------------------

... [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece]
* **Cause:** An authentication error occurred when Swivel tried to bind to LDAP. The `data` code provides the reason. Common codes are:
    * **525:** User not found
    * **52e:** Invalid credentials (wrong password)
    * **532:** Password expired
    * **533:** Account disabled
    * **775:** User account locked
* **Solution:** Check the service account used for LDAP synchronization. Verify its username, password, and account status in Active Directory.

... Exception occured during repository group member query... No route to host
* **Cause:** A network routing or firewall issue.
* **Solution:** Ensure the Swivel appliance can reach the LDAP server on the correct port (e.g., 389 for LDAP, 636 for LDAPS). Use `ping` and `telnet` to test connectivity.

... The server requires binds to turn on integrity checking if SSL\TLS are not already active
* **Cause:** Your Active Directory server is configured to require secure LDAP (LDAPS).
* **Solution:** Re-configure your Swivel repository to use LDAP over SSL (LDAPS) and use the correct port (usually 636).

... The object "..." is not a valid group.
* **Cause:** The object defined in your repository settings (e.g., `swivel-users`) is not a group.
* **Solution:** Ensure the object is a standard security group (e.g., `objectClass=group`). Swivel cannot read primary groups or Active Directory "Containers."

... The user ... has no value for username attribute .
* **Cause:** A user in your sync group is missing the AD attribute that Swivel is configured to use as the username (e.g., `sAMAccountName` or `mail`).
* **Solution:** Populate the missing attribute for the user in Active Directory or change the attribute Swivel uses for the username.

Transport Related Errors
------------------------

The user does not have an associated alert transport
* **Cause:** Swivel tried to send an alert (like a lockout notification) but no transport (e.g., email) is configured for the user.
* **Solution:** In the user's settings, define an alert transport.

No Transport Attribute found for User
* **Cause:** Swivel tried to send a security string (e.g., an SMS) but does not know *where* to send it (e.g., the mobile number is missing).
* **Solution:** Check that the Transport attribute in the repository settings is correct (e.g., `telephoneNumber` or `mobile`). Ensure the user has a value for this attribute in your repository (e.g., Active Directory).

Dual channel message request failed, error: On-demand dual channel delivery is disabled.
* **Cause:** A user requested an on-demand string (e.g., "Send SMS") but this feature is disabled.
* **Solution:** In the Admin Console, go to **Server -> Dual Channel** and set **On-demand delivery** to **Yes**.

LOG_MESSAGE_REQUEST_DISALLOWED
* **Cause:** A user requested a dual-channel security string but is not authorized to do so.
* **Solution:** Check the user's permissions and group memberships to ensure they are allowed to use dual-channel authentication.

LOG_MESSAGE_REQUEST_FAILED_FOR_UNKNOWN_USER
* **Cause:** A security string was requested for a username that does not exist in the Swivel database.
* **Solution:** Check for typos in the username.

Database Errors
---------------

... com.mysql.jdbc.exceptions.MySQLIntegrityConstraintViolationException ...
* **Cause:** A database integrity error, often seen during data imports or migrations between versions.
* **Solution:** This can sometimes be resolved by setting the **Allow user to change repository** option and restarting Tomcat.

... Exception occurred during database access, exception: SQL Exception: A lock could not be obtained within the time requested
* **Cause:** The database is locked. This can occur on older versions (pre-3.9) if the server time zone is changed.
* **Solution:** Revert any time zone changes and restart the database service (or restart Swivel/Tomcat).

... Transaction (Process ID 70) was deadlocked on lock resources with another process
* **Cause:** A database deadlock in Microsoft SQL Server. The connection to the database may have been lost.
* **Solution:** The transaction was automatically killed. Re-run the transaction. Check network stability between Swivel and the SQL server.

... The TCP/IP connection to the host has failed. java.net.ConnectException: Connection refused
* **Cause:** Swivel cannot connect to the external database server (e.g., MS SQL).
* **Solution:** Verify network connectivity.
Check that the database server is running, and that firewalls are allowing traffic on the correct SQL port.
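
The LDAP bind `data` sub-codes and the `AGENT_ERROR_*` tokens described above can be pulled out of retrieved log files and counted, so a recurring failure such as a shared-secret mismatch or a locked sync account stands out. This is an added example, not part of the original page or Swivel's own tooling; the sample lines, their prefixes and the usernames are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# LDAP bind sub-codes, exactly as listed in the LDAP section of this page.
LDAP_DATA = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "532": "password expired",
    "533": "account disabled",
    "775": "user account locked",
}
# AGENT_ERROR tokens from this page, each with the first check it recommends.
AGENT_HINT = {
    "AGENT_ERROR_USER_LOCKED": "unlock the account in the Admin Console",
    "AGENT_ERROR_USER_NOT_IN_GROUP": "add the user to the Agent's authorized group",
    "AGENT_ERROR_NO_USER_DATA": "user is missing from the Swivel database",
    "AGENT_ERROR_BAD_OTC": "compare the RADIUS shared secret on Swivel and the NAS",
    "AGENT_ERROR_NO_SECURITY_STRINGS": "user must request a security string first",
    "AGENT_ERROR_NO_PIN": "set a PIN, or revert a recent time zone change",
}
LDAP_RE = re.compile(r"LDAP: error code 49\b.*?AcceptSecurityContext error, data ([0-9A-Fa-f]+)")
AGENT_RE = re.compile(r"AGENT_ERROR_[A-Z]+(?:_[A-Z]+)*")
UNLISTED = "not listed on this page"

def classify(line):
    """Return (kind, code, hint) for one log line, or None if nothing matches."""
    m = LDAP_RE.search(line)
    if m:
        code = m.group(1).lower()  # sub-code is hexadecimal; normalise case
        return ("ldap_bind", code, LDAP_DATA.get(code, UNLISTED))
    m = AGENT_RE.search(line)
    if m:
        return ("agent", m.group(0), AGENT_HINT.get(m.group(0), UNLISTED))
    return None

def summarize(lines):
    """Count (kind, code) pairs so a recurring failure stands out."""
    return Counter(hit[:2] for hit in map(classify, lines) if hit)

# Constructed sample lines; the prefixes and usernames are assumptions.
LDAP = "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data %s, vece]"
SAMPLE = [
    "Sync failed: " + LDAP % "52e",
    "Sync failed: " + LDAP % "52E",
    "Sync failed: " + LDAP % "701",
    "Access-Request by alice Failed: AccessRejectException: AGENT_ERROR_BAD_OTC",
    "Access-Request by bob Failed: AccessRejectException: AGENT_ERROR_BAD_OTC",
    "Login failed for user: carol",
]

if __name__ == "__main__":
    for (kind, code), n in summarize(SAMPLE).most_common():
        print(f"{n:3d}  {kind:9s}  {code}")
```

Sub-codes or agent errors that this page does not list are reported as such rather than guessed, and lines with no recognised token are skipped.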