
What is the IP Mismatch/Potential Vulnerability alert in the audit trail?

This log entry can appear when you are using the SurePassID Administration Portal and the IP address changes between requests. The message alerts you that someone may be trying to hijack the user's portal session. This can occur in several situations. The most common are:
  1. You log into the SurePassID Administration Portal from a home/remote location while connected to your corporate VPN using a split tunnel.
  2. Your company is using an outbound proxy that changes the IP address between requests.

The remedy is to view the IP addresses in the message and verify they are valid for the account. This might require you to open a ticket with your networking team. If the IPs are questionable, you can follow these steps:
  1. In the SurePassID portal, review the whitelisted IPs to see if the questionable IP is present. If so, remove it. If you have not configured the IP whitelist, you should set it up, limiting access to trusted IP ranges & individual IPs.
    1. Be aware that whitelisting IPs is very strict: IPs that are not on the list or in the range(s) in the list will not be able to communicate with the MFA server functions at all.
  2. Change the user's password.
  3. You can open a ticket with us for advice.
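
A small helper for the verification step above, added here as an example and not SurePassID code: it checks the two addresses from an alert against your trusted ranges, and lists which client addresses a strict whitelist would block before you enable it. The function names, the entry syntax (CIDR ranges and single IPs) and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress

def parse_trusted(entries):
    """Parse trusted entries ('203.0.113.0/24' or a single IP) into networks."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]

def is_trusted(ip, networks):
    """True if ip falls inside any trusted network; malformed input is untrusted."""
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return False
    return any(addr in net for net in networks)

def triage_alert(previous_ip, new_ip, networks):
    """Classify an IP-mismatch alert from the two addresses it reports.

    Returns (verdict, untrusted_ips):
      'both-trusted' - consistent with split-tunnel VPN or proxy egress changes
      'review'       - at least one address is outside the trusted ranges
    """
    untrusted = [ip for ip in (previous_ip, new_ip) if not is_trusted(ip, networks)]
    return ("review" if untrusted else "both-trusted", untrusted)

def would_be_blocked(client_ips, networks):
    """Addresses that a strict whitelist would cut off from the MFA server."""
    return [ip for ip in client_ips if not is_trusted(ip, networks)]

if __name__ == "__main__":
    # Constructed sample data (documentation address ranges, not real hosts).
    trusted = parse_trusted(["203.0.113.0/24", "198.51.100.7"])

    # Alert 1: office range -> known proxy egress address.
    print(triage_alert("203.0.113.10", "198.51.100.7", trusted))
    # Alert 2: office range -> address nobody has vetted.
    print(triage_alert("203.0.113.10", "192.0.2.55", trusted))

    # Pre-check before enabling the whitelist: which known clients would lose access?
    clients = ["203.0.113.10", "198.51.100.8", "198.51.100.7"]
    print(would_be_blocked(clients, trusted))
```

Run the pre-check against every address that legitimately talks to the MFA server before saving the whitelist, since anything it returns will be cut off.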