SiteMinder cookie internet versus internal network issue

Article ID: 374926


Products

CA Single Sign On Agents (SiteMinder)

Issue/Introduction


Two CA Access Gateway (SPS) instances are deployed in front of the same cookie domain: one protects internal (intranet) access and the other protects external (internet) access.

When a user first browses an external resource and then an internal one, access is not granted: the browser already holds an SMSESSION cookie for the domain, and an error screen is displayed asking the user to restart the browser.

When IP checking is enabled, the Policy Server compares the IP address stored in the SMSESSION cookie with the IP address of the browser making the request. The same user reaches the two gateways from different source addresses (the public address on the internet path, the private address on the internal path), so the comparison fails, access is denied and the following error is returned (1)(2):

  "Invalid session ip"
  
Two solutions seem possible:

  1. Remove the IP check (so that the SMSESSION cookie is accepted both from the internet and from inside the corporate network, at the cost of this security control);
  2. Use different names for the session cookies (so that the two Access Gateways, internet and internal, each issue and read their own cookie instead of sharing one SMSESSION cookie).

Resolution

 
SiteMinder offers configuration for both. Implementing Security Zones is the preferred option because it keeps the IP checking feature on.

  1. Disable IP checking by setting the Agent Configuration Object parameters TransientIPCheck and PersistentIPCheck to no (3);
  2. Configure a distinct Security Zone (SSOZoneName) on each CA Access Gateway (SPS) (4), so that each gateway issues and reads its own <zone>SESSION cookie (the default zone SM gives the SMSESSION cookie).
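The following model, added here as an illustration and not CA/SiteMinder code, walks through the sequence from the Issue (browse external, then internal) under the three configurations above: same zone with IP checking on (the error), IP checking off, and a distinct Security Zone per gateway. The real SMSESSION cookie is an encrypted, signed blob; here it is a plain dict that records the client IP seen at login. The zone names EXT/INT, the user and the IP addresses are constructed sample values. The handling of SSOTrustedZone (a gateway also accepting the cookie of a zone it trusts) is modelled in simplified form.

```python
"""
Model of the SMSESSION IP check across two CA Access Gateway (SPS) instances,
and of the two fixes from the Resolution: disabling the IP check, and giving
each gateway its own Security Zone.

Added illustration only, not CA/SiteMinder code. The real SMSESSION cookie is
an encrypted, signed blob; here it is a plain dict. Zone and IP values are
constructed sample data.
"""
from dataclasses import dataclass, field

CHALLENGE = "challenge"            # no usable session: authenticate the user
GRANTED = "granted"
INVALID_IP = "Invalid session ip"  # the error text quoted in the article


@dataclass
class Gateway:
    name: str
    zone: str                        # SSOZoneName; the default zone "SM" gives SMSESSION
    transient_ip_check: bool = True  # TransientIPCheck ACO parameter
    trusted_zones: list = field(default_factory=list)  # SSOTrustedZone (simplified model)

    @property
    def cookie_name(self) -> str:
        # Security Zones name the cookie <zone>SESSION, e.g. INTSESSION.
        return f"{self.zone}SESSION"

    def _find_session(self, jar: dict):
        # Own zone first, then any zone this gateway is configured to trust.
        for zone in [self.zone, *self.trusted_zones]:
            sess = jar.get(f"{zone}SESSION")
            if sess is not None:
                return sess
        return None

    def login(self, jar: dict, user: str, client_ip: str) -> None:
        # After authentication the agent writes a cookie that records the
        # client IP it observed; the IP check later compares against it.
        jar[self.cookie_name] = {"user": user, "ip": client_ip}

    def authorize(self, jar: dict, client_ip: str) -> str:
        sess = self._find_session(jar)
        if sess is None:
            return CHALLENGE
        if self.transient_ip_check and sess["ip"] != client_ip:
            return INVALID_IP
        return GRANTED

    def browse(self, jar: dict, user: str, client_ip: str) -> str:
        """One request: authenticate if needed, then return the outcome."""
        outcome = self.authorize(jar, client_ip)
        if outcome == CHALLENGE:
            self.login(jar, user, client_ip)
            outcome = self.authorize(jar, client_ip)
        return outcome


# Constructed addresses: the user's public (NAT) address as seen by the
# external gateway, and the private address as seen by the internal one.
PUBLIC_IP = "203.0.113.10"
PRIVATE_IP = "10.20.30.40"


def external_then_internal(external: Gateway, internal: Gateway) -> list:
    """The sequence from the Issue: browse an external resource, then an internal one."""
    jar = {}  # one browser cookie jar, shared because both gateways use one cookie domain
    return [external.browse(jar, "alice", PUBLIC_IP),
            internal.browse(jar, "alice", PRIVATE_IP)]


def reproduce_issue() -> list:
    # Same (default) zone on both gateways, IP check on: the internal gateway
    # reads the SMSESSION cookie minted behind the public IP and rejects it.
    return external_then_internal(Gateway("external SPS", "SM"),
                                  Gateway("internal SPS", "SM"))


def fix_disable_ip_check() -> list:
    # Resolution option 1: TransientIPCheck=no on both gateways.
    return external_then_internal(Gateway("external SPS", "SM", transient_ip_check=False),
                                  Gateway("internal SPS", "SM", transient_ip_check=False))


def fix_security_zones() -> list:
    # Resolution option 2: distinct SSOZoneName per gateway (EXTSESSION / INTSESSION),
    # IP check left on. The internal gateway never reads the external cookie and
    # simply authenticates the user in its own zone.
    return external_then_internal(Gateway("external SPS", "EXT"),
                                  Gateway("internal SPS", "INT"))


def zones_but_trusting_each_other() -> list:
    # Caveat: trusting the other zone re-exposes the cookie minted behind the
    # other IP address, so the mismatch comes back.
    return external_then_internal(Gateway("external SPS", "EXT", trusted_zones=["INT"]),
                                  Gateway("internal SPS", "INT", trusted_zones=["EXT"]))


if __name__ == "__main__":
    for fn in (reproduce_issue, fix_disable_ip_check,
               fix_security_zones, zones_but_trusting_each_other):
        print(f"{fn.__name__:30s} {fn()}")
```

Two points the model makes visible: with separate zones the user authenticates once per zone (there is no single sign-on between the internet and internal gateways unless the zones trust each other), and if the zones are made to trust each other through SSOTrustedZone, the internal gateway again reads a cookie minted behind a different address and the "Invalid session ip" error reappears. Keep the two zones untrusted to each other when the IP check is to stay on.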

Note that, out of the box, the CA Access Gateway (SPS) Agent issues the session cookie as a transient cookie: it carries no expiry date, so the browser keeps it in memory and does not write it to disk.

If the business needs require an expiry, a Post Filter in CA Access Gateway (SPS) can modify the Set-Cookie header of the SMSESSION cookie accordingly (5). A cookie with an expiry becomes persistent, so PersistentIPCheck then governs the IP check for it.
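The header rewrite such a Post Filter performs is shown below as an added example; it is not SPS filter code and does not use the SPS filter API, only the cookie-header manipulation itself. The cookie value, domain and timestamps are constructed sample data, and the function name `add_expiry` is an assumption of this example.

```python
"""
Rewrite of a Set-Cookie header to give the SMSESSION cookie an expiry, as a
CA Access Gateway (SPS) Post Filter would do. Added illustration, not SPS
filter code; the SPS filter API itself is not shown.
"""
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime


def add_expiry(set_cookie: str, lifetime: timedelta, now: datetime,
               name: str = "SMSESSION") -> str:
    """Return set_cookie with Expires and Max-Age added for the named cookie.

    Headers for other cookies are returned unchanged. Existing attributes
    (Domain, Path, Secure, HttpOnly) are kept; a pre-existing Expires or
    Max-Age is replaced rather than duplicated. `now` must be timezone-aware.
    """
    parts = [p.strip() for p in set_cookie.split(";")]
    cookie_pair = parts[0]
    # Split on the first "=" only: SMSESSION values may themselves contain "=".
    if cookie_pair.split("=", 1)[0] != name:
        return set_cookie
    attrs = [p for p in parts[1:]
             if p.split("=", 1)[0].lower() not in ("expires", "max-age")]
    # Expires uses the HTTP date format, always expressed in GMT.
    expires_at = (now + lifetime).astimezone(timezone.utc)
    attrs.append(f"Expires={format_datetime(expires_at, usegmt=True)}")
    attrs.append(f"Max-Age={int(lifetime.total_seconds())}")
    return "; ".join([cookie_pair, *attrs])


# Constructed sample header as the agent would emit it (transient: no Expires).
SAMPLE_HEADER = "SMSESSION=dGVzdC1zZXNzaW9u==; Domain=.example.com; Path=/; Secure; HttpOnly"


def demo() -> str:
    fixed_now = datetime(2026, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    return add_expiry(SAMPLE_HEADER, timedelta(minutes=30), fixed_now)


if __name__ == "__main__":
    print(demo())
```

Keep the lifetime short: a persistent SMSESSION cookie survives a browser restart and is written to disk, which is exactly the exposure the transient default avoids.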

 

Additional Information