SSLVPN client disconnects the user session after a few minutes once NAM 3.1 Service Pack 3 has been installed

  • 7008354
  • 12-Apr-2011
  • 26-Apr-2012

Environment

Novell Access Manager 3.1  Service Pack 3
Novell Access Manager 3.1 SSLVPN Service Pack 3
The traditional SSLVPN Server, protected by a Linux Access Gateway, has been installed on a dedicated SLES machine

Situation

  • Enterprise SSLVPN client sessions disconnect after about 3 minutes once Novell Access Manager 3.1 Service Pack 3 has been installed
  • The Identity Server "Default Timeout" and the SSLVPN "Inactivity Timeout (Minutes)" have both been set to 30 min
  • Time Per Protected Resource (TOPPR) has not been enabled or configured
  • A Full-Tunnel traffic rule has been configured for all users
  • An internal DNS server is assigned to the client as soon as an SSLVPN connection has been established

Resolution

Running the keep-alive requests through the SSLVPN tunnel is not supported. With a Full-Tunnel traffic rule you have to make sure that the DNS entries for the NIDP server and the SSLVPN protected resource resolve to the public IP address, and that the Identity Server / Linux Access Gateway IP address has been configured in the SSLVPN Basic Configuration

As a temporary workaround you can lower the security on your Linux Access Gateway using the "lagDisableAuthIPCheck" touch file. Please refer to the Novell Access Manager 3.1 SP3 documentation for further details on this touch file

Additional Information

An HTTP header trace taken while troubleshooting the disconnect problem shows that the Linux Access Gateway protecting the SSLVPN server requires the user to re-authenticate when a client-initiated keep-alive request arrives. With Novell Access Manager Service Pack 3 a stronger check of the user session cookie against the IP address it was issued to is used (NAM 3.1 SP3 default).

The DNS server which has been configured for SSLVPN clients resolves the DNS name entries for the NIDP server and the SSLVPN protected resource to private addresses. Any keep-alive packet arriving at the protected resource will therefore use a source address out of the "Assigned IP Address Pool For Enterprise Mode" instead of the client's original address, which makes the user session invalid under the stronger security policy used for validating the user session cookie
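The following Python script is an added illustration, not code from Novell or from this TID, that models both the DNS check called for in the Resolution section and the session/IP validation described above. All host names, addresses and the "Gateway" class are constructed assumptions: the two resolver tables stand in for what the SSLVPN-assigned internal DNS server and the public DNS answer, the pool address stands in for an "Assigned IP Address Pool For Enterprise Mode" address, and the auth_ip_check flag stands in for the behaviour toggled by the lagDisableAuthIPCheck touch file. It shows why a privately resolved NIDP name turns a keep-alive into a re-authentication, and why resolving the names to the public address (or, as a workaround, disabling the IP check) makes the keep-alive pass.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample resolver answers (placeholders, not from the article).
# The internal DNS handed out through the tunnel answers with private addresses;
# the public DNS answers with the gateway's public address.
INTERNAL_DNS = {
    "nidp.example.com": "10.10.1.5",
    "sslvpn.example.com": "10.10.1.6",
}
PUBLIC_DNS = {
    "nidp.example.com": "203.0.113.10",
    "sslvpn.example.com": "203.0.113.11",
}
KEEPALIVE_TARGETS = ("nidp.example.com", "sslvpn.example.com")

# RFC 1918 ranges, checked explicitly: ipaddress.is_private also flags the
# documentation ranges (192.0.2/24, 198.51.100/24, 203.0.113/24), which would
# give a false positive on the sample public addresses used here.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(addr):
    """True if the address falls in one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def dns_check(answers, names=KEEPALIVE_TARGETS):
    """Return (name, address) pairs whose answer is a private address.

    With a Full-Tunnel traffic rule, every such name sends the client's
    keep-alive through the tunnel, so the request reaches the Linux Access
    Gateway from a pool address rather than from the client's real address.
    An empty list means the names resolve publicly, as the TID requires.
    """
    return [(name, answers[name]) for name in names if is_rfc1918(answers[name])]


@dataclass
class Session:
    cookie: str
    bound_ip: str  # client address seen when the session was created


class Gateway:
    """Hypothetical model of the LAG session check: with auth_ip_check on
    (the SP3 default) the session cookie is bound to the client IP seen at
    login; off models the lagDisableAuthIPCheck touch file."""

    def __init__(self, auth_ip_check=True):
        self.auth_ip_check = auth_ip_check
        self.sessions = {}

    def login(self, cookie, client_ip):
        self.sessions[cookie] = Session(cookie, client_ip)

    def validate(self, cookie, client_ip):
        """'ok' if the request is accepted; 'reauth' if the LAG would send
        the user back to the NIDP, which is what the header trace shows."""
        sess = self.sessions.get(cookie)
        if sess is None:
            return "reauth"
        if self.auth_ip_check and sess.bound_ip != client_ip:
            return "reauth"
        return "ok"


def keepalive_outcome(answers, auth_ip_check=True,
                      client_public_ip="198.51.100.7", pool_ip="10.20.0.33"):
    """Simulate a login from the client's real address (before the tunnel is
    up) followed by a keep-alive whose source address depends on how the
    NIDP name resolves once the tunnel-assigned DNS server is in use."""
    gw = Gateway(auth_ip_check)
    gw.login("sess-1", client_public_ip)
    # Private answer + Full-Tunnel rule: the keep-alive is routed through the
    # tunnel and is seen by the LAG from the Enterprise-mode pool address.
    src = pool_ip if is_rfc1918(answers["nidp.example.com"]) else client_public_ip
    return gw.validate("sess-1", src)


if __name__ == "__main__":
    print("private answers:", dns_check(INTERNAL_DNS))
    print("keep-alive via internal DNS:", keepalive_outcome(INTERNAL_DNS))
    print("keep-alive via public DNS:", keepalive_outcome(PUBLIC_DNS))
    print("internal DNS, IP check disabled:",
          keepalive_outcome(INTERNAL_DNS, auth_ip_check=False))
```

Running it prints the two privately resolved names, "reauth" for the misconfigured case, "ok" once the names resolve to the public address, and "ok" again when the IP binding is switched off. Only the DNS fix keeps the stronger SP3 session check in place; the flag models the TID's temporary workaround, which accepts a cookie from any source address.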