search cancel

After configuring ASA Agent for WebLogic we see "Authentication did not succeed" errors due to "Invalid Session IP"


Article ID: 8587


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On


We have a Web Agent protecting an Apache web server acting as reverse proxy, in front of our WebLogic application server protected with an ASA Agent for WebLogic. When we try to access the application through the reverse proxy, we authenticate successfully on the first Web Agent, but then we get a HTTP 401 Unauthorized error which is returned by the ASA Agent.

In the ASA Agent log we see:

[20 Oct 2017 12:42:16,153] [[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'] [INFO] The SiteMinder Authentication Manager is validating user with DN: "CN=MyUser,OU=MyOU,DC=MyLab,DC=com" session id: "NAr7nIAHNSI/Aj9viCDAol36zgF=" and session spec: "A90D8761/V...".
[20 Oct 2017 12:42:16,154] [[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'] [DEBUG] Authentication cache is checking the policy server for authentication.
[20 Oct 2017 12:42:16,157] [[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'] [DEBUG] Authentication did not succeed
[20 Oct 2017 12:42:16,157] [[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'] [ERROR] The validation request for user with DN: "CN=MyUser,OU=MyOU,DC=MyLab,DC=com" failed.

Reviewing the Policy Server smaccess log, we see the following:

ValidateReject MyServer [20/Oct/2017:12:42:16 +0200] " " "my-asa-agent GET /myrealm" [] [9] Invalid session ip [] []  

But we are not doing any persistent or transient IP checking. How can we solve this issue?



ASA Agent for WebLogic R12.0 SP2 base release (GA/CR00) is performing IP checking even if it is disabled for the Agent. If either the WebLogic request or the request generating the SMSESSION cookie is going through a load balancer, reverse proxy or device that provides its IP as the ClientIP for the request, the issue will happen.

This is fixed in R12.0 SP2 CR01, so in order to the ASA Agent to not perform IP checking if it is disabled for the Agent, you need to update to this CR.


Policy Server R12.52 SP1 CR01ASA Agent for WebLogic R12.0 SP1 CR00


Upgrade the ASA Agent for Web Logic to 12.0 SP2 CR01 to solve this issue.

Additional Information

ASA Agent for WebLogic R12.0 SP2 CR01 details