Sil
Jul 17, 2017

iRule How to log Access Policy error messages

We use the BIG-IP (version 11) APM module to provide single sign-on for a special web portal. Some of our users report issues with it, especially the error message "Access policy evaluation is already in progress for your current session" while they are browsing through the portal. At the moment we do not know why this happens (it seems to be sporadic) and we will analyze it later, but first we want to know how many users are affected (we can't ask them).

This is why we want to develop an iRule which produces a log message when the access policy error "Access policy evaluation is already in progress for your current session" occurs (named "Access not found page reject message" in the customization page).

How can we realize it? Or is there some other way to log this error message, so we can see how many users are affected?

We already tried something like this, but it doesn't work unfortunately:

when HTTP_REQUEST {
    # User-Agent is a request header, so save it here for use in the response events
    set userAgent [HTTP::header "User-Agent"]
}

when HTTP_RESPONSE {

    if { [HTTP::header Content-Length] > 0 } {

        # Default amount of response payload to collect (in bytes)
        set collect_length 3600

        # Trigger collection of the response payload
        HTTP::collect $collect_length
    }
}

when HTTP_RESPONSE_DATA {

    if { [HTTP::payload] contains "Access policy evaluation is already in progress for your current session" } {

        # set username (if possible), IP address, user agent
        set user [ACCESS::session data get "session.logon.last.username"]
        set ipadr [IP::client_addr]

        # output
        log local0.info "DEBUG: Access policy evaluation is already in progress -> $ipadr $userAgent"
    }
}
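
For the "how many users are affected" part of the question, log lines carrying the iRule's marker text can be tallied offline once they are being written. This is an added example, not code from the original post: only the marker string comes from the `log` statement above, while the /var/log/ltm line layout, the rule name `log_apm_error`, the addresses, the user agents and the function names are constructed assumptions.

```python
from collections import Counter

# Marker text written by the iRule's log statement on this page.
MARKER = "DEBUG: Access policy evaluation is already in progress -> "

# Constructed sample in the usual /var/log/ltm layout (assumption); host,
# rule name, addresses and user agents are made up for illustration.
_PFX = "bigip1 info tmm1[11234]: Rule /Common/log_apm_error <HTTP_RESPONSE_DATA>: "
SAMPLE_LOG = "\n".join([
    "Jul 17 09:14:02 " + _PFX + MARKER + "192.0.2.10 Mozilla/5.0 (Windows NT 6.1) Firefox/54.0",
    "Jul 17 09:14:09 bigip1 notice mcpd[5432]: constructed unrelated line",
    "Jul 17 09:20:31 " + _PFX + MARKER + "192.0.2.10 Mozilla/5.0 (Windows NT 6.1) Firefox/54.0",
    "Jul 17 10:02:44 " + _PFX + MARKER + "198.51.100.7 Mozilla/5.0 (Windows NT 6.1) Chrome/59.0",
    "Jul 17 10:03:12 " + _PFX + MARKER + "198.51.100.7 Mozilla/5.0 (Windows NT 6.1; Trident/7.0)",
    "Jul 17 11:47:55 " + _PFX + MARKER + "203.0.113.5 ",  # request had no User-Agent
])

def parse(log_text):
    """Yield (timestamp, client_ip, user_agent) for each matching log line."""
    for line in log_text.splitlines():
        idx = line.find(MARKER)
        if idx < 0:
            continue  # not written by the iRule
        ip, _, ua = line[idx + len(MARKER):].strip().partition(" ")
        if ip:
            yield line[:15], ip, ua.strip()

def report(log_text):
    """Summarise how many distinct clients hit the error page."""
    per_ip, agents, seen = Counter(), {}, {}
    for ts, ip, ua in parse(log_text):
        per_ip[ip] += 1
        agents.setdefault(ip, set()).add(ua)
        seen[ip] = (seen.get(ip, (ts, ts))[0], ts)  # (first, last) seen
    return {
        "events": sum(per_ip.values()),
        "per_ip": dict(per_ip),
        "first_last_seen": seen,
        # More than one User-Agent behind an IP hints at a shared host
        # (terminal server, proxy), so the IP count understates users.
        "shared_ips": sorted(ip for ip, a in agents.items() if len(a) > 1),
    }

if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(key, value)
```

The `shared_ips` list matters for setups like the Citrix terminal servers mentioned later in the thread, where one client address can stand for several users.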
  • P_K

    Can you provide your Access Policy screenshot from VPE?

  • Sil

    We could, and black something out, but why do you need this information? How could it help? If we have to add something to our VPE it would be no problem, we could do it.

  • P_K

    This "Access policy evaluation is already in progress for your current session" happens when there is already a session that is trying to become active, which means a user is in the process of authenticating to whatever authentication you're using through your Access Policy. I would suggest you check your inactivity timeout (default 15 mins); sometimes it throws the above kind of page (when users sit idle for 15 mins).

    Did you try whether the issue persists when removing the user session from the "Manage Sessions" page?

    Note: Do not do this during business hours, users might complain.
  • Sil

    We can't investigate when it happens because we don't become aware of it. The users report this issue to us some hours or a day later. We think it is not the inactivity timeout; the users report it while they click through the portal (with only one browser tab). So they click "here" and "here" and then from one second to the next they see this error page. We assume a problem with cookie handling, or with something special like Citrix terminal servers, but before we investigate we want to know how many users are affected. If it is only 1 user, it is a different failure situation for us than when it is 100. This is why we need log output for the error page/message.

  • P_K

    I can't think of anything except OneConnect. Try applying a OneConnect profile to your VIP? Hopefully that should fix the issue.

  • Hi,

    This message appears when you first start a session without finishing it. Then, the user tries to access the same resource on a different landing URI.

    You can define an iRule that checks if there is an existing in-progress session; if so, just remove the MRHSession and LastMRH_Session cookies from the request.

    Yann