Learn how to troubleshoot issues when using SSH over CyberArk Secure Identity Access (SIA), specifically in environments where you're connecting via VPN.
It's not possible to launch SSH connections while connected to a VPN and using CyberArk SIA for authentication. This issue occurs because the IP address used to perform the MFA challenge is different from the IP address used to launch the SSH session.
To resolve this issue, disable client IP enforcement for MFA caching in the CyberArk SIA settings. This allows the system to rely on other factors than the client IP for MFA session continuity.
Log in to the CyberArk SIA Admin Portal.
Navigate to SIA – Settings – Client IP enforcement for MFA caching
Disable SSH.