the error in the log is this:

ticket: /172.24.0.1 != /172.28.2.45

something is either changing the IP of your workstation, or perhaps you are going through a load balancer to get the appserver ?

on the appserver where you see this log, how do you connect?  directly or through a load balancer ?

What is 172.24.0.1 ?  is this a network device?

what else is running on that dns server?  because for some reason, from the log, that server is initiating a request to your bladelogic config server w/ your credentials, that were obtained from your workstation.

Could be some Network Adress Translation.

We noticed the same behaviour once and used the blasadmin command to solve this.

blasadmin -a set appserver ValidateClientIpAddress true

The only remark is: it only seems to work for the application server, not for NSH proxies.

I'm running 7.6.0.313 and am looking for a way to solve this error when going through a NAT device when connecting to a NSH proxy.

[16 May 2012 08:40:02,972] [Nsh-Proxy-Thread-2] [WARN] [Anonymous:Anonymous:192.168.0.10] [BLSSOPROXY] Connection closed by /192.168.0.10:63338 before pre-authentication handshake could be completed.

[16 May 2012 08:40:02,972] [Nsh-Proxy-Thread-2] [INFO] [Anonymous:Anonymous:192.168.0.10] [BLSSOPROXY] failure establishing session with proxy service

[16 May 2012 08:40:02,972] [Nsh-Proxy-Thread-2] [INFO] [Anonymous:Anonymous:192.168.0.10] [BLSSOPROXY] NSH Proxy Connection closed

[16 May 2012 08:40:38,456] [Scheduled-System-Tasks-Thread-3] [INFO] [System:System:] [Memory Monitor] Total JVM (B): 414842880,Free JVM (B): 361679728,Used JVM (B): 53163152,VSize (B): 546754560,RSS (B): 490541056

[16 May 2012 08:41:23,457] [Nsh-Proxy-Thread-1] [WARN] [Anonymous:Anonymous:192.168.0.10] [BLSSOPROXY] client's IP address does not match that written into ticket: /192.168.0.10 != /192.168.2.15

[16 May 2012 08:41:23,457] [Nsh-Proxy-Thread-1] [WARN] [Anonymous:Anonymous:192.168.0.10] [BLSSOPROXY] Client's session credential was rejected

com.bladelogic.mfw.util.BlException: Client's session credential was rejected

at com.bladelogic.mfw.net.BlSessionServerConnection.authenticate(BlSessionServerConnection.java:194)

at com.bladelogic.mfw.net.BlSessionServerConnection.doHandshake(BlSessionServerConnection.java:98)

at com.bladelogic.mfw.net.BlSessionNshServerConnection.doHandshake(BlSessionNshServerConnection.java:48)

at com.bladelogic.mfw.fw.BlSessionNshProxyPair.setupClient(BlSessionNshProxyPair.java:109)

at com.bladelogic.mfw.fw.BlSessionNshProxyPair.init(BlSessionNshProxyPair.java:75)

at com.bladelogic.mfw.fw.NshProxyWorkerThread.execute(NshProxyWorkerThread.java:105)

at com.bladelogic.mfw.fw.NshProxyWorkerThread.execute(NshProxyWorkerThread.java:17)

at com.bladelogic.app.service.thread.BlBlockingThread.run(BlBlockingThread.java:92)

[16 May 2012 08:41:23,457] [Nsh-Proxy-Thread-1] [INFO] [Anonymous:Anonymous:192.168.0.10] [BLSSOPROXY] failure establishing session with proxy service

[16 May 2012 08:41:23,457] [Nsh-Proxy-Thread-1] [INFO] [Anonymous:Anonymous:192.168.0.10] [BLSSOPROXY] NSH Proxy Connection closed

One is my client's ip, the other one seems to be some network device in between ( My guess is NAT translation)

Offcource i've changed the ip's with more generic ones, but the error actually occurs on a WAN connection.

There is a validateclientip address setting in blasadmin you can turn off, or you can change your network device to pass through the actual client’s ip I think.

Hi Bill,

I've looked for that but it seems to exist only on the appserver instances. Our NSH proxy is a standalone one (a seperate appserver instance on the same server)

When trying to set them via blasadmin:

bladmin>set appserver ValidateClientIpAddress false

Attribute ValidateClientIpAddress was not found in deployment nshproxy1 (file clientConnectionService.xml does not exist).

bladmin>set appserver ValidateRequestUrl false

Attribute ValidateRequestURL was not found in deployment nshproxy1 (file clientConnectionService.xml does not exist).

bladmin>

any ideas ?

I didn't see this mentioned: are you using IP addresses or names? If names, do you have bad DNS records where one name is pointing to multiple IP addresses?

what version of BSA is this?

in my 8.2 appserver i created a new instance and selected only nsh_proxy as the type and i have the validateclientipaddress and validaterequesturl settings.

Hi Bill,

I've noticed it exists in 8.2 as well. But the environment where I have the problem is still 7.6.

Hi Joe,

I'm using names but they are correct. I really think it's the NAT device in between that causes me trouble. I have to talk to telco about it some time

then i would try and get the source ips to pass through properly to the appservers.  i checked my 7.6 env and i don't see the settings there either.  you could possibly try and run the nsh proxy w/ a config instance and see if the config's validate settings apply to the proxy part as well.