This article explains a possible cause for admins getting frequent re-authentication prompts after enabling the Bind Admin Session to the ASN General Availability (GA) feature.
- Admin Console
If a machine is connected to a VPN and also has a proxy agent installed on it (Netskope, Zscaler), the VPN provider initially assigns an Autonomous System Number (ASN), and the proxy agent then also tries to assign an ASN. The resulting change in ASN causes re-authentication.
When ASN Binding is enabled and the ASN changes, a Roaming session entry should appear in the System Logs.
To verify this, use the following search query:
eventType eq "security.session.detect_client_roaming" and outcome.result eq "DENY"
To prevent re-authentication, allow traffic to *Okta.com, which will stop the Proxy agent from pushing the new ASN.
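For triage across several admins, the same condition can be applied to exported System Log events. The following is an added example, not Okta's own code: it assumes the events were exported as JSON carrying the System Log fields `actor.alternateId`, `securityContext.asNumber` and `securityContext.asOrg`. The function name and the sample events are constructed for illustration.

```python
import json
from collections import defaultdict

ROAMING = "security.session.detect_client_roaming"

# Constructed sample events (not real data); ASNs are from the private-use range.
SAMPLE_EVENTS = json.loads("""
[
 {"eventType": "user.session.start", "outcome": {"result": "SUCCESS"},
  "actor": {"alternateId": "admin@example.com"},
  "securityContext": {"asNumber": 64512, "asOrg": "example-vpn"}},
 {"eventType": "security.session.detect_client_roaming", "outcome": {"result": "DENY"},
  "actor": {"alternateId": "admin@example.com"},
  "securityContext": {"asNumber": 64513, "asOrg": "example-proxy"}},
 {"eventType": "user.session.start", "outcome": {"result": "SUCCESS"},
  "actor": {"alternateId": "admin@example.com"},
  "securityContext": {"asNumber": 64512, "asOrg": "example-vpn"}},
 {"eventType": "security.session.detect_client_roaming", "outcome": {"result": "DENY"},
  "actor": {"alternateId": "admin@example.com"},
  "securityContext": {"asNumber": 64513, "asOrg": "example-proxy"}},
 {"eventType": "user.session.start", "outcome": {"result": "SUCCESS"},
  "actor": {"alternateId": "other@example.com"},
  "securityContext": {"asNumber": 64512, "asOrg": "example-vpn"}}
]
""")


def summarize_roaming(events):
    """Per actor: denied roaming count plus every ASN/org their events arrived from."""
    seen = defaultdict(lambda: {"denied_roaming": 0, "asns": {}})
    for ev in events:
        actor = (ev.get("actor") or {}).get("alternateId", "unknown")
        sec = ev.get("securityContext") or {}
        if sec.get("asNumber") is not None:
            seen[actor]["asns"][sec["asNumber"]] = sec.get("asOrg", "")
        # Same condition as the System Log query in the article.
        if (ev.get("eventType") == ROAMING
                and (ev.get("outcome") or {}).get("result") == "DENY"):
            seen[actor]["denied_roaming"] += 1
    # Report only actors with denied roaming events; more than one ASN for such
    # an actor is consistent with the VPN/proxy ASN change described above.
    return {a: {"denied_roaming": s["denied_roaming"],
                "asns": dict(sorted(s["asns"].items()))}
            for a, s in seen.items() if s["denied_roaming"]}


if __name__ == "__main__":
    for actor, info in summarize_roaming(SAMPLE_EVENTS).items():
        print(actor, info["denied_roaming"], info["asns"])
```

An admin who shows denied roaming events and two alternating ASNs, one belonging to the VPN provider and one to the proxy vendor, matches the cause this article describes.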
