Advanced Session Assurance misconfiguration

Hi all,

We are seeing strange behaviour. The Advanced Session Assurance option is disabled for our AG and IDS clusters (under Security -> Session Assurance, IDS and AG Cluster are not checked). None of the proxy resources have "Enable Advanced Session Assurance" checked.

In this configuration we are running into random user logouts with this error on the AG:

May  3 15:07:43 lenvnam1 httpd[23879]: [novell_ag:crit] [pid 23879:tid 139840694769408] AM#104600404 AMDEVICEID#ag-25C7C3E4C1A5BFA4: AMAUTHID#40ef1e93dbaad73061743fa1beda281b595a650c10c71e79db73c0fcdbc19e3c: AMEVENTID#33810571: logging out user with DN=cn=PM85568,ou=UTENTI,o=MINSALUTE and sessionId=7f4111a28f6dd77a2dbc27cb11d2b0216640a3f4015b992ecfaf6ca50ca12021 because of session assurance mismatch

May 3 15:07:43 lenvnam1 httpd[23879]: [novell_ag:crit] [pid 23879:tid 139840694769408] AM#104600404 AMDEVICEID#ag-25C7C3E4C1A5BFA4: AMAUTHID#40ef1e93dbaad73061743fa1beda281b595a650c10c71e79db73c0fcdbc19e3c: AMEVENTID#33810571: reason for session assurance mismatch is
May 3 15:07:43 lenvnam1 httpd[23879]: [novell_ag:crit] [pid 23879:tid 139840694769408] AM#104600404 AMDEVICEID#ag-25C7C3E4C1A5BFA4: AMAUTHID#40ef1e93dbaad73061743fa1beda281b595a650c10c71e79db73c0fcdbc19e3c: AMEVENTID#33810571: IDC mismatch:received Idc cookie is expired

IDS version is 4.3

AG version is 4.4

Can someone help us?

Thanks
 

  • Make sure you have updated all the AG devices after disabling the Session Assurance.

    Are you using Device Fingerprint during authentication?

  • All AG devices are updated but the IDC Cookie is still present during user navigation. How can I check if Device Fingerprint is active during authentication? 

  • This is likely the same bug I've encountered a few times, that probably no one has yet raised with Micro Focus/NetIQ. I've usually seen it when declaring a new "Primary" AG node (double red plus-sign symbol) for the cluster, though there may be other code paths that lead to the same.

    Try this as a fix:

    1) Check the box to help the Admin Console believe that Session Assurance is enabled for the AG cluster (which it is, just the Admin Console isn't aware).

    2) Apply that update to the AG Cluster.

    3) Now, uncheck the box for Session Assurance on the AG cluster.

    4) Apply that update to the AG Cluster.

    Now it should be truly turned off. It's just some odd disconnect reported by the Admin Console that doesn't accurately reflect what's unintentionally/default set on the AG nodes.
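
To check whether the logouts really stop after the toggle-and-reapply steps above, the AG log can be summarised per node. The following is an added example, not part of any post in this thread and not NetIQ tooling; it assumes the three-line message layout quoted in the first post and that related lines share AMDEVICEID and AMEVENTID, and its sample lines are constructed with placeholder identifiers.

```python
import re
from collections import Counter

# Field layout follows the AG log lines quoted in the thread.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+\S+\s+httpd\[\d+\]:.*?"
    r"AMDEVICEID#(?P<device>[^:]+):\s+AMAUTHID#[^:]+:\s+"
    r"AMEVENTID#(?P<event>\d+):\s*(?P<msg>.*)$")
LOGOUT = re.compile(r"logging out user with DN=(?P<dn>.+) and sessionId=\S+ "
                    r"because of session assurance mismatch")
REASON_HDR = "reason for session assurance mismatch is"

def find_mismatch_logouts(lines):
    """Return one record per mismatch logout, with its reason line attached."""
    records, latest, awaiting = [], {}, set()
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        key = (m["device"], m["event"])  # assumption: related lines share both
        msg = m["msg"].strip()
        hit = LOGOUT.search(msg)
        if hit:
            rec = {"time": m["ts"], "device": m["device"], "dn": hit["dn"], "reason": None}
            records.append(rec)
            latest[key] = rec
        elif key in latest and msg.startswith(REASON_HDR):
            inline = msg[len(REASON_HDR):].strip()
            if inline:
                latest[key]["reason"] = inline
            else:
                awaiting.add(key)        # reason text arrives on the next line
        elif key in awaiting:
            latest[key]["reason"] = msg
            awaiting.discard(key)
    return records

def count_by_device(records):
    return Counter((r["device"], r["reason"]) for r in records)

# Constructed sample in the thread's format; every identifier is a placeholder.
def _line(dev, ev, msg):
    return (f"May  3 15:07:43 aghost httpd[100]: [novell_ag:crit] [pid 100:tid 1] "
            f"AM#104600404 AMDEVICEID#{dev}: AMAUTHID#aa11: AMEVENTID#{ev}: {msg}")
_OUT = ("logging out user with DN=cn=user1,ou=people,o=example and "
        "sessionId=abc123 because of session assurance mismatch")
SAMPLE = [_line("ag-NODE1", 1001, _OUT), _line("ag-NODE1", 1001, REASON_HDR),
          _line("ag-NODE1", 1001, "IDC mismatch:received Idc cookie is expired"),
          _line("ag-NODE2", 1002, _OUT)]
print(count_by_device(find_mismatch_logouts(SAMPLE)))
```

A node that still produces records after the update was applied is one where Session Assurance is still being enforced.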