Forum Discussion

elfasso_137228
Oct 21, 2015

LDAP via iAPP <> timeout problems

Hi,


I set up loadbalancing for LDAP a while ago. I am using the LDAP iAPP on my pair of viprion guests (11.6.0 HF5).


The LDAP guys are now experiencing problems with their LDAP sessions timing out after 300 seconds. I think I figured out that the timeout is due to the internal NAT timeout of the BigIP. The timers are set to indefinite... but the internal max timeout seems to be 300 secs.


In my opinion it has to be a problem with the LDAP configuration. A session that stays up for over 300 secs without sending a single packet does not seem to be a good thing to me. But unfortunately I know only a little about LDAP configuration.


So how can I fix the problem?


Is there any possibility to configure a longer timeout for LDAP on the F5?


Does the LDAP team have to change anything?


Thanks in advance


Regards,


Thorsten


  • Fred_Slater_856
    Historic F5 Account

    The iApp attaches a tcp profile to the ldap virtual, with a default timeout of 300 seconds. It's a good bet that you could solve your problem by extending that. You can customize that tcp profile either by changing the iApp code or by (gulp) turning off strictness and changing the profile directly. The problem with the latter is that it will change back if you ever use the iApp again. Here's how to do things right by modifying the iApp.


    1. Go to the iApp templates menu and click on the f5.ldap iApp.
    2. Click the "Copy" button at the bottom of the window, below all of the iApp code.
    3. You should see "Copy_of_f5.ldap" in the Template name field. Rename it if you wish.
    4. Search the page (Ctrl-F) for the words "create ltm profile tcp". There are 4 occurrences--2 relevant to the client side and 2 relevant to the server side. The code makes it obvious which is which, even if you don't read Tcl.
    5. To set the timeout to 1800 seconds, on the line after each occurrence, before the right square bracket, add the words "idle-timeout 1800". The first one should look like: default-from tcp-lan-optimized idle-timeout 1800] }
    6. Save
    7. Navigate to your deployed iApp and click the Reconfigure tab.
    8. Next to the Template field, click "Change" and select the template that you just modified.
    9. Click Finished to redeploy the iApp with the new timeout values.
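As an added illustration (not code from the f5.ldap template or from Fred's post), this is the shape the four tcp-profile creations take once step 5 is applied, with the timeout held in a single variable so a later change is made in one place; the $app variable, the client_mode variable and the profile names are assumptions, the real template uses its own names and its own LAN/WAN branching:

```tcl
# Added illustration, not the f5.ldap template's own code.
# Assumed: $app holds the iApp instance name and $client_mode / $server_mode
# hold the LAN/WAN answers from the template's presentation section.
set ldap_idle_timeout 1800   ;# seconds; a BIG-IP tcp profile defaults to 300

# Client side: the profile applied to the LDAP clients' connections.
# Without idle-timeout, an LDAP bind that sits silent for 300 s is dropped
# by the BIG-IP connection table even though the client keeps the socket.
if { $client_mode eq "lan" } {
    tmsh::create ltm profile tcp ${app}_clientside_tcp \
        defaults-from tcp-lan-optimized idle-timeout $ldap_idle_timeout
} else {
    tmsh::create ltm profile tcp ${app}_clientside_tcp \
        defaults-from tcp-wan-optimized idle-timeout $ldap_idle_timeout
}

# Server side: the connection to the pool members. Keep it at least as long
# as the client side; if the server side expired first, the pool-member
# connection would close and the client would still see its session drop.
if { $server_mode eq "lan" } {
    tmsh::create ltm profile tcp ${app}_serverside_tcp \
        defaults-from tcp-lan-optimized idle-timeout $ldap_idle_timeout
} else {
    tmsh::create ltm profile tcp ${app}_serverside_tcp \
        defaults-from tcp-wan-optimized idle-timeout $ldap_idle_timeout
}
```

Because the value lives in the template rather than in a profile edited with strictness off, it survives a later Reconfigure of the deployed iApp.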
  • Hi Fred,


    thanks for your answer. I just used the gulp-method ;) to find out if that's the idle timeout that causes my problem. Result: It is.


    I did not know until now that you can easily clone an iAPP and change the parameters that suit your purposes. I have a little knowledge about TCL, but the colleague in my team that does all the scripting knows TCL very well.


    You helped me a lot.


    Thanks,


    Thorsten