Forum Discussion

Julzor
Altostratus
Mar 15, 2020

APM with External IDP (SAML) unexpected disconnection

Hi,

Like a lot of people right now, we are deploying VPN profiles in an emergency.

For a specific scenario, we use an External IDP (SAML SSO) to connect the users, which works fine.

However, we get disconnected after a few minutes (sometimes seconds).

We did some testing: the issue doesn't seem to happen when we switch to RADIUS or local auth, and it SEEMS to be linked with the Maximum Sessions per user parameter.

We had this parameter configured to 1 session max per user, and we were disconnected a LOT, even if only one session was running.

We switched the parameter to 2, which kind of improved the situation, but we were still disconnected from time to time.

When the parameter was configured to 2, and only my test laptop was connected (I verified in the logs, only one session existed at this time), I tried to launch F5 Access from my smartphone, which should have been OK since we allow 2 sessions per user. However, my laptop was directly disconnected.

Now, we have disabled the Max Sessions per user parameter and everything is working great.

Any idea what could have happened?

Why would it only happen with the SAML auth (External IDP) and not with RADIUS or local auth?

Thank you in advance

1 Reply

  • We deployed some profiles without the Max Sessions Per User.

    We quickly saw the Active Sessions rise like hell.

    We do notice that some users have A LOT of sessions for a single device/username.

    A username has 348 active sessions; these are "LTM_APM" sessions.

    Does anybody know what's going on?

    Is it SAML related?

    I can't figure out what to do right now.

    EDIT:

    We did put back the Max Sessions per user because it was uncontrollable; a few users could reach the 2500 Active Sessions that we have as a maximum with the licence.

    But we get disconnected after a few seconds again.

    We did change to RADIUS authentication and now it looks like it's OK.

    It makes NO sense to me right now, so if anyone has a clue, it's more than welcome.
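Added example (not part of this thread, and not F5's code): a small Python check that counts concurrent APM sessions per user and per user/client pair from an exported session listing, so a runaway like the 348-session user described above is visible before the licence cap is reached. The `key=value` line format, the sample usernames and client addresses, and the per-user limit and 2500 cap values are assumptions for the constructed sample; adapt `parse_session_line()` to whatever your own session export looks like.

```python
"""Per-user APM session monitor over a constructed session listing.

Added example, not from the thread and not F5 code. It assumes a simple
'key=value key=value' record format for exported session entries; real APM
output differs, so adapt parse_session_line() to your export.
"""
from collections import Counter
from typing import Dict, Iterable, List, Tuple

MAX_SESSIONS_PER_USER = 2   # assumed policy value (the thread tried 1 and 2)
LICENSE_CAP = 2500          # assumed cap, matching the figure quoted in the thread

# Constructed sample: five users, one of which (bob) has piled up duplicate
# sessions from a single client, the pattern described in the reply.
SAMPLE_LINES: List[str] = [
    "sid=0001 user=alice client=10.1.1.10 type=LTM_APM",
    "sid=0002 user=alice client=192.0.2.44 type=LTM_APM",
    "sid=0003 user=carol client=10.1.1.20 type=LTM_APM",
] + [
    f"sid={1000 + n:04d} user=bob client=10.1.1.30 type=LTM_APM" for n in range(12)
] + [
    "sid=0004 user=dave client=10.1.1.40 type=LTM_APM",
    "sid=0005 user=dave client=10.1.1.40 type=LTM_APM",
    "sid=0006 user=dave client=10.1.1.41 type=LTM_APM",
    "sid=0007 user=erin client=10.1.1.50 type=PORTAL",  # not LTM_APM, filtered out
]


def parse_session_line(line: str) -> Dict[str, str]:
    """Parse one 'key=value ...' record into a dict; tokens without '=' are skipped."""
    record: Dict[str, str] = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep and key:
            record[key] = value
    return record


def load_sessions(lines: Iterable[str], session_type: str = "LTM_APM") -> List[Dict[str, str]]:
    """Keep only records of the given type that carry both a user and a client."""
    sessions = []
    for line in lines:
        rec = parse_session_line(line)
        if rec.get("type") == session_type and "user" in rec and "client" in rec:
            sessions.append(rec)
    return sessions


def sessions_per_user(sessions: List[Dict[str, str]]) -> Counter:
    """Live session count keyed by username."""
    return Counter(s["user"] for s in sessions)


def users_over_limit(sessions: List[Dict[str, str]],
                     limit: int = MAX_SESSIONS_PER_USER) -> Dict[str, int]:
    """Users whose concurrent session count exceeds the configured per-user maximum."""
    return {user: n for user, n in sessions_per_user(sessions).items() if n > limit}


def duplicate_client_sessions(sessions: List[Dict[str, str]]) -> Dict[Tuple[str, str], int]:
    """(user, client) pairs holding more than one concurrent session, i.e. the
    'many sessions for a single device/username' symptom from the reply."""
    pairs = Counter((s["user"], s["client"]) for s in sessions)
    return {pair: n for pair, n in pairs.items() if n > 1}


def license_headroom(sessions: List[Dict[str, str]], cap: int = LICENSE_CAP) -> Tuple[int, int]:
    """Total sessions of the monitored type and how many remain under the licensed cap."""
    total = len(sessions)
    return total, max(cap - total, 0)


def report(lines: Iterable[str]) -> str:
    """Human-readable summary of the three checks above."""
    sessions = load_sessions(lines)
    total, remaining = license_headroom(sessions)
    out = [f"{total} LTM_APM sessions, {remaining} left before the licence cap"]
    for user, n in sorted(users_over_limit(sessions).items()):
        out.append(f"  over per-user limit: {user} has {n} sessions")
    for (user, client), n in sorted(duplicate_client_sessions(sessions).items()):
        out.append(f"  stacked sessions: {user} from {client} x{n}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LINES))
```

Run it against the sample and it flags `bob` (12 sessions, all from one client) and `dave` (3) as over the limit of 2; the same functions run unchanged over a real export once the parser matches its format, and the per-client view is the one that separates a user with several genuine devices from a single device that keeps re-establishing sessions.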