Error Message Reference
Introduction
Swivel Secure appliances and software write information and error messages to log files or to a Syslog. These can be viewed within the Swivel Admin Console under Log Viewer.
The logs are typically stored in: /home/swivel/.swivel/logs
This page provides information about these messages, their likely root causes, and how to fix them.
General Errors
- Pinsafe is currently not able to run correctly. Please check your server.
Context: Seen when trying to log in to the Swivel administration console.
Solution: Check the system logs for more detailed errors.
- Corrupt Log File Stack Trace on Log Viewer screen
Cause: This is caused by invalid characters in the log file.
Solution: To identify the root cause, retrieve the log files directly from the server for analysis. A temporary fix is to set the log file size to be very small (e.g., 10k) and generate log entries to force a file rollover. The new log file should render properly. Remember to reset the log file size afterward.
- <username>: Failed to start a single channel session: AGENT_ERROR_USER_LOCKED.
Cause: A user requested a TURing image or SMS, but their Swivel account is locked.
Solution: Unlock the user’s account in the Swivel Admin Console.
- Session start failed for user: <user>, error: Single channel image request by username is disabled.
Cause: A session was requested using only a username, but this feature is disabled.
Solution: In the Swivel Admin Console, enable Allow Session Start by Username or Allow Image Request by Username.
- Session start failed for user: <user>, error: No Data for user was found.
Cause: The requested user does not exist in the Swivel database.
Solution: If the user exists in your repository (e.g., Active Directory), run a user synchronization to import them into Swivel.
- <username>: Failed to start a single channel session: AGENT_ERROR_USER_NOT_IN_GROUP.
Cause: The user is trying to authenticate against an Agent (e.g., a specific VPN) but is not a member of the group authorized to use that Agent.
Solution: Add the user to the correct group in your repository. For Swivel 3.x versions, you may need to run a repository synchronization after making the change.
- Pinsafe license contains an error.
Cause: The license key is invalid or has been entered incorrectly.
Solution: Re-enter the license key, ensuring it is correct.
- ERROR - The number of users in the Pinsafe users group has exceeded the license
Cause: The number of active users in Swivel exceeds your licensed limit.
Solution: You may need to purchase a larger license. You can also purge users who are marked as “Deleted”. Note that even after installing a new, larger license, this message may persist until the Tomcat service is restarted.
- ChangePIN failed for user: <user>, Error: The PIN is not complex enough.
Cause: The user’s new PIN does not meet the complexity rules defined in the Admin Console.
Solution: The user must choose a more complex PIN. Check your PIN policies to see the current rules.
- CHANGE_PIN_PIN_ERROR:
Cause: When changing a PIN, the original OTC (One-Time Code) entered was incorrect.
Solution: The user must enter their current valid OTC before they can set a new PIN.
- Change PIN failed for user: <user>, error: CHANGE_PIN_PASSWORD_ERROR
Cause: The “Require password for PIN change” policy is enabled, and the password was incorrect or not provided.
Solution: Check the Policy -> PIN and OTC settings in the Admin Console to see if a password is required.
- Login failed for user: <user>, error: The user does not have a PIN set.
Cause: The user account has no PIN associated with it. This can sometimes be related to database lock issues or time zone changes.
Solution: If this is unexpected, stop Tomcat and check for and delete any .lck files from the Swivel database directory (e.g., …/pinsafe/WEB-INF/db/pinsafe). Then restart Tomcat.
- LOG_PINSAFE_CREDENTIALS_EXCEPTION, java.lang.NumberFormatException: For input string: “”
Cause: Swivel was unable to read a user’s PIN. This can be caused by a recent time zone change (which affects decryption) or if a user was created without a PIN.
Solution: Check if the appliance time zone was recently changed. If so, revert it and restart. Ensure the user has a PIN set.
- Loading transport class “com.swiveltechnologies.Swivel.server.transport.SmtpTransport” failed
Cause: Incompatible Java class versions are being used.
Solution: Verify any custom Java classes that have been imported to the Swivel server.
- Repository “Active Directory”, cannot be added to the database: possibly already exists.
Cause: The repository name you are trying to add already exists.
Solution: Choose a unique name for the new repository.
- bash: keytool: command not found
Cause: The keytool utility (part of Java) is not in the system’s path.
Solution: Find the keytool binary (e.g., /usr/java/jre1.6.0_18/bin/keytool) and ensure it is in the system’s executable path.
- losing too many ticks!
Cause: Server clock instability, often seen on virtual machines.
Solution: Set the Swivel appliance to use a reliable Network Time Protocol (NTP) server.
- [CDATA[SYNC_ERROR, javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure…]]
Cause: An issue with SSL protocol negotiation.
Solution: Edit the file /usr/local/tomcat/conf/server.xml and change both instances of sslProtocols= or sslProtocol= to be sslEnabledProtocols=.
- Loading the XML repository file “…/repository.xml” failed, error: … Entity is not well-formed
Cause: The repository.xml file has become corrupted. This was a known issue in older versions when searching XML repositories.
Solution: This issue is resolved by upgrading to Swivel version 3.10.4 or newer.
Authentication Errors
- Login failed for user: <user>
Cause: The user failed to log in. This is a generic message.
Solution: See “User login fails” documentation for a detailed troubleshooting guide.
- An error occurred, please check your credentials. If the error persists contact your Pinsafe Administrator.
Cause: A generic error shown to the user.
Solution: Check the Swivel logs for a more specific error message.
- The user does not have any security strings suitable for authentication
Cause: A user tried to authenticate (e.g., enter a PIN and OTC) but they do not have a valid, unexpired security string (like a TURing image or SMS).
Solution: The user must request a new security string before attempting to authenticate.
- admin:Credentials invalid for user “graham”
Cause: The incorrect OTC was entered. On older versions (pre-3.9), this could also be caused by a server time zone change, which breaks PIN decryption.
Solution: Ensure the correct OTC is being used. If the time zone was changed, revert it and restart the database/Tomcat.
RADIUS Authentication Errors
- … Access-Request by <username> Failed: AccessRejectException:
Cause: This is a generic RADIUS rejection. If no other AGENT_ERROR follows, it typically means the user entered the wrong credentials (e.g., wrong PIN or wrong OTC).
Solution:
  - Have the user re-verify their credentials.
  - Ensure the user is not trying to re-use an old OTC.
  - Try resetting the Swivel password for the user (in User Administration) to a blank value.
- … AccessRejectException: AGENT_ERROR_NO_USER_DATA
Cause: The user attempting RADIUS authentication does not exist in the Swivel database.
Solution: Ensure the user exists in Swivel. If you use a domain prefix (e.g., DOMAIN\user), this format is not supported. Instead, configure the Swivel repository to use userPrincipalName (UPN) as the username attribute and have users log in with username@domain.
- … AccessRejectException: AGENT_ERROR_BAD_OTC
Cause: Swivel could not extract the one-time code from the RADIUS request. This is almost always a mismatch in the RADIUS shared secret.
Solution: Verify that the RADIUS shared secret on Swivel exactly matches the shared secret configured on the NAS (e.g., your VPN appliance).
- … AccessRejectException: AGENT_ERROR_NO_SECURITY_STRINGS
Cause: The user tried to authenticate via RADIUS but has no valid security string.
Solution: The user must request a security string (e.g., by visiting the TURing image page or requesting an SMS) before initiating the RADIUS authentication.
- … AccessRejectException: AGENT_ERROR_NO_PIN
Cause: The user does not have a PIN set in Swivel, or Swivel cannot read the PIN (e.g., after a time zone change).
Solution: Ensure the user has a PIN. If a time zone change occurred, revert it and restart.
LDAP (Active Directory) Errors
- … [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece]
Cause: An authentication error occurred when Swivel tried to bind to LDAP. The data code provides the reason. Common codes are:
  - 525: User not found
  - 52e: Invalid credentials (wrong password)
  - 532: Password expired
  - 533: Account disabled
  - 775: User account locked
Solution: Check the service account used for LDAP synchronization. Verify its username, password, and account status in Active Directory.
- … Exception occured during repository group member query… No route to host
Cause: A network routing or firewall issue.
Solution: Ensure the Swivel appliance can reach the LDAP server on the correct port (e.g., 389 for LDAP, 636 for LDAPS). Use ping and telnet to test connectivity.
- … The server requires binds to turn on integrity checking if SSL\TLS are not already active
Cause: Your Active Directory server is configured to require secure LDAP (LDAPS).
Solution: Re-configure your Swivel repository to use LDAP over SSL (LDAPS) and use the correct port (usually 636).
- … The object “…” is not a valid group.
Cause: The object defined in your repository settings (e.g., swivel-users) is not a group.
Solution: Ensure the object is a standard security group (e.g., objectClass=group). Swivel cannot read primary groups or Active Directory “Containers.”
- … The user … has no value for username attribute <AttributeName>.
Cause: A user in your sync group is missing the AD attribute that Swivel is configured to use as the username (e.g., sAMAccountName or mail).
Solution: Populate the missing attribute for the user in Active Directory or change the attribute Swivel uses for the username.
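The following triage script is an added example, not part of the Swivel product or its documentation. It scans log lines for the LDAP error 49 data sub-codes and the AGENT_ERROR codes described on this page and counts them, so repeated bind failures or shared-secret mismatches stand out. The sample lines and usernames are constructed, and the real log line layout around each message is an assumption.

```python
import re
from collections import Counter

# LDAP error 49 "data" sub-codes, as listed on this page.
LDAP_DATA_CODES = {
    "525": "User not found",
    "52e": "Invalid credentials (wrong password)",
    "532": "Password expired",
    "533": "Account disabled",
    "775": "User account locked",
}
# Agent error codes and causes, as described on this page.
AGENT_ERRORS = {
    "AGENT_ERROR_USER_LOCKED": "Swivel account is locked",
    "AGENT_ERROR_USER_NOT_IN_GROUP": "User is not in the group authorized for the Agent",
    "AGENT_ERROR_NO_USER_DATA": "User does not exist in the Swivel database",
    "AGENT_ERROR_BAD_OTC": "OTC could not be extracted; check the RADIUS shared secret",
    "AGENT_ERROR_NO_SECURITY_STRINGS": "User has no valid security string",
    "AGENT_ERROR_NO_PIN": "User has no PIN set, or the PIN cannot be read",
}
LDAP_RE = re.compile(r"LDAP: error code 49\b.*?\bdata ([0-9a-fA-F]+)")
AGENT_RE = re.compile(r"\bAGENT_ERROR_[A-Z_]+")

def classify(line):
    """Return (kind, code, cause) for a recognised message, else None."""
    m = LDAP_RE.search(line)
    if m:
        code = m.group(1).lower()
        return ("ldap49", code, LDAP_DATA_CODES.get(code, "not listed on this page"))
    m = AGENT_RE.search(line)
    if m:
        return ("agent", m.group(0), AGENT_ERRORS.get(m.group(0), "not listed on this page"))
    return None

def summarise(lines):
    """Count recognised errors so repeats stand out."""
    return Counter(hit for hit in map(classify, lines) if hit)

# Constructed sample lines (message fragments from this page; usernames are invented).
SAMPLE = [
    "jsmith: Failed to start a single channel session: AGENT_ERROR_USER_LOCKED.",
    "Access-Request by jsmith Failed: AccessRejectException: AGENT_ERROR_BAD_OTC",
    "Access-Request by adoe Failed: AccessRejectException: AGENT_ERROR_BAD_OTC",
    "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece]",
    "Login failed for user: jsmith",
]

if __name__ == "__main__":
    for (kind, code, cause), n in summarise(SAMPLE).most_common():
        print(n, kind, code, cause)
```

To run it against a real log file, pass the file's lines to summarise() in place of SAMPLE.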
Database Errors
- … com.mysql.jdbc.exceptions.MySQLIntegrityConstraintViolationException …
Cause: A database integrity error, often seen during data imports or migrations between versions.
Solution: This can sometimes be resolved by setting the Allow user to change repository option and restarting Tomcat.
- … Exception occurred during database access, exception: SQL Exception: A lock could not be obtained within the time requested
Cause: The database is locked. This can occur on older versions (pre-3.9) if the server time zone is changed.
Solution: Revert any time zone changes and restart the database service (or restart Swivel/Tomcat).
- … Transaction (Process ID 70) was deadlocked on lock resources with another process
Cause: A database deadlock in Microsoft SQL Server. The connection to the database may have been lost.
Solution: The transaction was automatically killed. Re-run the transaction. Check network stability between Swivel and the SQL server.
- … The TCP/IP connection to the host has failed. java.net.ConnectException: Connection refused
Cause: Swivel cannot connect to the external database server (e.g., MS SQL).
Solution: Verify network connectivity. Check that the database server is running, and that firewalls are allowing traffic on the correct SQL port.