When watching the real time authentication activity monitor (Reporting > Real Time Activity Monitor > Authentication Activity), there were several occurrences of the following error, which does not list an agent name or security domain, but does show an IP address:
Session operation failure processing request from agent “” with IP address “x.x.x.x” in security domain “”
Certain RSA Authentication Manager transactions take two steps instead of the typical one step to complete authentication. This includes Next Tokencode Mode, New PIN Mode, and On-Demand Authentication.
During the first step the first authentication information is entered (e. g., the passcode, the original PIN or the ODA PIN). In the second step the second piece of information is entered, e. g., the next tokencode shown on the token, the new PIN or the ODA tokencode.
If the agent does not maintain stickiness or maintain the same session, specifically if the source UDP port or IP address changes, RSA Authentication Manager will flag that second piece of information as from an unknown session and display the error message Session operation failure.
This is not an RSA issue, so there is no RSA or Authentication Manager resolution. This behavior is defined as functions as designed. That being said, there are possible agent fixes, especially to third-party agents or partner agents. These fixes would maintain the session for the second step in a two-step authentication transaction. These various fixes include settings to maintain stickiness, or if that is not possible, to disable load balancing.
As a workaround, disable load balancing or avoid these types of multi-step authentication transactions on this type of agent.