APM modify VPE flow state

Question

Hello,&nbsp;
Within an APM access policy, if you have a basic logon page followed by an AD query to check if the username exists in a domain. If the result of the username AD Query passes, it then proceeds to AD Auth against domain ONE otherwise do an AD Auth against domain TWO&nbsp;
If a user enters an incorrect 'username' that does not match the AD query they enter the "wrong" AD auth state for domain TWO in VPE.&nbsp;
Then if the client corrects the 'username' for domain ONE, is there anyway to re-run the AD query again as there login will always then fail against domain TWO ?&nbsp;
.. or is starting a whole new session the only way to restart the VPE state ?&nbsp;
.. or is there someway to run an AD Query and/or AD Auth from within an iRule&nbsp;
Thanks for any hints.&nbsp;

seth_cooper · Answer

Hi,&nbsp;
You should be able to have the "Logon Page" and "AD Query" in a Macro and let it loop. So the workflow would be they login, hit AD Query, if name doesn't match one of the two domains then they loop back to the login page to correct the userid. You can have them loop "x" amount of times and then if it still fails then send them to a "Deny" ending.&nbsp;
Seth&nbsp;

martin_robbins · Answer

Hi,&nbsp;
Great, thanks for the answer indeed a loop does work but ..&nbsp;
.. is there anyway to add an error into the logon page if the lookups fail ?&nbsp;
I have tried setting the session variable session.logon.page.errorcode but nothing is displayed.&nbsp;
Any ideas ?&nbsp;
thanks&nbsp;

martin_robbins · Answer

Hi,&nbsp;
That's great thanks very much for your help !!!&nbsp;
Final question, do you know if within the Macro loop whether there is a counter ?&nbsp;
regards&nbsp;

seth_cooper · Answer

You can configured the Maximum Macro Loop Count in the settings for the Macro. I don't see a session variable that is available out of the box that tracks how many times the loop has happened. You could always set your own counter if needed.&nbsp;
What is your reason for the counter? Are you wanting to display or log the count?&nbsp;
Seth&nbsp;

martin_robbins · Answer

Actually I wanted to change the number of retries on one of the AD's but I created a custom variable assigment on entry to the macro and incremented it.&nbsp;
&nbsp;&nbsp;
"Loop Count Inc"&nbsp;
session.custom.auth.loop.count =  expr { [mcget {session.custom.auth.loop.count}] + 1 }&nbsp;
&nbsp;
Thanks again.&nbsp;

Forum Discussion

APM modify VPE flow state

5 Replies

F5 Container Ingress Services (CIS) and using k8s traffic policies to send traffic directly to pods

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

OWA File Upload URIs for WAF Bypass

F5 AWAF/ASM learning only from Trusted traffic?

irule execution error

Curl 7.10.5 < 8.12.0 Integer Overflow (CVE-2025-0725)

Show or List F5 XC Routes in the Web

Related Content

The State Of HTTP/2 With F5 LTM

Delivering Secure Application Services Anywhere with Nutanix Flow and F5 Distributed Cloud

Simplifying and Securing Network Segmentation with F5 Distributed Cloud and Nutanix Flow

TLS Stateful vs Stateless Session Resumption

The State of Post-Quantum Crypto (PQC) on the Web

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS