Environment
NetIQ Access Manager 4.3
NetIQ Access Manager 4.2
NetIQ Access Manager 4.2
Situation
Since upgrading from NAM 4.2.2 to NAM 4.3.0.0-392, many users have started to report 'Page Cannot Be Displayed' errors when accessing protected resources in NAM.
Users accessing these applications are directed through the in house portal. From there, the user has icons that direct them to internal Apache Tomcat web applications that are protected by NAM and provide a single sign on experience for our users. These open in a new tab in the browser.
What's happening is that every so often when a user already has a tab open to a protected resource and they attempt to open another one, the second tab comes up with 'Page Cannot be DIsplayed'. It never does appear to reach Apache and we don't see any errors in the logs.
We do not see this issue in Chrome or Firefox. IE 11 is the standardized browser at this time.
If the user closes their browser and tries again, it works.
Resolution
Set Load Balancer session persistence be based on IP address – it was set to SSL sessionIDs, and users were getting bounced between different AGs with different session cookies.
Brocade VTM load balancer VIP set Session Persistence to SSL Session ID
Another option (not needed here) would have been to set the AG avanced option 'NAGGlobalOptions FlushUserCache=on' on 4.3.0 (not needed in 4.3.1).
Brocade VTM load balancer VIP set Session Persistence to SSL Session ID
Another option (not needed here) would have been to set the AG avanced option 'NAGGlobalOptions FlushUserCache=on' on 4.3.0 (not needed in 4.3.1).
Cause
Cookie broker handling issue with session cookies. Fixed in 4.2.5 and 4.3.3.