After configuring ASA Agent for WebLogic we see "Authentication did not succeed" errors due to "Invalid Session IP"

Document ID : KB000008587
Last Modified Date : 14/02/2018
Show Technical Document Details
Issue:

We have a Web Agent protecting an Apache web server acting as reverse proxy, in front of our WebLogic application server protected with an ASA Agent for WebLogic. When we try to access the application through the reverse proxy, we authenticate successfully on the first Web Agent, but then we get a HTTP 401 Unauthorized error which is returned by the ASA Agent.

In the ASA Agent log we see:

[20 Oct 2017 12:42:16,153] [[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'] [INFO] The SiteMinder Authentication Manager is validating user with DN: "CN=MyUser,OU=MyOU,DC=MyLab,DC=com" session id: "NAr7nIAHNSI/Aj9viCDAol36zgF=" and session spec: "A90D8761/V...".
[20 Oct 2017 12:42:16,154] [[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'] [DEBUG] Authentication cache is checking the policy server for authentication.
[20 Oct 2017 12:42:16,157] [[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'] [DEBUG] Authentication did not succeed
[20 Oct 2017 12:42:16,157] [[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'] [ERROR] The validation request for user with DN: "CN=MyUser,OU=MyOU,DC=MyLab,DC=com" failed.

Reviewing the Policy Server smaccess log, we see the following:

ValidateReject MyServer [20/Oct/2017:12:42:16 +0200] "10.10.10.10 " "my-asa-agent GET /myrealm" [] [9] Invalid session ip [] []  

But we are not doing any persistent or transient IP checking. How can we solve this issue?

 

Environment:
Policy Server R12.52 SP1 CR01ASA Agent for WebLogic R12.0 SP1 CR00
Cause:

ASA Agent for WebLogic R12.0 SP2 base release (GA/CR00) is performing IP checking even if it is disabled for the Agent. If either the WebLogic request or the request generating the SMSESSION cookie is going through a load balancer, reverse proxy or device that provides its IP as the ClientIP for the request, the issue will happen.

This is fixed in R12.0 SP2 CR01, so in order to the ASA Agent to not perform IP checking if it is disabled for the Agent, you need to update to this CR.

Resolution:

Upgrade the ASA Agent for Web Logic to 12.0 SP2 CR01 to solve this issue.

Additional Information: