Environment
Novell Access Manager 3.1 Service Pack 3
Novell Access Manager 3.1 SSLVPN Service Pack 3
The traditional SSLVPN Server protected by a Linux Access Gateway has been installed on a dedicated SLES machine
Situation
- Enterprise SSLVPN client sessions disconnect after about 3 minutes since Novell Access Manager 3.1 Service Pack 3 was installed
- The Identity Server "Default Timeout" and the SSLVPN "Inactivity Timeout (Minutes)" have both been set to 30 minutes
- Timeout Per Protected Resource (TOPPR) has not been enabled / configured
- A Full-Tunnel traffic rule has been configured for all users
- An internal DNS server has been configured to be assigned to the client as soon as an SSLVPN connection has been established
Resolution
Running the keep-alive requests through the SSLVPN tunnel is not supported. With a Full-Tunnel traffic rule you have to make sure that the DNS entries for the NIDP server and the SSLVPN protected resource resolve to their public IP addresses, and that the Identity Server / Linux Access Gateway IP address has been configured in the SSLVPN Basic Configuration.
As a temporary workaround you can lower the security on your Linux Access Gateway by creating the "lagDisableAuthIPCheck" touch file, which turns off the session cookie / IP address check described under Additional Information. Please refer to the Novell Access Manager 3.1 SP3 documentation for further details on this touch file.
Additional Information
An HTTP header trace taken while troubleshooting the disconnect shows that the Linux Access Gateway protecting the SSLVPN server requires the user to re-authenticate when the client sends its keep-alive request. Since Novell Access Manager 3.1 Service Pack 3 a stricter check that binds the user session cookie to the IP address it is used from is enabled by default.
The DNS server configured for SSLVPN clients resolves the DNS names of the NIDP server and the SSLVPN protected resource to private addresses. Every keep-alive packet therefore travels through the tunnel and arrives at the protected resource with a source address out of the "Assigned IP Address Pool For Enterprise Mode" instead of the address the session was established from, which the stricter session cookie validation treats as an invalid session.
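The following script is an added example, not part of this TID or of Novell Access Manager itself. It performs the check the Resolution asks for: it takes the answers the tunnel-assigned DNS server gives for the NIDP server and the SSLVPN protected resource and flags every name that resolves into RFC 1918 / local address space or into the Enterprise-mode address pool, since those keep-alives would arrive at the Linux Access Gateway from a pool address and fail the session cookie / IP check. The hostnames, the DNS answers and the pool are constructed placeholders, not values from the article; resolve_live() is an optional helper that queries whatever resolver the client currently has.

```python
"""Added example: verify that SSLVPN keep-alive targets resolve to public addresses.

Not part of the Novell TID. All hostnames, addresses and the pool below are
constructed placeholders; replace them with the values of your environment.
"""
import ipaddress
import socket

# Constructed: the "Assigned IP Address Pool For Enterprise Mode" of this SSLVPN.
ENTERPRISE_POOL = ipaddress.ip_network("10.200.0.0/24")

# Address space that is only reachable through the tunnel once Full-Tunnel is active.
# Checked explicitly instead of ipaddress.is_private, which also treats the
# documentation ranges (203.0.113.0/24 etc.) as private.
TUNNEL_ONLY_RANGES = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

# Constructed answers: what an internal DNS server returns (the broken setup)
# and what the public DNS returns (the setup the Resolution requires).
INTERNAL_DNS_ANSWERS = {
    "nidp.example.com": "192.168.10.5",
    "sslvpn.example.com": "192.168.10.6",
}
PUBLIC_DNS_ANSWERS = {
    "nidp.example.com": "203.0.113.10",
    "sslvpn.example.com": "203.0.113.11",
}


def classify(address, pool=ENTERPRISE_POOL):
    """Return why a keep-alive to this address breaks the LAG IP check, or None if it is fine."""
    ip = ipaddress.ip_address(address)
    if ip in pool:
        return "resolves into the Enterprise-mode address pool"
    if any(ip in net for net in TUNNEL_ONLY_RANGES):
        return "resolves to a private address, so the keep-alive is sent through the tunnel"
    return None


def check_keepalive_targets(answers, pool=ENTERPRISE_POOL):
    """Map hostname -> problem description for every name whose DNS entry must be fixed."""
    problems = {}
    for host, address in answers.items():
        reason = classify(address, pool)
        if reason is not None:
            problems[host] = f"{host} -> {address}: {reason}"
    return problems


def resolve_live(hostnames):
    """Resolve names with the client's current resolver (the one the tunnel assigned).

    Run this on a connected SSLVPN client to feed real answers into
    check_keepalive_targets(); it is not used by the offline demonstration.
    """
    answers = {}
    for host in hostnames:
        infos = socket.getaddrinfo(host, None, socket.AF_INET)
        answers[host] = infos[0][4][0]
    return answers


if __name__ == "__main__":
    for label, answers in (("internal DNS", INTERNAL_DNS_ANSWERS),
                           ("public DNS", PUBLIC_DNS_ANSWERS)):
        problems = check_keepalive_targets(answers)
        print(f"{label}: {'OK' if not problems else 'FIX NEEDED'}")
        for line in problems.values():
            print("  " + line)
```

On a client that is connected with the Full-Tunnel rule active, call check_keepalive_targets(resolve_live(["nidp.example.com", "sslvpn.example.com"])) with your own hostnames; an empty result means both names already resolve to public addresses and the keep-alives will leave the client from its real interface address.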