
Okta Re-Authentication Prompts Occur After Enabling Bind Admin Session to ASN

Administration
Okta Classic Engine
Okta Identity Engine

Overview

Administrators experience frequent re-authentication prompts after enabling the Bind Admin Session to the Autonomous System Number (ASN) feature. This issue occurs when a Virtual Private Network (VPN) provider assigns an initial ASN, and a proxy agent attempts to assign a different ASN, triggering a roaming session denial. Allow traffic to the Okta domain to prevent the proxy agent from pushing a new ASN and resolve the re-authentication prompts.

Applies To

  • Okta Identity Engine (OIE)
  • Okta Classic Engine
  • Admin Console

Cause

When a machine connects to a VPN and runs a proxy agent, the VPN provider initially assigns an ASN. The proxy agent then attempts to assign a different ASN. This ASN change causes Okta to prompt for re-authentication. Examples of proxy agents include Netskope or Zscaler; however, these are examples only, and administrators should use a tool that best fits organizational guidelines.

Solution

How is the re-authentication prompt resolved?

 

Verify the presence of a roaming session in the System Log using a specific search query, and then allow traffic to the Okta domain to stop the proxy agent from pushing a new ASN.

  1. Navigate to the System Log in the Okta Admin Console.
  2. Enter the following search query to verify if a roaming session denial exists:

     eventType eq "security.session.detect_client_roaming" and outcome.result eq "DENY"

  3. Allow traffic to *Okta.com within the proxy agent configuration to prevent the proxy agent from pushing the new ASN.
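To confirm that the denials found by the query line up with an ASN switch, the following added example (not Okta's code) reads System Log events exported as JSON and pairs each roaming DENY with the ASN last seen for the same administrator. It assumes the export carries the System Log fields actor.alternateId, client.ipAddress and securityContext.asNumber/asOrg; the function name, sample events, ASNs and addresses are constructed for illustration.

```python
import json

ROAMING = "security.session.detect_client_roaming"

# Constructed sample export (not real log data); ASNs and IPs are documentation ranges.
SAMPLE_EVENTS = json.loads("""[
 {"published":"2024-01-01T09:00:00.000Z","eventType":"user.session.start",
  "outcome":{"result":"SUCCESS"},"actor":{"alternateId":"admin@example.com"},
  "client":{"ipAddress":"198.51.100.10"},
  "securityContext":{"asNumber":64500,"asOrg":"example-vpn"}},
 {"published":"2024-01-01T09:05:00.000Z","eventType":"security.session.detect_client_roaming",
  "outcome":{"result":"DENY"},"actor":{"alternateId":"admin@example.com"},
  "client":{"ipAddress":"203.0.113.20"},
  "securityContext":{"asNumber":64501,"asOrg":"example-proxy"}},
 {"published":"2024-01-01T09:06:00.000Z","eventType":"user.session.start",
  "outcome":{"result":"SUCCESS"},"actor":{"alternateId":"admin@example.com"},
  "client":{"ipAddress":"203.0.113.20"},
  "securityContext":{"asNumber":64501,"asOrg":"example-proxy"}},
 {"published":"2024-01-01T09:20:00.000Z","eventType":"security.session.detect_client_roaming",
  "outcome":{"result":"DENY"},"actor":{"alternateId":"admin@example.com"},
  "client":{"ipAddress":"198.51.100.10"},
  "securityContext":{"asNumber":64500,"asOrg":"example-vpn"}},
 {"published":"2024-01-01T09:10:00.000Z","eventType":"policy.evaluate_sign_on",
  "outcome":{"result":"DENY"},"actor":{"alternateId":"bob@example.com"},
  "client":{"ipAddress":"198.51.100.11"},
  "securityContext":{"asNumber":64500,"asOrg":"example-vpn"}}
]""")

def roaming_denials(events):
    """Pair each roaming DENY with the ASN last seen for the same actor."""
    last_seen, findings = {}, []
    for ev in sorted(events, key=lambda e: e["published"]):
        actor = ev["actor"]["alternateId"]
        ctx = ev.get("securityContext") or {}
        current = (ctx.get("asNumber"), ctx.get("asOrg"))
        if ev["eventType"] == ROAMING and ev["outcome"]["result"] == "DENY":
            findings.append({"time": ev["published"], "actor": actor,
                             "ip": ev["client"]["ipAddress"],
                             "previous": last_seen.get(actor), "denied": current})
        if current[0] is not None:
            last_seen[actor] = current  # track the ASN of the latest request
    return findings

if __name__ == "__main__":
    for f in roaming_denials(SAMPLE_EVENTS):
        print(f"{f['time']} {f['actor']} {f['ip']}: {f['previous']} -> {f['denied']}")
```

An administrator whose denials alternate between the same two ASNs matches the VPN and proxy agent pattern described under Cause.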
