Getting error message : "Failed to start access agent" trying to loging into PAM Client

Article ID: 399694


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

There is a vendor whose users connect to a Windows target server via MS-RDP using PAM Client. The typical connection flow is as follows:

1. The user connects to GlobalProtect Remote VPN.

2. The user accesses https://<server> (the PAM Cluster VIP).

3. The PAM VIP redirects the session to one of the three PAM appliances.

4. The user installs the PAM Client (v4.2.1).

5. The user successfully connects via the PAM Client to the target server through MS-RDP.

This process works as expected for all users except one or two.

During troubleshooting it was established that the issue is linked to the VPN.

The issue was reproduced with another user and was resolved by switching the GlobalProtect Remote VPN from IPSEC mode to SSL mode.

The root cause, which appears to be linked to the use of IPSEC, needs to be identified.

Cause

Networking issue; see the details under Resolution.

Resolution

The root cause is "session level persistence is not maintained while connecting via IPSEC".

The requirement for session level persistence is defined by PAM because the authenticated session must remain on a single PAM appliance. Communication cannot be redirected to a second appliance after the session is started.

When using IPSEC, the communication path for some users starts on path 1 but, probably due to load-based calculations at the hardware level, is redirected to path 2 while trying to reach the same PAM appliance. Because path 2 is seen as a new connection by their routers, it is directed to a second PAM appliance. The PAM application cannot correct this or force their network to stop doing it. With SSL, which operates at the application level, the hardware paths matter less to the connection, so their routers can maintain the (virtual) path to the same PAM appliance based on "source persistence". To verify this, use the IPSEC method but do not connect to the LB address; connect only to the specific IP of a single PAM appliance.

The basic differences between the protocols are defined below but the reason for the lack of session persistence (even when using IPSEC) can only be defined by your network team. 
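To make the persistence check above repeatable, the following added script (not part of this article or of the PAM product) fingerprints each appliance's TLS certificate by connecting to its IP directly, then connects to the VIP several times and reports which appliance answered each time. It assumes the appliances present distinct certificates on port 443; if two appliances share a certificate the method flags them as indistinguishable rather than guessing. The appliance IPs and fingerprints in the sample run are constructed.

```python
import hashlib
import socket
import ssl
from collections import Counter


def cert_fingerprint(host, port=443, timeout=5):
    """Open one TLS connection and return the SHA-256 fingerprint of the leaf
    certificate the server presented. Verification is disabled on purpose: the
    goal is only to identify which appliance answered, not to trust it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()


def persistence_report(vip_fingerprints, appliance_fingerprints):
    """vip_fingerprints: fingerprints seen on successive connections to the VIP.
    appliance_fingerprints: {appliance_ip: fingerprint} from direct connections.
    Returns which appliance answered each VIP connection and whether every
    connection stayed on one identifiable appliance."""
    by_fp = {}
    for ip, fp in appliance_fingerprints.items():
        by_fp.setdefault(fp, []).append(ip)
    # Appliances sharing one certificate cannot be told apart by this method.
    ambiguous = {fp for fp, ips in by_fp.items() if len(ips) > 1}
    answered = []
    for fp in vip_fingerprints:
        if fp in ambiguous:
            answered.append("ambiguous")
        else:
            answered.append(by_fp.get(fp, ["unknown"])[0])
    counts = Counter(answered)
    persistent = len(counts) == 1 and not ({"ambiguous", "unknown"} & set(counts))
    return {"answered_by": answered, "persistent": persistent, "counts": dict(counts)}


def probe_vip(vip, appliance_ips, attempts=10):
    """Live check: fingerprint each appliance directly, then hit the VIP repeatedly."""
    refs = {ip: cert_fingerprint(ip) for ip in appliance_ips}
    seen = [cert_fingerprint(vip) for _ in range(attempts)]
    return persistence_report(seen, refs)


if __name__ == "__main__":
    # Constructed sample: three appliances with distinct certificates; the VIP
    # session flips from appliance 1 to appliance 2, the failure mode described above.
    refs = {"10.0.0.1": "fp-a", "10.0.0.2": "fp-b", "10.0.0.3": "fp-c"}
    print(persistence_report(["fp-a", "fp-a", "fp-b", "fp-b"], refs))
```

Run the live check once over the IPSEC tunnel and once over SSL from the same client; a report with "persistent": False on IPSEC only matches the behaviour described in this article.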

The difference between SSL and IPsec VPNs.