Forum Discussion
Account lock out issue
Hello folks,
I am a newbie and trying to help a user troubleshoot his lockout issue. The detailed explanation for this goes ...
We have an ADFS VIP running on port 443 and 49443 set up through iApp. It has X-Forwarded-For and insert_x-ms-forwarded-client-IP iRules in place. The issue is a user is getting locked out every 10 minutes and we are trying to trace the real server he is connecting to. The VIP is configured with Automap as the Source Address Translation. The traffic hits the Azure proxy server, then comes to the ADFS VIP, and then it goes to the real server. Can anyone suggest how we can find which server is serving the request for that particular user? We did try tcpdump and it shows the connection from the floating IP to the real server, but then how can we find that particular user's traffic? Any input will be appreciated.
TIA..
- rafaelbn
Cirrostratus
Hello Pihu!
Since you're SNATing, you have to look inside that tcpdump for the x-forward-for with the original client's IP.
I think Wireshark's filter for this would be something like this (not sure though):
http.x_forwarded_for == 10.0.0.1
Just replace "10.0.0.1" with the client's IP and have a try.
Cheers!
- crodriguez
Ret. Employee
You can also use various different settings on tcpdump to capture both sides of the flow (in other words, both client-side and server-side). Have you checked out this article here? https://devcentral.f5.com/s/feed/0D51T00006i7iEzSAI
- Anju
Altostratus
Thank you for the input, folks. I did try to capture tcpdump end to end, but it did not help me either, since the application data is encrypted and I cannot see the client IP address in the X-Forwarded-For HTTP header. What options do I have in this case? The traffic pattern is already mentioned earlier, so there are multiple factors in play, that is what I think. And tweaking the existing ADFS setup may not be a good option, since it is working for all the other users. Any other input, please?
TIA...
- rafaelbn
Cirrostratus
Create a secondary pool with only one server in it. Create a secondary VS with the same IP as the original but with the client's IP as its source. The client will connect to and use this new VS, and it will only have one pool member in its pool.
That way you're sure which server the client is connecting to and you can further troubleshoot.
Does this help?
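The secondary pool and virtual server described above, written out as tmsh commands. This is an added example, not configuration from the thread or from the F5 iApp; all addresses and object names are placeholders, and note that because the Azure proxy sits in front of the VIP, the source address the BIG-IP sees is the proxy's, not the end user's.

```tmsh
# Constructed example (not from the thread): pin one source address to a single
# ADFS pool member by adding a second virtual server with the same destination
# but a narrower source. BIG-IP selects the virtual server with the most specific
# source match, so only that source is diverted; all other traffic keeps using
# the original iApp-created virtual server.
#
# Placeholder values, replace with your own:
#   10.1.1.100    = existing ADFS VIP address
#   10.1.1.11     = the one ADFS pool member you want to isolate
#   203.0.113.7   = address the traffic arrives from at the BIG-IP
#                   (here that is the Azure proxy, since it is in front of the VIP)

# 1. Single-member pool
create ltm pool adfs_debug_pool members add { 10.1.1.11:443 } monitor https

# 2. Virtual server: same destination as the original, source limited to one /32.
#    Attach the same profiles and iRules as the original VS (compare with
#    "list ltm virtual <original_vs_name>") so only the pool differs.
create ltm virtual adfs_debug_vs \
    destination 10.1.1.100:443 \
    source 203.0.113.7/32 \
    ip-protocol tcp \
    pool adfs_debug_pool \
    source-address-translation { type automap } \
    profiles add { tcp }

# 3. Confirm which pool member that source's connections are using.
#    The ss-server column is the pool member selected for each flow.
show sys connection cs-client-addr 203.0.113.7

# 4. Remove the debug objects when finished
delete ltm virtual adfs_debug_vs
delete ltm pool adfs_debug_pool
```

The connection-table lookup in step 3 works regardless of whether the payload is encrypted, since it matches on the TCP flow rather than on an HTTP header.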