Forum Discussion
Access Policy Already Being Evaluated - Exchange OWA Service
This error occurs when the following sequence happens:
1. User connects to APM vip.
2. APM vip creates session and hands cookie to user in HTTP 302 redirect to "/my.policy". Now the session is started, but has not reached the "allow" or "deny" of the policy. So it is in the "in_progress" state.
3. User connects to APM vip at a URL besides "/my.policy" with the cookie from step 2.
4. APM sees this "in_progress" session and responds with that error page.
Normally this shouldn't happen, because the user should honor the redirect provided in step 2 and then go visit /my.policy to grab the logon page or whatever other items that the policy has. We do find some cases where the user opens multiple tabs or other behavior that always causes it to happen. For these cases, workaround irules can be used to detect it. Unfortunately the "in progress" error page is NOT included in normal customization (F5 RFE ID 377165), and we cannot handle multiple session creation from a single shared cookie (F5 RFE ID 439965).
This irule can be used to handle the situation for most cases. Note that customization will be required if you want other end-user behavior besides the logout page.
```tcl
# If end user accesses APM, creates a session, then does not complete
# the access policy before accessing other URLs besides "/my.policy",
# APM will produce a "session evaluation in progress" error.
#
# to reproduce this behavior:
#   visit APM URL, eg: https://apm.siterequest.com
#   see logon page
#   visit APM URL again, eg: https://apm.siterequest.com/foo
#   now error page is displayed
#
# to use the irule, simply attach it to the APM virtual server
when HTTP_REQUEST {
    if { [HTTP::cookie exists "MRHSession"] && ([ACCESS::session exists -state_inprogress] || [ACCESS::session data get "session.policy.result"] == "not_started" ) && ! [string equal "[HTTP::uri]" "/my.policy"] } {
        log -noname accesscontrol.local1.err "$static::ACCESS_LOG_PREFIX [IP::remote_addr] access [HTTP::uri] with in_progress session, redirecting to logout URI"
        HTTP::close
        # here you can do whatever you want, easiest option is to simply 302 user to logout URI to delete apm cookie and start over
        HTTP::respond 302 Location "/my.logout.php3"
    }
}
```
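The four-step sequence above can be checked offline against a request trace. The following is an added example, not part of the original post and not F5 code: it replays a constructed trace through a simplified model of the session states. The log format, field names, cookie values and the rule used to mark policy completion are all assumptions made for illustration.

```python
# Added example: replays a constructed HTTP trace against a simplified model of
# the APM session states described in the post. The log format and the
# state-transition rules are assumptions, not F5's implementation.

POLICY_URI = "/my.policy"

# Constructed trace: time client uri cookie_sent status cookie_set location ("-" = none)
SAMPLE_TRACE = """\
09:00:01 10.0.0.5 /owa - 302 aaa111 /my.policy
09:00:01 10.0.0.5 /my.policy aaa111 200 - -
09:00:02 10.0.0.5 /favicon.ico aaa111 200 - -
09:00:20 10.0.0.5 /my.policy aaa111 302 - /owa
09:00:21 10.0.0.5 /owa aaa111 200 - -
09:05:00 10.0.0.9 /owa - 302 bbb222 /my.policy
09:05:03 10.0.0.9 /owa/ bbb222 200 - -
"""

FIELDS = ("time", "client", "uri", "cookie", "status", "set_cookie", "location")

def parse(trace):
    """Yield one dict per well-formed line; '-' becomes None."""
    for line in trace.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # skip malformed lines
        yield {k: (None if v == "-" else v) for k, v in zip(FIELDS, parts)}

def find_in_progress_hits(trace):
    """Return requests that present an in-progress session cookie on a URI
    other than /my.policy (the condition the iRule tests for)."""
    state = {}  # MRHSession value -> "in_progress" | "established"
    hits = []
    for r in parse(trace):
        sid = r["cookie"]
        # Judge the request against the state as it was before this response.
        if sid and state.get(sid) == "in_progress" and r["uri"] != POLICY_URI:
            hits.append((r["time"], r["client"], r["uri"]))
        # Step 2: a new session cookie is handed out with a 302 to /my.policy.
        if r["set_cookie"] and r["status"] == "302" and r["location"] == POLICY_URI:
            state[r["set_cookie"]] = "in_progress"
        # Assumption: a 302 from /my.policy to another location ends evaluation.
        elif (sid and r["uri"] == POLICY_URI and r["status"] == "302"
              and r["location"] != POLICY_URI):
            state[sid] = "established"
    return hits

if __name__ == "__main__":
    for hit in find_in_progress_hits(SAMPLE_TRACE):
        print("in_progress session used outside /my.policy:", *hit)
```

In the constructed trace, the first hit is a background request made while the logon page is still open, and the second is a client that ignored the redirect to /my.policy.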
- Nfordhk_66801 | Mar 25, 2016 | Nimbostratus
Thanks for helping but I'm not sure the behavior is occurring as you describe. I will access the vip, go idle, I can come back to it at another time, refresh my page and get the error. Attempting to access the root url vip produces the error. I can also access the vip, complete my tasks and exit the tab, then attempt to access the vip at another time from the root url and see the error. The error usually only produces after a significant gap.
- Lucas_Thompson_ | Mar 25, 2016 | Historic F5 Account
Have you performed any packet captures or traffic analysis to determine the steps your device is taking to get to the result? The "already in progress" error only happens if the session is in that state and something besides "my.policy" is accessed. It could be even that your client device is making requests in the background.
- Misty_Spillers | Jul 20, 2018 | Nimbostratus
Hi Lucas, So far I have had the best luck with your iRule on this issue, but for me it doesn't matter if you have tabs open or not. Without your iRule I always get "Access Policy Already Being Evaluated".
However with your iRule, sometimes browsers (doesn't seem to matter which) get caught in a loop.
So the first time you go to OWA everything is fine, you can login/logout no issues. Then close your browser, go back the next day and you can see the browser try to go to /OWA and then it sends you to the F5 logout page. Click start session, again it tries to go to /OWA and gets redirected to the logout page. This goes on and on and only some weird mix of keep trying and clearing cache seems to break the cycle. Anyone know why? APM is version BIG-IP 12.1.2 Build 2.0.276 Hotfix HF2 iApp is