When PAM users launch the CA PAM client on a jump server (for example a Terminal Server acting as a jump host) rather than on their own workstation, and then connect to devices through TCP/UDP services assigned in access policies, they may see the pop-up message quoted in the title, as well as the other messages described below.
For demonstration, the following service is configured as a TCP/UDP service that lets users connect to SSH target servers with the PuTTY client installed on the jump server:
This WindowsPuTTY service is assigned to multiple UNIX/Linux devices so that users can connect to them.
The service works only for the first user who logs on to the terminal server and launches the PAM client.
Subsequent users who log on to the same terminal server and launch the PAM client see a bind failure after logging on to PAM:
If they acknowledge the message and launch the WindowsPuTTY service to connect to a target server, the first user, whose PAM client session is working, gets a popup similar to the following:
This message alerts the first user that another user is trying to connect to the local IP and port that their PAM client instance is listening on.
Selecting Yes allows the other user's connection to proceed, tunnelled through the first user's PAM client instance.
Selecting No results in the following error in the other user's session:
This affects environments where different users launch the PAM client in parallel on the same host, for example when PAM users are instructed to connect to a jump server and launch the PAM client from there.
When the access page loads, the PAM client opens listener sockets for the services assigned to the logged-on user in access policies. The service configuration shown above instructs the PAM client to create a listener socket on local IP 127.1.0.10. Because only a single port was entered in the Ports field, that port is used both to connect to the target device and for the local listener socket. The first PAM client instance successfully creates the listener socket:
>netstat -abno | findstr "127.1.0.10:22" | findstr LISTEN
TCP 127.1.0.10:22 0.0.0.0:0 LISTENING 13676
13676 is the PID of the PAMClient.exe process launched by the first user.
When the second user launches the PAM client, it cannot create such a listener socket because the <IP>:<port> combination is already in use. If the second user acknowledges the bind failure and launches the service anyway, the PuTTY client connects to the listener port opened by the first PAM client instance, which triggers the "suspicious incoming connection" warning on the first user's desktop.
Reconfigure the services to use a random port for the local listener socket by means of the wildcard character '*'. This instructs the PAM client to create the listener socket on an available random (ephemeral) port while keeping the target port unchanged. For the service above this means replacing "22" in the Ports field with "22:*". Each PAM client instance on the host then gets its own listener, so the bind failure and the cross-user popup no longer occur.
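The following script is an added illustration of the cause and of the fix described above; it is not CA PAM code and does not talk to a PAM client. It opens two listener sockets the way two PAM client instances on the same host would, once with a fixed port (a Ports field of "22") and once with port 0, which is how an OS hands out an ephemeral port (a Ports field of "22:*"), then connects to the local endpoint the second user's PuTTY would dial and reports which instance actually answers. The listen address 127.0.0.1 and port 32022 are stand-ins chosen for the demo: the article's 127.1.0.10:22 needs administrator rights for port 22 and a 127.1.0.10 loopback address that not every OS provides by default.

```python
import errno
import socket

# Constructed stand-ins (not from the article): the real service listens on
# 127.1.0.10:22, but port 22 needs administrator rights and 127.1.0.10 is not
# configured on every OS, so the demo binds 127.0.0.1 on a high port.
LISTEN_IP = "127.0.0.1"
FIXED_PORT = 32022  # hypothetical; stands in for "22" in the Ports field


def open_listener(ip, port):
    """Mimic one PAM client instance creating its local listener socket.

    Returns (socket, bound_port). On an <IP>:<port> collision, which is the
    second user's bind failure, returns (None, None). port 0 asks the OS for a
    free ephemeral port, which is what the "22:*" wildcard requests.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((ip, port))
        s.listen(5)
    except OSError as e:
        s.close()
        if e.errno == errno.EADDRINUSE:
            return None, None
        raise
    return s, s.getsockname()[1]


def simulate(port):
    """Two users launch the PAM client on the same host with the same service.

    port == FIXED_PORT models a Ports field of "22"; port == 0 models "22:*".
    Returns the port each instance listens on (None = bind failure) and which
    instance answers when the second user's PuTTY dials its local endpoint.
    """
    first, p1 = open_listener(LISTEN_IP, port)
    second, p2 = open_listener(LISTEN_IP, port)
    instances = {"user1": first, "user2": second}
    client = None
    answered = None
    try:
        # With a fixed port PuTTY dials the configured port no matter who owns
        # it; with the wildcard the PAM client hands PuTTY its own ephemeral port.
        dial_port = p2 if p2 is not None else port
        client = socket.create_connection((LISTEN_IP, dial_port), timeout=2)
        # The kernel completes the handshake on whichever listener owns the
        # port, so only that instance has a connection to accept.
        for user, srv in instances.items():
            if srv is None:
                continue
            srv.settimeout(0.2)
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            conn.close()
            answered = user
            break
    finally:
        for s in (client, first, second):
            if s is not None:
                s.close()
    return {"ports": [p1, p2], "second_user_reaches": answered}


if __name__ == "__main__":
    print("Ports field '22'  :", simulate(FIXED_PORT))
    print("Ports field '22:*':", simulate(0))
```

With the fixed port the second instance reports a bind failure and the second user's connection lands on the first user's listener, which is exactly the connection that the first user is asked to allow or deny. With port 0 each instance gets a distinct ephemeral port and the second user's connection reaches their own instance.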
When such a connection is attempted, the PAM session log shows a message similar to the following:
PAM-CLNT-0024: A connection from 127.0.0.1:57852 to service '--' was attempted by an unauthorized session '0' on '<PAM client host>'
Note that such popups can also be caused by third-party software doing port scans on local IPs, typically security software looking for vulnerabilities; see KB 16880.