Error: Client IP 'x' and Session IP 'y' do not match in Web Agent

Article ID: 246056

Products

SITEMINDER

Issue/Introduction

When the Web Agent is integrated with the API Gateway, the login happens on the API Gateway. When the browser then asks the API Gateway to log off, the request is routed to the Web Agent, but the Web Agent cannot handle it: it reports that the caller's IP differs from the IP of the requester that logged in first:

  [06/29/2022][16:55:48][7449][1674766464][CSmHttpPlugin.cpp:767][CSmHttpPlugin::ProcessResource]
  [0000000000000000000000006813a60a-1d19-62bc67f4-63d2e880-6476726f27bf][10.0.0.1][][myACO]
  [/siteminderagent/forms/logoff.fcc][]
  [Autoauthorizing URL : 'http://myHost.myDomain.com/siteminderagent/forms/logoff.fcc' , Method: 'GET' ]

  [06/29/2022][16:55:48][7449][1674766464][CSmHttpPlugin.cpp:6628][CSmHttpPlugin::ProcessSessionCookie]
  [0000000000000000000000006813a60a-1d19-62bc67f4-63d2e880-6476726f27bf][10.0.0.1][][myACO]
  [/siteminderagent/forms/logoff.fcc][][SMSESSION cookie - Client IP '10.0.0.1' and Session IP '10.0.0.2' do not match.]

Setting both "TransientIPCheck" and "PersistentIPCheck" to yes (1) did not resolve the error.

The API Gateway Agent ACO is configured as follows:

  ACO for the API Gateway:

  CookiePath            --> COMMENTED OUT (default: no)
  CookiePathScope       --> COMMENTED OUT (default: /root)
  CookieDomain          --> .myDomain.com
  CookieDomainScope     --> 2
  CookieValidationPeriod --> COMMENTED OUT (default: no)
  PersistentCookies     --> yes
  SSOZoneName           --> SM
  UseSecureCookies      --> no
  UseHttpOnlyCookies    --> COMMENTED OUT (default: " ")


Cause

At first glance, this issue occurs because of the IP checks implemented at the Web Agent level: the requester IP seen when accessing the API Gateway is not the same as the one seen when the request then reaches the Web Agent (2).

By default, the Web Agent ACO is set as follows, which means the Web Agent performs no IP check:

  [3839/696628992][Thu Jun 30 2022 08:48:20] persistentcookies='no'.
  [3839/696628992][Thu Jun 30 2022 08:48:20] persistentipcheck='yes'.
  [3839/696628992][Thu Jun 30 2022 08:48:20] transientipcheck='no'.


Resolution

Configure both ACOs with PersistentCookies enabled, so that the Web Agent ACO reads like this:

  [3839/696628992][Thu Jun 30 2022 08:48:20] persistentcookies='yes'.
  [3839/696628992][Thu Jun 30 2022 08:48:20] persistentipcheck='yes'.
  [3839/696628992][Thu Jun 30 2022 08:48:20] transientipcheck='no'.

Then log in to the API Gateway, browse the Web Agent resources, and the logoff works without the error message:

   SMSESSION cookie - Client IP 'yy.yy.yy.yy' and Session IP 'xx.xx.xx.xx' do not match

Usually, persistentipcheck is set so that only the same browser can reuse the cookie, preventing another machine from using it.

If there is a load balancer in front of the Web Agent, configure the customipheader ACO parameter so the agent takes the client's IP address from a header instead of using the load balancer's IP (3)(4).

With both IP checks set to no, SiteMinder does not compare the requester's IP with the one written in the SessionSpec of the SMSESSION cookie (5)(6).
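A simplified model of the rules described above and in references (2), (5) and (6), added here as an illustration and not the Web Agent's own code: which check applies to which cookie kind, where the client IP comes from when CustomIPHeader is set, and what happens when every check is off. The header name X-Forwarded-For and the addresses are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Aco:
    """Subset of ACO parameters that drive the session-IP check."""
    persistent_cookies: bool = False   # PersistentCookies
    persistent_ip_check: bool = False  # PersistentIPCheck
    transient_ip_check: bool = False   # TransientIPCheck
    custom_ip_header: Optional[str] = None  # CustomIPHeader (constructed: "X-Forwarded-For")


@dataclass
class SmSession:
    """The two SessionSpec facts that matter here: the IP recorded at login, cookie kind."""
    session_ip: str
    persistent: bool


def issue_cookie(aco: Aco, login_ip: str) -> SmSession:
    """Login: the issuing agent records the requester IP; the cookie kind follows PersistentCookies."""
    return SmSession(session_ip=login_ip, persistent=aco.persistent_cookies)


def client_ip(aco: Aco, peer_ip: str, headers: Dict[str, str]) -> str:
    """IP the agent attributes to the request: the CustomIPHeader value when configured and
    present (first address of a comma-separated chain), otherwise the TCP peer (the load balancer)."""
    if aco.custom_ip_header:
        value = headers.get(aco.custom_ip_header)
        if value:
            return value.split(",")[0].strip()
    return peer_ip


def applicable_check(aco: Aco, cookie: SmSession) -> bool:
    """PersistentIPCheck governs persistent cookies, TransientIPCheck transient ones (ref 2)."""
    return aco.persistent_ip_check if cookie.persistent else aco.transient_ip_check


def process_session_cookie(aco: Aco, cookie: SmSession, peer_ip: str,
                           headers: Optional[Dict[str, str]] = None) -> Optional[str]:
    """Return None when the cookie is accepted, otherwise the agent's mismatch message."""
    if not applicable_check(aco, cookie):
        return None  # no comparison with the SessionSpec IP at all (refs 5, 6)
    ip = client_ip(aco, peer_ip, headers or {})
    if ip != cookie.session_ip:
        return f"SMSESSION cookie - Client IP '{ip}' and Session IP '{cookie.session_ip}' do not match."
    return None
```

Calling `process_session_cookie` with a cookie issued by an ACO that has PersistentCookies=yes, a Web Agent ACO with PersistentIPCheck=yes, and a peer IP of 10.0.0.1 against a session IP of 10.0.0.2 reproduces the message from the Issue section; adding a CustomIPHeader carrying the original client address makes the same request pass.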

Additional Information

(1) Client IP and SMSESSION IP do not match after WAOP upgrade

(2) Compare IP Addresses to Prevent Security Breaches

      If you enabled PersistentCookies, set PersistentIPCheck to yes.
      If you did not enable PersistentCookies, set TransientIPCheck to yes.

(3) How the WebAgent ACO parameter CustomIPHeader works

(4) Client IP in smaccess logs

(5) Error: Invalid session ip in Policy Server

(6) What information is stored in the SMSESSION Cookie