Troubleshooting
The following topics describe some tools and strategies that might be useful when troubleshooting common setup problems.
Misconfigured primary and backup instances
Description
Challenges generated for push notification are not replicated between multiple OneSpan Authentication Server instances in a replicated environment. The whole process needs to be handled by the same instance.
Solutions
Verify that the primary and backup OneSpan Authentication Server instances defined in the DIGIPASS Gateway configuration are the same instances that your application server sends the push requests to.
You can list the OneSpan Authentication Server instances that are configured in the DIGIPASS Gateway via the OneSpan Authentication Server Administration Web Interface:
admintool type dpgateway server list
API keys on global level vs. domain level
Description
The API keys are used for HTTP authentication when connecting to the on-prem DIGIPASS Gateway. If you want to use push notification workflows with different domains, you need to configure the API keys in the respective domains or on a global level. If you configure them in a single domain, push notification workflows will only work for that particular domain, but will fail in other domains.
Unlicensed client components
Description
Depending on your deployment, you need to install different products that connect to OneSpan Authentication Server, including:
- DIGIPASS Gateway
- OneSpan User Websites
Each of these products requires a client component registered on the OneSpan Authentication Server instance. These client components determine which requests from which client (based on the client type and location) will be processed and also specify the policy settings that should be used when processing requests.
Most client components require a valid client license to be loaded into the client component record. If a client component has no valid license applied, requests to it will be rejected. This issue is indicated by an audit message "W‑014001 The license key is missing or invalid".
Solutions
Obtain and install the respective client licenses.
Firewall blocks incoming requests
Description
DIGIPASS Gateway communicates through several different network ports. If these are blocked by a firewall, some features will not work correctly.
Solutions
Before using DIGIPASS Gateway, or if you are experiencing issues, verify that the respective ports are not blocked by a firewall, and that they are not used by other services.
Some mobile client applications, such as the OneSpan Mobile Authenticator app, send requests back to the on-prem DIGIPASS Gateway via the OneSpan cloud services.
To be able to do so, you need to allow incoming traffic from the following DNS name:
from.push.onespan.cloud
Unknown DIGIPASS Push Notification Identifier (PNID)
Description
The DIGIPASS Push Notification Identifier (PNID) identifies the mobile device and authenticator application. It is essentially the recipient address for a push notification message. It is created when an authenticator is activated.
If the PNID is not set or received correctly during the activation, all subsequent push requests will fail. Note that if you attempt a push and login request without a valid PNID, you will receive an error message stating that the one-time password (OTP) used is incorrect.
You can verify the PNID for an authenticator (instance) using the OneSpan Authentication Server Administration Web Interface via the Push Notification Identifier field on the DIGIPASS > Activation Information tab. If this value is empty, no PNID has been set.
Possible cause
Under some circumstances the PNID registration can fail. The PNID is successfully created on the authenticator, but is not correctly registered on OneSpan Authentication Server.
Solutions
Delete the authenticator instance and perform another activation.