Forum Discussion
Access Policy Already Being Evaluated - Exchange OWA Service
This error occurs when the following sequence happens:
1. User connects to APM vip.
2. APM vip creates session and hands cookie to user in HTTP 302 redirect to "/my.policy". Now the session is started, but has not reached the "allow" or "deny" of the policy, so it is in the "in_progress" state.
3. User connects to APM vip at a URL besides "/my.policy" with the cookie from step 2.
4. APM sees this "in_progress" session and responds with that error page.
Normally this shouldn't happen, because the user should honor the redirect provided in step 2 and then go visit /my.policy to grab the logon page or whatever other items that the policy has. We do find some cases where the user opens multiple tabs or other behavior that always causes it to happen. For these cases, workaround irules can be used to detect it. Unfortunately the "in progress" error page is NOT included in normal customization (F5 RFE ID 377165), and we cannot handle multiple session creation from a single shared cookie (F5 RFE ID 439965).
This irule can be used to handle the situation for most cases. Note that customization will be required if you want other end-user behavior besides the logout page.
```tcl
# If end user accesses APM, creates a session, then does not complete
# the access policy before accessing other URLs besides "/my.policy",
# APM will produce a "session evaluation in progress" error.
#
# to reproduce this behavior:
#   visit APM URL, eg: https://apm.siterequest.com
#   see logon page
#   visit APM URL again, eg: https://apm.siterequest.com/foo
#   now error page is displayed
#
# to use the irule, simply attach it to the APM virtual server
when HTTP_REQUEST {
    # Match: APM cookie present, session not yet at allow/deny, and the request is not for /my.policy
    if { [HTTP::cookie exists "MRHSession"] && ([ACCESS::session exists -state_inprogress] || [ACCESS::session data get "session.policy.result"] == "not_started" ) && ! [string equal "[HTTP::uri]" "/my.policy"] } {
        # $static::ACCESS_LOG_PREFIX is not set in this iRule; it must already be defined elsewhere
        log -noname accesscontrol.local1.err "$static::ACCESS_LOG_PREFIX [IP::remote_addr] access [HTTP::uri] with in_progress session, redirecting to logout URI"
        HTTP::close
        # here you can do whatever you want, easiest option is to simply 302 user to logout URI to delete apm cookie and start over
        HTTP::respond 302 Location "/my.logout.php3"
    }
}
```
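An added example (not part of the original post and not F5 code): a Python script that summarizes the log lines written by the iRule above, showing which URIs and which clients keep hitting in-progress sessions. The syslog header and the `LOGPREFIX` token in the sample lines are constructed placeholders, since the value of `$static::ACCESS_LOG_PREFIX` is not shown on the page.

```python
import re
from collections import Counter, defaultdict

# Matches the message body written by the iRule's log statement:
#   "<prefix> <client ip> access <uri> with in_progress session, redirecting to logout URI"
# The optional "%<n>" allows for a route-domain suffix on the client address.
LINE_RE = re.compile(
    r"(?:^|\s)(?P<ip>[0-9a-fA-F:.]+(?:%\d+)?) access (?P<uri>\S+) "
    r"with in_progress session, redirecting to logout URI\s*$"
)

def parse(lines):
    """Yield (client_ip, uri_path) for every line produced by the iRule."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            # Drop the query string so requests to one endpoint group together.
            yield m.group("ip"), m.group("uri").split("?", 1)[0]

def summarize(lines, repeat_threshold=3):
    """Return (hits per URI path, clients with >= repeat_threshold hits)."""
    by_uri = Counter()
    by_client = defaultdict(int)
    for ip, path in parse(lines):
        by_uri[path] += 1
        by_client[ip] += 1
    repeat = {ip: n for ip, n in by_client.items() if n >= repeat_threshold}
    return by_uri, repeat

# Constructed sample input: header fields and LOGPREFIX are placeholders.
SAMPLE = """\
Mar  3 10:15:02 bigip1 err tmm[12345]: LOGPREFIX 192.0.2.10 access /owa/ev.owa?oeh=1 with in_progress session, redirecting to logout URI
Mar  3 10:15:02 bigip1 err tmm[12345]: LOGPREFIX 192.0.2.10 access /owa/ev.owa?oeh=1&ns=x with in_progress session, redirecting to logout URI
Mar  3 10:15:03 bigip1 err tmm[12345]: LOGPREFIX 192.0.2.10 access /favicon.ico with in_progress session, redirecting to logout URI
Mar  3 10:16:40 bigip1 err tmm[12345]: LOGPREFIX 198.51.100.7 access /foo with in_progress session, redirecting to logout URI
Mar  3 10:17:00 bigip1 notice tmm[12345]: unrelated line
""".splitlines()

if __name__ == "__main__":
    uris, repeat_clients = summarize(SAMPLE)
    for path, count in uris.most_common():
        print(f"{count:4d}  {path}")
    for ip, count in sorted(repeat_clients.items()):
        print(f"repeat client {ip}: {count} redirects")
```

URIs that dominate the summary are the requests arriving before the policy completes, which is where any customization beyond the logout redirect would be targeted.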