This article describes the NetScaler and Shibboleth configuration details required for Service Provider initiated SAML Single Logout with NetScaler being the Service Provider (SP) and Shibboleth being the Identity Provider (IDP).
For SAML SSO configuration, refer to CTX138748 - How to Configure NetScaler as SAML Service Provider and Shibboleth as SAML Identity Provider.
This article contains the following sections:
In the Service Provider initiated logout model, the user uses the Service Provider as the portal and sends the logout request to the Service Provider. The Service Provider then sends a logout request to the IDP through the user's browser. The IDP logs out the user session and sends confirmation to the SP in a logout response; on receiving it, the SP clears the existing session and presents a logout page to the user. This flow is depicted in the following diagram:
NetScaler version 10.5 build 55.x.
Shibboleth-IdentityProvider version 2.4.2 and higher.
The Traffic Manager (TM) vserver currently retrieves the logout URL of the IDP from the assertion. This is the IDP location to which the SAML Logout Request is POSTed. If the IDP does not send this value, configure the "logoutUrl" parameter in samlAction with the logout URL; the configured value is used only when the IDP does not send logoutURL as an attribute. If the IDP sends logoutURL in the assertion, the value from the assertion is used.
Add SAML action as per the following command:
add authentication samlAction shibboleth -samlIdPCertName shib-idp-242 -samlSigningCertName nssp-cert -samlRedirectUrl "https://idp.wi.int/idp/profile/SAML2/POST/SSO" -samlUserField nameid -samlIssuerName nssp.nsi-test.com -logoutURL https://idp.wi.int/idp/profile/SAML2/POST/SLO
Configure the TM traffic action and policy with the following commands and bind the policy to the TM vserver. When the user accesses the logout page, NetScaler responds with a 200 OK containing a hidden form that carries the SAML Logout Request. The Logout Request is posted to the IDP's logout URL and, on successful logout at the IDP, the IDP posts a SAML Response back to NetScaler. On receiving the Logout Response from the IDP, NetScaler removes the aaa session and directs the user to the logout page.
add tm trafficaction logout -initiatelogout ON
add tm trafficpolicy logout "http.req.url.contains(\"logout\")" logout
Add the following configuration to the handler.xml file:
<ph:ProfileHandler xsi:type="ph:SAML2SLO"
                   inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                   outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact">
  <ph:RequestPath>/SAML2/POST/SLO</ph:RequestPath>
</ph:ProfileHandler>
The IDP metadata file should contain the following element after the <SingleSignOnService…/> element:
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.wi.int/idp/profile/SAML2/POST/SLO" />
The SP metadata file should contain the following element after the <md:AssertionConsumerService …/> element:
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://nssp.nsi-test.com/cgi/tmlogout"/>
If you want to send the LogoutUrl as an attribute in the SAML Response from Shibboleth, add the following configuration to the attribute-filter.xml file:
<afp:AttributeFilterPolicy id="logoutUrl">
  <afp:PolicyRequirementRule xsi:type="basic:ANY"/>
  <afp:AttributeRule attributeID="logoutUrl">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>
Also add the following configuration to the attribute-resolver.xml file:
<resolver:AttributeDefinition id="logoutUrl" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="logoutUrl">
  <resolver:Dependency ref="staticAttributes" />
  <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="urn:mace:dir:attribute-def:logoutUrl" />
  <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="urn:oid:2.5.4.6" friendlyName="logoutUrl" />
</resolver:AttributeDefinition>
<resolver:DataConnector id="staticAttributes" xsi:type="dc:Static">
  <dc:Attribute id="logoutUrl">
    <dc:Value>https://idp.wi.int/idp/profile/SAML2/POST/SLO</dc:Value>
  </dc:Attribute>
</resolver:DataConnector>
The following is a sample SAML logout request:
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://idp.wi.int/idp/profile/SAML2/POST/SLO" ID="_5fa98c04fb52e1b9d40b973d90d5e8d5" IssueInstant="2014-11-28T05:44:43Z" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">nssp.nsi-test.com</saml:Issuer>
  <Signature>
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
      <Reference URI="#_5fa98c04fb52e1b9d40b973d90d5e8d5">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
        <DigestValue>LE3yhSWD1kRgN2Vc51iEZSv6/RQ=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>M9/smcykeqwLpGOnR+qeocRe3jXjXCxTuQQA0e/g3lhdQMypXvvn6Iirg2DJiQ1zAkeAX7XCqkQAkDWKyGT8nwvn55aroTsJzPOYVObvQz9v0RrSuGbkqswUazZ5uLI4J7TByOq25ULIl5ehMEI4G/ENhK8F5f0UKPpktNf9axE=</SignatureValue>
    <KeyInfo><X509Data><X509Certificate>…</X509Certificate></X509Data></KeyInfo>
  </Signature>
  <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">_c362284b02861dfb8e40b025e031372e</saml:NameID>
  <samlp:SessionIndex>_24f642fcd26216bc421af33d91e686e3</samlp:SessionIndex>
  <saml:Conditions xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" NotBefore="2014-11-28T05:39:43Z" NotOnOrAfter="2014-11-28T05:49:43Z"></saml:Conditions>
</samlp:LogoutRequest>
The SessionIndex in the SAML Logout Request should be the same as the one in the SAML Response Assertion sent from IDP when the session was created.
The following is a sample SAML logout response:
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:LogoutResponse xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://nssp.nsi-test.com/cgi/tmlogout" ID="_4c9d0ad748372d11d257516598030c50" InResponseTo="_5fa98c04fb52e1b9d40b973d90d5e8d5" IssueInstant="2014-11-28T05:44:41.232Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">nssp.nsi-test.com</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_4c9d0ad748372d11d257516598030c50">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>YxJDI0uIXUH+2QgwB6auTvWBJDw=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>nelmajhH6H5F3wx2IPLd7sXXHTfejwTaE6r0zDCTifMgtIacgkJ2jwEGowj9JcWFS/RKO6skbxRIj9j4F0KF5vuen2WF71IfWfKNdRfXYWbo+/LdILD6sLhRgU/Qpr0CgFyh7RCCRWzJrGFGZIs3HcwzhRurv+UPu0dylhiG5iaNDjXJ3HhQkHQZH21pEzcbFpeW6jHce/brY7OQ5GXxQb5iSPPXetxgD+3X9/ekZKdhmXtqnPOvrbaFJeDi+5jfNhR1NCnNQyE6MwyRgTSt+uGNX33d7TinQ+3XlnFqngIuNnk4L2nS06bUMon+M6MQV6TGujBYL1i+LsLPIqsxBQ==</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>
          MIIDFDCCAfygAwIBAgIVAKYIviNfxiFU9lW64DRokfwN8b2VMA0GCSqGSIb3DQEBBQUAMBUxEzAR
          BgNVBAMMCmlkcC53aS5pbnQwHhcNMTQwOTI5MjMwMzQ3WhcNMzQwOTI5MjMwMzQ3WjAVMRMwEQYD
          VQQDDAppZHAud2kuaW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0D1He1EDxyXk
          xhjjj61JH21zBfAqHg8hiTgVuJUyu1ohMKk2qCIdqOa5XD+bdkViBaGzyGcoO6qIx54340/G6CtR
          zf+oJJxLgrTvp5dzwgGnbJ7V6r4/7sFuL7bAaBNmZ2scAVteR4pRQCb6haMEyo4khSOmt6Q1QvVS
          nygpTRfei7LOQ0ubmqXLU40HEtm6vB8geKeXmrdqd3reZT+dS2BePCJgDrFKJrLIBIKyD2uwca2u
          5ll93oyWVCjeHAS2baXcX/S5IT5ADYh/oU1zQl0sbFRzKZdbOwukHd2TtdVknpk3AEKNJ/C7pkSq
          DeFAcPdqYCj+b5eCPC9WWa2A4QIDAQABo1swWTAdBgNVHQ4EFgQU0joR/nLtsCZoCWtvh2uLXKpS
          DAYwOAYDVR0RBDEwL4IKaWRwLndpLmludIYhaHR0cHM6Ly9pZHAud2kuaW50L2lkcC9zaGliYm9s
          ZXRoMA0GCSqGSIb3DQEBBQUAA4IBAQCyk68SmIaqj5ZdqT5zF2egKYtsFDf17TXM2Gsgz1mzAL25
          nBYfLMiNMqx+WVee0Wy2R4ADS5vvVjhDwICqmzxj2K8MneEfcta9nrMW8xWbrMaWbLpE+ILoRCk+
          f1yNLa5fyXgE0phtIefAD9k7z6dArF8TPKHyOrXkEnpjmcdMGPehikheMlC4qJOwOFXPKBBgEHxk
          w8KQcYP3AGlYy0PRnZBDezMjReF2C5e/cKTUGTnazBdpgbL1VWj/CsVLUvnl2PTDz/y4KxYnDt5R
          0j2yuZx1Nwg/W8C512xyNBPpG7xORC3DBnIReSuW1SoB6WLrTLiUKvs4c4S/mnPpE7sV
        </ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
      <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal"/>
    </saml2p:StatusCode>
  </saml2p:Status>
</saml2p:LogoutResponse>
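Added example (not part of the original article or of NetScaler's code): a Python check of how a LogoutResponse must line up with the LogoutRequest it answers, run on trimmed copies of the two sample messages above. The function name check_logout_exchange and the trimming are assumptions of this example, and it assumes both signatures were already verified by an XML-DSig library.

```python
import xml.etree.ElementTree as ET

P = "urn:oasis:names:tc:SAML:2.0:protocol"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed inputs: the article's two sample messages, trimmed to the
# attributes and elements checked here (Signature, Issuer, NameID removed).
LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="' + P + '" '
    'Destination="https://idp.wi.int/idp/profile/SAML2/POST/SLO" '
    'ID="_5fa98c04fb52e1b9d40b973d90d5e8d5" Version="2.0">'
    '<samlp:SessionIndex>_24f642fcd26216bc421af33d91e686e3</samlp:SessionIndex>'
    '</samlp:LogoutRequest>')
LOGOUT_RESPONSE = (
    '<saml2p:LogoutResponse xmlns:saml2p="' + P + '" '
    'Destination="https://nssp.nsi-test.com/cgi/tmlogout" '
    'ID="_4c9d0ad748372d11d257516598030c50" '
    'InResponseTo="_5fa98c04fb52e1b9d40b973d90d5e8d5" Version="2.0">'
    '<saml2p:Status>'
    '<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">'
    '<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal"/>'
    '</saml2p:StatusCode></saml2p:Status></saml2p:LogoutResponse>')


def check_logout_exchange(request_xml, response_xml, sp_slo_url, login_session_index):
    """Return a list of findings; an empty list means the exchange is consistent.
    Assumes both signatures were already verified by an XML-DSig library."""
    req, resp = ET.fromstring(request_xml), ET.fromstring(response_xml)
    findings = []
    # The SessionIndex must be the one the IDP issued when the session was created.
    if req.findtext("{%s}SessionIndex" % P) != login_session_index:
        findings.append("SessionIndex differs from the one issued at login")
    # The response must answer this request and be addressed to the SP endpoint.
    if resp.get("InResponseTo") != req.get("ID"):
        findings.append("InResponseTo does not match the LogoutRequest ID")
    if resp.get("Destination") != sp_slo_url:
        findings.append("Destination is not the SP SingleLogoutService URL")
    # iter() walks in document order, so codes[0] is the top-level StatusCode.
    codes = [c.get("Value", "") for c in resp.iter("{%s}StatusCode" % P)]
    if not codes or codes[0] != SUCCESS:
        names = " / ".join(c.rsplit(":", 1)[-1] for c in codes) or "missing"
        findings.append("IDP status is not Success: " + names)
    return findings


if __name__ == "__main__":
    for finding in check_logout_exchange(
            LOGOUT_REQUEST, LOGOUT_RESPONSE,
            "https://nssp.nsi-test.com/cgi/tmlogout",
            "_24f642fcd26216bc421af33d91e686e3"):
        print(finding)
```

On the article's samples the only finding is the status: the LogoutResponse carries Requester / UnknownPrincipal rather than Success.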
The following are the SAML SLO counters on NetScaler:
root@ns# nsconmsg -g saml -d stats | grep logout
17 0 0 saml_parse_logout_fail
19 0 0 saml_tot_sp_init_logout
The following are the debug messages in the ns.log file:
root@ns# tail -f /var/log/ns.log
Jan 13 23:22:17 <local0.debug> 10.217.28.160 01/13/2015:23:22:17 GMT 0-PPE-0 : AAATM Message 3296 0 : "SAML: Parsed attribute: logouturl, value: https://idp.wi.int/idp/profile/SAML2/POST/SLO"
Jan 13 23:22:22 <local0.debug> 10.217.28.160 01/13/2015:23:22:22 GMT 0-PPE-1 : AAATM HTTPREQUEST 927 0 : Context _57007c730f84b76545378fd2e042fc95@10.252.112.245 - SessionId: 58- nssp.nsi-test.com User _57007c730f84b76545378fd2e042fc95 : Group(s) N/A : Vserver 10.217.28.163:443 - 01/13/2015:23:22:22 GMT GET /logout.html - -
Jan 13 23:22:22 <local0.debug> 10.217.28.160 01/13/2015:23:22:22 GMT 0-PPE-1 : AAATM Message 928 0 : "cookie idx is 15, tmaaa cookie 9, temp cookie 95"
Jan 13 23:22:22 <local0.debug> 10.217.28.160 01/13/2015:23:22:22 GMT 0-PPE-1 : AAATM Message 929 0 : "SAML: Prepare Signature, Digest Method 1, SignedInfo used for digest is <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI="#_5b0a0f6b2f6eec89cdf607eb6935af8d"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>Vd8/4X1ydJekYoWX8KMDSKZ/XWI=</ds:DigestValue></ds:Reference></ds:SignedInfo>"
Jan 13 23:22:22 <local0.debug> 10.217.28.160 01/13/2015:23:22:22 GMT 0-PPE-1 : AAATM Message 930 0 : "SAML: Prepare Signature, Signature element is <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI="#_5b0a0f6b2f6eec89cdf607eb6935af8d"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>Vd8/4X1ydJekYoWX8KMDSKZ/XWI=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Q7iXUJVE59jiSfUZeS4OPhapBNcDnAopi1dMjforxwYanl8QMiFNKOkaiCd8oqtj+YbrvskDx2jZ/RzHbC497qbJBjjo28CDX/EgPmeN1tYaVCSgMcO6xim0R1FOqWDp
Jan 13 23:22:22 <local0.debug> 10.217.28.160 01/13/2015:23:22:22 GMT 0-PPE-1 : AAATM Message 931 0 : "SAMLIDP: LogoutResponse: signature method seen is 4"
Jan 13 23:22:22 <local0.debug> 10.217.28.160 01/13/2015:23:22:22 GMT 0-PPE-1 : AAATM Message 932 0 : "SAMLIDP: LogoutResponse: digest method seen is 1"
Jan 13 23:22:22 <local0.debug> 10.217.28.160 01/13/2015:23:22:22 GMT 0-PPE-1 : AAATM Message 933 0 : "SAML verify digest: digest algorithm 1, input for digest: <saml2p:LogoutResponse xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://nssp.nsi-test.com/cgi/tmlogout" ID="_46ea47ff2626dde8a54e95c4d8163e21" InResponseTo="_5b0a0f6b2f6eec89cdf607eb6935af8d" IssueInstant="2015-01-13T23:22:18.006Z" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">nssp.nsi-test.com</saml2:Issuer><saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester"><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal"></saml2p:StatusCode></saml2p:StatusCode></saml2p:Status></saml2p:LogoutResponse>"
Jan 13 23:22:22 <local0.debug> 10.217.28.160 01/13/2015:23:22:22 GMT 0-PPE-1 : AAATM Message 934 0 : "SAML signature validation: algorithm is 4 input buffer is: <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI="#_46ea47ff2626dde8a54e95c4d8163e21"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>hk54mIw1a7WB7MqvkkPOsLJx5i4=</ds:DigestValue></ds:Reference></ds:SignedInfo>"
Jan 13 23:22:22 <local0.debug> 10.217.28.160 01/13/2015:23:22:22 GMT 0-PPE-1 : AAATM HTTPREQUEST 936 0 : Context _57007c730f84b76545378fd2e042fc95@10.252.112.245 - SessionId: 58- nssp.nsi-test.com User _57007c730f84b76545378fd2e042fc95 : Group(s) N/A : Vserver 10.217.28.163:443 - 01/13/2015:23:22:22 GMT GET /logout.html - -
Jan 13 23:22:22 <local0.debug> 10.217.28.160 01/13/2015:23:22:22 GMT 0-PPE-1 : AAATM Message 937 0 : "cookie idx is 15, tmaaa cookie 9, temp cookie -1"
Jan 13 23:22:25 <local0.debug> 10.217.28.160 01/13/2015:23:22:25 GMT 0-PPE-2 : SSLLOG SSL_HANDSHAKE_SUCCESS 1026 0 : SPCBId 561 - ClientIP 10.252.112.245 - ClientPort 50164 - VserverServiceIP 10.217.28.163 - VserverServicePort 443 - ClientVersion TLSv1.0 - CipherSuite "RC4-MD5 TLSv1 Non-Export 128-bit" - Session Reuse
Jan 13 23:22:25 <local0.debug> 10.217.28.160 01/13/2015:23:22:25 GMT 0-PPE-2 : SSLLOG SSL_HANDSHAKE_SUCCESS 1027 0 : SPCBId 563 - ClientIP 10.252.112.245 - ClientPort 50165 - VserverServiceIP 10.217.28.163 - VserverServicePort 443 - ClientVersion TLSv1.0 - CipherSuite "RC4-MD5 TLSv1 Non-Export 128-bit" - Session Reuse
Jan 13 23:22:25 <local0.debug> 10.217.28.160 01/13/2015:23:22:25 GMT 0-PPE-2 : AAATM Message 1028 0 : "mp creating session on 2, pck 1421191337, state 16"
Jan 13 23:22:25 <local0.err> 10.217.28.160 01/13/2015:23:22:25 GMT 0-PPE-2 : SSLVPN REMOVE_SESSION 1029 0 : Sessionid 58 - User _57007c730f84b76545378fd2e042fc95 - Client_ip 10.252.112.245 - Nat_ip "Mapped Ip" - Vserver_ip 10.217.28.164 - Errmsg "user initiated remove aaa session"
Jan 13 23:22:25 <local0.debug> 10.217.28.160 01/13/2015:23:22:25 GMT 0-PPE-2 : SSLVPN Message 1030 0 : "SSID 3a remove session PE : 2, owner : 0, ref : 0, exp : 0"
Jan 13 23:22:25 <local0.debug> 10.217.28.160 01/13/2015:23:22:25 GMT 0-PPE-2 : SSLVPN Message 1031 0 : "removing session 58"
Jan 13 23:22:25 <local0.debug> 10.217.28.160 01/13/2015:23:22:25 GMT 0-PPE-0 : SSLVPN Message 3309 0 : "SSID 3a remove session PE : 0, owner : 1, ref : 0, exp : 0"
Jan 13 23:22:25 <local0.debug> 10.217.28.160 01/13/2015:23:22:25 GMT 0-PPE-0 : SSLVPN Message 3310 0 : "removing session 58"
Jan 13 23:22:25 <local0.debug> 10.217.28.160 01/13/2015:23:22:25 GMT 0-PPE-0 : SSLVPN Message 3311 0 : "vpn log logout message for 58 10ms ticks 9b41c1"
Jan 13 23:22:25 <local0.info> 10.217.28.160 01/13/2015:23:22:25 GMT 0-PPE-0 : AAATM LOGOUT 3312 0 : Context _57007c730f84b76545378fd2e042fc95@10.252.112.245 - SessionId: 58- User _57007c730f84b76545378fd2e042fc95 - Client_ip 10.252.112.245 - Nat_ip "Mapped Ip" - Vserver 10.217.28.163:443 - Start_time "01/13/2015:23:22:17 GMT" - End_time "01/13/2015:23:22:25 GMT" - Duration 00:00:08 - Http_resources_accessed 0 - Total_TCP_connections 0 - Total_policies_allowed 0 - Total_policies_denied 0 - Total_bytes_send 0 - Total_bytes_recv 0 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - LogoutMethod "FreedViaDHT" - Group(s) "N/A"
Jan 13 23:22:25 <local0.debug> 10.217.28.160 01/13/2015:23:22:25 GMT 0-PPE-2 : AAATM Message 1032 0 : "SAMLSP dht-free: Core 2: freeing entry for _4f91c30925c5a15d21ed176a44690ec3"
Jan 13 23:22:25 <local0.debug> 10.217.28.160 01/13/2015:23:22:25 GMT 0-PPE-2 : AAATM Message 1033 0 : "SAMLSP updateNotification: Core 2: Logout message received for , DHT delete returned 0"
Jan 13 23:22:25 <local0.debug> 10.217.28.160 01/13/2015:23:22:25 GMT 0-PPE-0 : AAATM Message 3313 0 : "SAMLSP dht-free: Core 0: freeing entry for _4f91c30925c5a15d21ed176a44690ec3"
Jan 13 23:22:25 <local0.debug> 10.217.28.160 01/13/2015:23:22:25 GMT 0-PPE-0 : AAATM Message 3314 0 : "SAMLSP updateNotification: Core 0: Logout message received for , DHT delete returned 0"
Jan 13 23:22:25 <local0.debug> 10.217.28.160 01/13/2015:23:22:25 GMT 0-PPE-1 : SSLVPN Message 938 0 : "SSID 3a remove session PE : 1, owner : 0, ref : 0, exp : 0"
Jan 13 23:22:25 <local0.debug> 10.217.28.160 01/13/2015:23:22:25 GMT 0-PPE-1 : SSLVPN Message 939 0 : "removing session 58"
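Added example (not from the original article): a Python parser for the AAATM LOGOUT and SSLVPN REMOVE_SESSION records in the excerpt above, which pairs each removed session with the last LogoutResponse status logged before it. The sample lines are shortened copies of records from the excerpt; the function names and the single-session ordering heuristic are assumptions of this example.

```python
import re

# Constructed sample: three records from the ns.log excerpt, with the LOGOUT
# counters and the LogoutResponse XML shortened.
SAMPLE = [
    'Jan 13 23:22:22 <local0.debug> 10.217.28.160 01/13/2015:23:22:22 GMT 0-PPE-1 : '
    'AAATM Message 933 0 : "SAML verify digest: digest algorithm 1, input for digest: '
    '<saml2p:LogoutResponse InResponseTo="_5b0a0f6b2f6eec89cdf607eb6935af8d">'
    '<saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">'
    '</saml2p:StatusCode></saml2p:Status></saml2p:LogoutResponse>"',
    'Jan 13 23:22:25 <local0.err> 10.217.28.160 01/13/2015:23:22:25 GMT 0-PPE-2 : '
    'SSLVPN REMOVE_SESSION 1029 0 : Sessionid 58 - User _57007c730f84b76545378fd2e042fc95 '
    '- Client_ip 10.252.112.245 - Nat_ip "Mapped Ip" - Vserver_ip 10.217.28.164 '
    '- Errmsg "user initiated remove aaa session"',
    'Jan 13 23:22:25 <local0.info> 10.217.28.160 01/13/2015:23:22:25 GMT 0-PPE-0 : '
    'AAATM LOGOUT 3312 0 : Context _57007c730f84b76545378fd2e042fc95@10.252.112.245 '
    '- SessionId: 58- User _57007c730f84b76545378fd2e042fc95 - Client_ip 10.252.112.245 '
    '- Duration 00:00:08 - LogoutMethod "FreedViaDHT"',
]

RECORD = re.compile(r"GMT \S+ : \S+ (?P<event>\S+) \d+ \d+ : (?P<body>.*)$")
STATUS = re.compile(r'StatusCode Value="urn:oasis:names:tc:SAML:2\.0:status:(\w+)"')


def parse_audit(line):
    """Parse a LOGOUT or REMOVE_SESSION record into a dict, else return None."""
    m = RECORD.search(line)
    if not m or m["event"] not in ("LOGOUT", "REMOVE_SESSION"):
        return None
    fields = {"event": m["event"]}
    # Fields are separated by " - "; "SessionId: 58- User" has no space before the dash.
    for part in re.split(r"\s*-\s+", m["body"]):
        key, _, value = part.partition(" ")
        fields[key.rstrip(":").lower()] = value.strip('"')
    return fields


def logout_report(lines):
    """Map session id -> teardown events seen and the last IDP status before them.
    Assumption: a single-session debug capture, so log order links the two."""
    report, idp_status = {}, None
    for line in lines:
        status = STATUS.search(line) if "LogoutResponse" in line else None
        if status:
            idp_status = status.group(1)  # first match is the top-level StatusCode
        rec = parse_audit(line)
        if rec:
            entry = report.setdefault(rec["sessionid"],
                                      {"events": [], "idp_status": idp_status})
            entry["events"].append(rec["event"])
            for key in ("errmsg", "logoutmethod", "duration"):
                if key in rec:
                    entry[key] = rec[key]
    return report
```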