APM :: Async Error :: Session deleted due to user inactivity
Anybody run into this error before? Been chasing "Session deleted due to user inactivity" when the user swears that it disconnects in the middle of their session while they are actively working. Saw this in the informational logs and wondered if it was related... 2018-03-29 01:29:19 /Common/main:Common:xxxxxxxx: {61b5.C} An exception is thrown: AsyncError:1: SuppliedUnexpectedAny
APM inactivity timeout redirect or notification page for LTM + APM connections
Background on this: Have a customer that is publishing a Microsoft CRM instance behind APM and doing KCD with smart card auth. Access policy works fine, KCD works fine, web app works fine. The only problem we have is the inactivity timeout setting. Once the limit has been reached, the session is removed and content is no longer sent to the user in a very abrupt fashion. This is a problem because ALOT of the page is cached on the clients workstation and all they see is broken JPEGs and incomplete web content. Once they click around they are re authenticated but it is not pretty. I want to find a way to notify the user they have been inactive for a certain amount of time, send a HTTP 200 response with content notifying them with a link to click on to re authenticate. The option of increasing the inactive timeout is not an option due to their access session license limit. There would be alot of abandoned sessions that would aggregate potentially going over this limit. I know with webtop and ssl vpn, you get a notification that you are about to be logged out due to inactivity but this doesn't seem to be available for LTM + APM policies. This is what I have so far, there has to be a more efficient way of doing this though. when ACCESS_SESSION_STARTED { set ::EXPIRE "false" } when ACCESS_SESSION_CLOSED { log local0. "Session has been closed" set ::EXPIRE "true" } when HTTP_RESPONSE { if {$::EXPIRE equals "true"} { HTTP::respond 200 content " You've Been Logged out due to inactivity You have been logged out due to inactivity Thanks for Using the application Click to log back in. " } }
F5 APM VPN TCP session Timeout
There are lot of documents and articles that talk about changing the timeouts for TCP profiles. None of the options appear to apply to tcp sessions that are created inside an SSL VPN terminating on the APM. I have changed the base tcp protocol timeouts to be 3600 seconds on the Access Profile, but, the APM will issue an RST at 300 seconds for any idle tcp sessions created by a remote access user. Access Profile: Profile TCP: The tcp profiles are applied to VIPs. There is a VIP associated with the Access Policy for the VPN, but the issue isn't the VPN itself timeout, but tcp sessions initiated by the user over the VPN or initiated by the server over the VPN once established . I can't see any way to apply a tcp profile to these connections. Can the timeout be changed?
How to refresh configuration changes
Can some tell me, when you make a change to TCP protocol (in my case IDLE TIMEOUT and Keep Alive Interval) when those new values take affect after I click the update button? Is it dynamic and any new connection would then connect with the new rules, or do i need to take the resource out of the pool and then put it back in for the new setting to take affect? I'm trying to adjust settings so long lived connections do not timeout, but I don't seem to see a difference if I increase the idle timeout to one minute longer than the default. This tells me my changes are not taking affect. Currently the defaults are in place (300/1800). I have a client that times out at 5 minutes, which makes sense with the 300 Idle timeout default. But if I change it to 360 it should timeout at 6 minutes. But it stays at 5 minute time out? My F5 Admin, doesn't seem to know the answer to this?!
WebTop inactivity timer based off of webtop link activity?
Hello All, We are working on setting up the WebTop and have configured a few WebTop links on it. Everything seems to work as I would expect except for the inactivity timeout. We have the access profile inactivity timeout set to the 15 minute default (900 Seconds) which works except I would like to figure out a way for that timer to be reset when there is activity on another tab that was launched from the WebTop? The issue is a user will login to the WebTop and access one of the WebTop links. They will be working on that tab for over 15 minutes and then when they switch back to the WebTop tab they need to login again. So is the only answer to extend the inactivity timeout or is there a more clever way to make sure activity from any launched WebTop application will extend the inactivity timer? Thanks for your help. Nolan
