Forum Discussion

Sajid's avatar
Sajid
Icon for Cirrostratus rankCirrostratus
Sep 15, 2019
Solved

The client's IP address changed while the session was in progress.

SAML Authentication Error

 

Your session cloud not be established

 

The client's IP address changed while the session was in progress.

BIG-IP Access Policy Manager (APM)
security
  • Sajid's avatar
    Sajid
    Sep 15, 2019

    I have disabled this option on the APM Profile (issue fixed).

     

    Select the Restrict to Single Client IP check box to restrict the current session to a single IP address. This setting associates the session ID with the IP address. You must select the associated Custom check box before you can configure this setting. With this setting enabled, upon a request to the session, if the IP address has changed, the request is redirected to a logout page, the session ID is deleted, and a log entry is written to indicate that a session hijacking attempt was detected. If such a redirect is not possible, the request is denied and the same events occur.

    https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-network-access-11-2-0/8.html

     

     

4 Replies

Sort By
  • youssef1's avatar
    youssef1
    Icon for Cumulonimbus rankCumulonimbus
    Sep 16, 2019

    Hi,

     

    yes indeed I already had this problem, disabling this option on the APM Profile will fix your problem.

    however, keep in mind that this feature helps protect you from "Session hijacking" if you have an audit this is a point that the auditor can go back up.

     

    in general we encounter this type of problem if the user is in rooming, it changes wifi, or it passes on the 4g.

    but given the functionality it's normal behavior ...

     

    regards

  • Sajid's avatar
    Sajid
    Icon for Cirrostratus rankCirrostratus
    Sep 15, 2019

    I have disabled this option on the APM Profile (issue fixed).

     

    Select the Restrict to Single Client IP check box to restrict the current session to a single IP address. This setting associates the session ID with the IP address. You must select the associated Custom check box before you can configure this setting. With this setting enabled, upon a request to the session, if the IP address has changed, the request is redirected to a logout page, the session ID is deleted, and a log entry is written to indicate that a session hijacking attempt was detected. If such a redirect is not possible, the request is denied and the same events occur.

    https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-network-access-11-2-0/8.html

     

     

  • Sajid's avatar
    Sajid
    Icon for Cirrostratus rankCirrostratus
    Sep 16, 2019

    Hi Youssef,

     

    You are right, user faced same issue during roaming.

     

    is it possible to kill the existing or previous session, in case IP change?

     

    Regards,

    Sajid

  • youssef1's avatar
    youssef1
    Icon for Cumulonimbus rankCumulonimbus
    Sep 17, 2019

    Hi Sajid,

     

    No, that's not possible. If the user's IP changes it is disconnected and must authenticate again.

     

    I set up certificate authentication, so it's transparent for users because they don't have to enter these credentials...

     

    regards