Adilkhan_174866
Oct 22, 2014

User Logout request deny???

Hi guys,

 

I am trying to get to the bottom of this issue. I am unable to establish a connection and it comes back with the error below on the F5. Could someone please identify the cause? Thanks

 

2014-10-22 16:36:30 Received User-Agent header: Mozilla%2f4.0%20(compatible%3b%20MSIE%207.0%3b%20Windows%20NT%205.1%3b%20.NET%20CLR%202.0.50727%3b%20.NET%20CLR%203.0.4506.2152%3b%20.NET%20CLR%203.5.30729).
2014-10-22 16:36:30 Received client info - Type: IE Version: 7 Platform: WinXP CPU: unknown UI Mode: Full Javascript Support: 1 ActiveX Support: 1 Plugin Support: 0
2014-10-22 16:36:30 New session from client IP 213...** (ST=West Sussex/CC=GB/C=EU) at VIP 10.132.. Listener /Common/******.app/VS-C2A-GO2-443 (Reputation=Unknown)
2014-10-22 16:36:39 Username 'adil.test'
2014-10-22 16:36:41 Following rule 'fallback' from item 'CEO AD Query' to ending 'Deny'
2014-10-22 16:36:41 Access policy result: Logon_Deny
2014-10-22 16:36:43 \N: Session deleted due to user logout request.

 

4 Replies

  • THi

    Looks like you are doing an AD auth or AD query called 'CEO AD Query' for the user 'adil.test', which is not successful and then goes to the 'fallback' branch in the APM VPE flow, ending at the 'Deny' endpoint. Thus denying the logon and closing/deleting the session.

     

    Your credentials may not be correct or the AAA (AD) server may not be properly configured in BIG-IP Access Policy. Have you set the proper credentials for the AD server in Access Policy AAA config? AD query needs credentials whilst AD Auth may not. These came to my mind first.

     

    You may need to troubleshoot a bit more. If you haven't done so yet, you can set the logging level for Access Policy to debug level (System->Logs->Configuration: Access Policy Logging). Try to log in to the virtual server again and then run an Access Policy all sessions report, and there click the correct session ID link in the report list to see the flow in more detail for troubleshooting. The debug level reveals the whole flow in detail. You will also see all relevant APM session variables and their values.

     

  • Thank you, your reply is appreciated. I have sent the relevant details to the correct department to have a visual and come back with findings. In the meantime I'll keep doing some research and start debugging as mentioned. Thank you

     

    Regards Adil

     

  • Hi,

     

    What will be the effect of doing the debug via the GUI, as mentioned above? Thanks

     

    Regards Adil

     

  • THi

    You will get much, much more information in the session report and will see how the APM flow goes in detail and where it may go wrong. Also you will see all the session variables.

     

    Another impact will be quite a bit more logging into the /var/log/apm log file, as everything APM related will also go there. It depends on how much APM related traffic there is. How much traffic and how many users do you have? Anyway, for troubleshooting you need more info. You can and should always turn the debug back to normal after resolving the issue.
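
The reading of the session report given in the first reply (which policy item took which branch to the 'Deny' ending) can be automated. The following is an added example, not part of the thread and not F5 code; the function names are hypothetical, the sample report reuses the lines quoted in the question, and the 'Logon Page' step is constructed and assumes intermediate steps are logged with "to item" in place of "to ending".

```python
import re

STAMP = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (.*)$")
USER = re.compile(r"Username '([^']*)'")
STEP = re.compile(r"Following rule '([^']*)' from item '([^']*)' to (item|ending) '([^']*)'")
RESULT = re.compile(r"Access policy result: (\S+)")

# Session report lines from the question; the 'Logon Page' line is constructed.
REPORT = r"""
2014-10-22 16:36:39 Username 'adil.test'
2014-10-22 16:36:39 Following rule 'fallback' from item 'Logon Page' to item 'CEO AD Query'
2014-10-22 16:36:41 Following rule 'fallback' from item 'CEO AD Query' to ending 'Deny'
2014-10-22 16:36:41 Access policy result: Logon_Deny
2014-10-22 16:36:43 \N: Session deleted due to user logout request.
"""

def trace_session(report):
    """Parse one session report into username, item/branch path, ending and result."""
    out = {"username": None, "path": [], "ending": None, "result": None, "ended_at": None}
    for line in report.splitlines():
        m = STAMP.match(line.strip())
        if not m:
            continue  # skip blank or non-timestamped lines
        ts, msg = m.groups()
        if (u := USER.search(msg)):
            out["username"] = u.group(1)
        elif (s := STEP.search(msg)):
            rule, item, kind, target = s.groups()
            out["path"].append((item, rule))
            if kind == "ending":
                out["ending"], out["ended_at"] = target, ts
        elif (r := RESULT.search(msg)):
            out["result"] = r.group(1)
    return out

def deny_cause(report):
    """Name the policy item and branch that sent the session to 'Deny', else None."""
    t = trace_session(report)
    if t["ending"] != "Deny" or not t["path"]:
        return None
    item, rule = t["path"][-1]
    return f"{t['username']}: item '{item}' took branch '{rule}' to Deny at {t['ended_at']}"

if __name__ == "__main__":
    print(deny_cause(REPORT))
```
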