000032463 - Authentication Manager 8.1 logs show "Session operation failure processing request from agent"

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 3

Article Content

Article Number: 000032463
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1 SP1
 
Issue: The real-time authentication activity monitor (Reporting > Real Time Activity Monitor > Authentication Activity) shows several occurrences of the following error, which does not list an agent name or security domain, but does show an IP address:
Session operation failure processing request from agent “” with IP address “x.x.x.x” in security domain “” 
Cause: Certain Authentication Manager transactions take two steps instead of the typical one step to complete authentication. These include Next Tokencode (NTC), New PIN, and On-Demand Authentication (ODA).
During the first step, the first piece of information is entered (e.g., the passcode, the original PIN, or the ODA PIN). In the second step, the second piece of information is entered (e.g., the next tokencode shown on the token, the new PIN, or the ODA tokencode).
If the agent does not maintain stickiness or maintain the same session, specifically if the source UDP port or IP address changes, Authentication Manager will flag that second piece of information as from an unknown session and display the error message "Session operation failure."
Resolution: This is not an RSA issue, so there is no RSA or Authentication Manager resolution; this behavior is defined as functions as designed. That being said, there are possible agent fixes, especially for third-party agents or partner agents. These fixes would maintain the session for the second step in a two-step authentication transaction. They include settings to maintain stickiness or, if that is not possible, to disable load balancing.
Workaround: Disable load balancing, or avoid these types of multi-step authentication transactions on this type of agent.
Notes: See F5's knowledge base article on enabling session persistence and check for their latest patching recommendations. Also see the article on Citrix NetScaler load balancer configuration settings to maintain stickiness.
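
Because the error carries no agent name or security domain, the source IP address is the only field that identifies which agent or load balancer to check for stickiness. The following Python script is an added example, not RSA code, that tallies these errors per source IP from exported activity text; the sample lines, their timestamp prefix, and the inventory mapping are constructed assumptions.

```python
import re
from collections import Counter

# Message text as quoted in this article; curly or straight quotes accepted.
Q = '[“”"]'
V = '([^“”"]*)'
FAILURE = re.compile(
    "Session operation failure processing request from agent "
    f"{Q}{V}{Q} with IP address {Q}{V}{Q} in security domain {Q}{V}{Q}"
)

# Constructed sample lines; the timestamp prefix is an assumed export layout.
SAMPLE_LOG = '''\
2017-04-21 09:14:02 Session operation failure processing request from agent “” with IP address “192.0.2.10” in security domain “”
2017-04-21 09:14:40 (constructed unrelated activity line)
2017-04-21 09:15:11 Session operation failure processing request from agent "" with IP address "192.0.2.10" in security domain ""
2017-04-21 09:20:37 Session operation failure processing request from agent “” with IP address “198.51.100.7” in security domain “”
2017-04-21 09:31:05 Session operation failure processing request from agent “” with IP address “192.0.2.10” in security domain “”
'''

# Hypothetical inventory mapping source addresses to what sits behind them.
INVENTORY = {"192.0.2.10": "VPN gateway pool behind a load balancer"}


def failures_by_source(log_text):
    """Count session operation failures per source IP address."""
    counts = Counter()
    for line in log_text.splitlines():
        match = FAILURE.search(line)
        if match:
            counts[match.group(2)] += 1  # group 2 is the IP address field
    return counts


def triage(log_text, inventory):
    """Return (ip, failures, owner) rows, most frequent source first."""
    return [
        (ip, n, inventory.get(ip, "not in inventory"))
        for ip, n in failures_by_source(log_text).most_common()
    ]


if __name__ == "__main__":
    for ip, n, owner in triage(SAMPLE_LOG, INVENTORY):
        print(f"{ip:15} {n:3}  {owner}")
```

An address that recurs and maps to a load-balanced agent is the first place to review persistence settings.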
