Layer7 Privileged Access Management


CA PAM issue with external F5 load balancer

  • 1.  CA PAM issue with external F5 load balancer

    Posted 05-16-2018 10:30 AM

    Hi,

    We are facing an issue in CA PAM while using an external F5 load balancer for a multi-site clustering configuration. We have F5 GTM configured with all the PAM appliance nodes directly. Whenever we try to access the F5 URL, the user is able to authenticate successfully and the dashboard is shown, but after a few minutes PAM shows the PAM-UI-1003: Unauthorized error and the user is unable to perform any action.


    Can you help us find the root cause here? In the PAM client logs we see that each time PAM is creating the connection and closing it too. Not sure why the connection is getting released and re-established again and again.


    Please let us know the correct external load balancer setting for PAM multi site clustering.



  • 2.  Re: CA PAM issue with external F5 load balancer

    Posted 05-16-2018 11:01 AM

    Hi Bipin, is your load balancer configured to have source IP persistence? Your description would match a scenario where the load balancer does not keep a given user connected to the same PAM host. A session is only valid on the PAM server to which it was established. If your load balancer redirected the user to a different PAM cluster node at some later time, this error would be expected.



  • 3.  Re: CA PAM issue with external F5 load balancer

    Posted 05-16-2018 11:36 AM

    The load balancer is configured at the GTM layer only for DNS routing. Can you please tell us how to configure source IP persistence? Can we achieve this only with GTM, or do we need to introduce LTM here? And anything on the cluster VIP?



  • 4.  Re: CA PAM issue with external F5 load balancer
    Best Answer

    Posted 05-16-2018 02:03 PM

    Hi Bipin, please discuss this with your load balancer admin; he will be familiar with the various persistence models. While a user has a session running, the load balancer should always route communication to the same PAM instance. This works best if the load balancer connects directly to individual PAM nodes, and not to a PAM VIP. If I understand your initial post correctly, this is how you have it configured now.


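The failure mode described in replies 2 and 4, shown as an added example that is not part of this thread and not CA PAM code: each cluster node keeps its own session table, so a load balancer without persistence sends a later request to a node that has never seen the session and the user is rejected, while a source-IP persistence policy keeps every request of one client on the node that issued the session. The node names, client address, user name and the simple hash-based persistence are all constructed for the illustration; the only string taken from the thread is the error text.

```python
"""Session affinity in front of a stateful cluster (constructed simulation).

Added example, not part of the forum thread or of any product. Node names,
the session store and the client address are assumptions made for the demo.
"""
import hashlib
import itertools
import secrets

UNAUTHORIZED = "PAM-UI-1003: Unauthorized"  # error string quoted in the thread


class Node:
    """One cluster node with its own, non-replicated session table."""

    def __init__(self, name):
        self.name = name
        self.sessions = {}  # token -> user; only this node knows about it

    def login(self, user):
        token = secrets.token_hex(8)
        self.sessions[token] = user
        return token

    def handle(self, token):
        # A session is only valid on the node that established it.
        return "OK" if token in self.sessions else UNAUTHORIZED


class RoundRobinLB:
    """No persistence: every request goes to the next node in turn."""

    def __init__(self, nodes):
        self._cycle = itertools.cycle(nodes)

    def pick(self, client_ip):
        return next(self._cycle)


class SourceIPLB:
    """Source-IP persistence: the same client always lands on the same node."""

    def __init__(self, nodes):
        self.nodes = nodes

    def pick(self, client_ip):
        digest = hashlib.sha256(client_ip.encode()).hexdigest()
        return self.nodes[int(digest, 16) % len(self.nodes)]


def run_session(lb, client_ip, requests=3):
    """Log in through the load balancer, then send follow-up requests.

    Returns a list of (node_name, outcome) for the follow-up requests.
    """
    login_node = lb.pick(client_ip)
    token = login_node.login("demo-user")  # constructed user name
    outcomes = []
    for _ in range(requests):
        node = lb.pick(client_ip)
        outcomes.append((node.name, node.handle(token)))
    return outcomes


def affinity_held(outcomes):
    """True when every request of the session reached the same backend.

    This is the check an operator would run over real access logs: a session
    whose backend changes mid-way is the signature of missing persistence.
    """
    return len({name for name, _ in outcomes}) == 1


def fresh_cluster():
    return [Node("pam-a"), Node("pam-b"), Node("pam-c")]  # constructed names


if __name__ == "__main__":
    print("round robin:", run_session(RoundRobinLB(fresh_cluster()), "10.0.0.5"))
    print("source IP  :", run_session(SourceIPLB(fresh_cluster()), "10.0.0.5"))
```

With round robin the login lands on one node and the next requests rotate to the others, which answer with the Unauthorized error even though the user authenticated a moment ago; with source-IP persistence all requests stay on the login node and succeed. The same pattern applies whatever persistence model the load balancer admin chooses (source IP, cookie, or SSL session ID): what matters is that every request of one user session reaches the node that issued it.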

  • 5.  Re: CA PAM issue with external F5 load balancer

    Posted 05-16-2018 04:18 PM

    That is correct, thank you so much for your input. I will ask our F5 team to change the configuration to enable persistence and will see how it goes. I will mark this as the correct answer for now. Thanks again.