7 Replies Latest reply on Oct 25, 2012 12:17 PM by Bob Biros

    On-Demand session terminated due to changed IP address

    Kevin Campbell Apprentice

      My company uses Webroot, a cloud-based internet proxy and content filter.  Because they are cloud-based, when they perform load balancing our traffic may be routed through other servers in their farm.  This causes my Ariba-perceived IP address to alter dramatically.  Ariba looks upon this as a potential session hijack attempt and promptly terminates the session with an ominous warning.

       

      This happens without warning and in purely random fashion.  Ariba's stock answer is "talk with your IT department to adjust your settings."  Well, my IT department is the one who selected the proxy/filter a year or more before we implemented Ariba.  We are using SAP R/3 as our ERP and SAP SRM as our procurement app talking to Ariba.

       

      Surely we can't be the only medium/large enterprise using a cloud-based proxy.  Someone else must be doing it this way and is either suffering this same problem we are OR they've figured out a solution.  I would love to hear from anyone who has/had this problem - especially if you have SOLVED it.

       

      Kevin Campbell

      Albemarle

      kevin.campbell@albemarle.com

       

      IP_addr_switch.jpg

        • Re: On-Demand session terminated due to changed IP address
          Carlos Moreno Journeyman

          Hi Kevin,

           

          Well I am not an expert in this kind of proxy matters, but I really think this is an issue that definitely must be solved by your IT department. The behaviour of Ariba is quite normal to prevent any kind of hacking against customers' data. This does not only happens in Ariba solutions, but if you log in to Google, Facebook, Yahoo, or whichever site that uses a session cookie, and then in the middle of the session you suddendly change the IP, I bet you will get a similar error.

           

          I mean, think of it like this: you log in with your username and password from an IP (which for the server is like you are at a precise physical location). If you log out, change the IP and log in again nothing happens since you are logging in from a different location, but from the beginning of the whole session. What it seems to me really weird is that your servers change the IP of your computers with no warnings of closing sessions of something like that. As a result (again, in the middle of a session) Ariba detects that you have suddendly changed the IP. If you think of it carefully, this is very suspicious for a server, and blocking the session is the most normal response since a sudden IP change can be interpreted as a hacking attempt.

           

          I also had the same issue a couple of times after logging in. I lost connection to the enterprise network, got connected again, I was given a new IP by the system, and Ariba terminated my session. If your problem is that your servers are doing this continiously, then I recommend you to talk to your IT department to find a solution. Changing the IP is quite normal in all enterprises, we also do it, but only if you log out and in again to your enterprise network. Changing the IP during the course of your connection without having logged out seems to me inconvenient when it comes to sites where you need to log in with a username and password (thus storing a session cookie).

           

          Hope this helps, and hopefully you find a solution. Best regards.

            • Re: On-Demand session terminated due to changed IP address
              Kevin Campbell Apprentice

              Look, I know that IT has to solve this, but my IT department is not able to help much - at least not without a LOT more info.  SOMEONE out there in the user community has resolved this at their company.  I really need to hear from someone who has and how you did it.

                • Re: On-Demand session terminated due to changed IP address
                  AribaMax Master

                  Hi Kevin,

                   

                  Well, it's unfortunate that your IT dept. is of no help on this issue.

                   

                  As Carlos has pointed out, it's strange that the ip address has to change while the user is logged in on the same network (unless the modem is reset etc). I would like to add that it's actually more strange that Webroot had to change the subnet also. If the IT department is not helping, surely your (application) technical team could certainly reach out to Webroot quickly and confirm the facts. Also, I'm sure there must be a way in your company's webroot account settings to control the subnet (mask), which of course your dreaded IT dept has to do. And I'm sure they will oblige once you present them the information from Webroot customer support, and with a little nudge from your Business sponsor.

                   

                  Also, as a first step, you could try adding *.ariba.com as a trusted site and see if that helps before working with Webroot.

              • Re: On-Demand session terminated due to changed IP address
                Kevin Campbell Apprentice

                As I have stated, we have no control over what the cloud-based proxy does to balance traffic loads.  THAT's where our problem comes from.  When they load-balance, our traffic gets shuttled to a different server in a different subnet of their cloud.  Ariba sees that change and reacts badly.

                 

                I have new word from my IT department that Ariba is at least partially to blame for this whole mess.  We have rules baked into our infrastructure for what we THOUGHT was all our Ariba traffic.  It turns out that Ariba added an IP range without informing us.  When we initially had this problem over a year ago, we asked for all Ariba domains and IP ranges.  We asked multiple times if this was ALL that Ariba was using.  We were told that is was.  We asked to be informed of any changes as this would affect our traffic.  IT setup the firewalls and routers according to the information provided and this drastically reduced the problem for months.  Then the problem began to resurface and get steadily worse.  Ariba again provided the IP ranges and IT discovered a previously undisclosed subnet (.106) which could certainly account for the problem.

                 

                from my IT group:

                "It looks like Ariba has added a new address range to their list of addresses (the one in bold font) without notifying us.

                 

                216.109.110.0 to 216.109.111.255

                216.109.108.0 to 216.109.109.255

                216.109.104.0 to 216.109.104.255

                216.109.106.0 to 216.109.106.255

                 

                I was afraid we would be playing this cat and mouse game with them.  This will require a change to all of our routers and firewalls."

                 

                My IT group will implement the new address range in their configuration, but my fear is that this will happen many more times.  Every time someone gets "severed" in the middle of a shopping session, it breeds ill-will in my user community.  That breeds ill will between Ariba and my company overall.

                • Re: On-Demand session terminated due to changed IP address
                  Don Obrzut Novice

                  Kevin:

                   

                  Certainly understand the frustration here.  Have been working in the background on this and have reached out to wide range of internal associates who may have knowledge of this as well as those who have contact with clients to see if there are others who are experiencing similar situations with their internet proxy and content filter. Would expect to hear somthing soon, if anyone has experienced this within their company's environment.  I'll continue to update you on any progress via our meetings and email.

                   

                  Regards,