F5 loadbalancer and session timeout in ASP application
Hello, I have a problem with F5 loadbalancer and session timeout in ASP application. We have F5 in our company for a few days. Since then, there is a problem with session timeout. ASP app has 30min timeout set but keeps logging off already after a few minutes. This phenomenon didn't occur with Windows loadbalancer.
2K Views | 0 likes | 15 Comments

controlling APM access policy from iRule
i'm trying to influence the access policy to use a different path through the VPE based on a variable set in an irule with ACCESS::session data set. the VPE has an element with some branch rules and expressions like expr { [mcget {session.tst.choice}] == 1}. it seems you can only successfully use this by setting the variable with ACCESS::session data set during the handling of HTTP_REQUEST on /my.policy (this was enabled with ACCESS::restrict_irule_events disable in CLIENT_ACCEPTED). is that correct or am i missing something?
999 Views | 0 likes | 8 Comments

What session variables does the citrix login prompt write to
We're using the citrix login prompt APM module in v12. The only setting visible is the Citrix Authentication Type of either domain-only or two-factor. If I use two factor, what session variable does the extra field write into?
Solved | 913 Views | 0 likes | 6 Comments

Can I use the F5 for Rate Limiting?
I had been looking at the Session Tracking in ASM previously hoping that it would be able to perform rate limiting. Unfortunately it seems that in order for any lockout to occur via Session Tracking in ASM, a threshold of policy violations needs to be triggered. This is a great feature, however not what I am looking for. In the event that a user is spamming or replaying valid requests back to the application, we would want to lock out that user or at least slow them down. Is there some way that the F5 can be utilised to perform rate limiting from an individual, e.g. session based, etc.?
Solved | 799 Views | 0 likes | 1 Comment

Kill an APM session after policy completes successfully
Hi, I have a bizarre question. How would I be able to kill an APM session a few seconds after the access policy completes? I have a max session timeout of 300 (5min) to allow the user to complete the steps of a policy, which is to allow a SAML IdP Chain to occur. Once that has finished, and the SAML assertion is sent to the SP, I want to end the session rather than waiting for it to time out. The F5 isn't proxying any applications, it's just helping authenticate. I had a look at session.max_session_timeout, but it appears that can only be modified in the ACCESS_SESSION_STARTED event. I also tried ACCESS::SESSION remove in the ACCESS_ACL_ALLOWED and ACCESS_POLICY_COMPLETED events, but that just ends the session right then and there. Any ideas how it can be done?
Regards, Simon
Solved | 659 Views | 0 likes | 1 Comment

table command causing abort of rule event HTTP_REQUEST
Hello everyone,

This is my first dig into iRules, and I'm hitting an issue with the table command that is aborting my rule. I'm essentially trying to rate limit requests per URI per ASPNET Session ID. I've been working with the iRule for a couple days, so I know it's not at its best and has excessive logging (for the purposes of figuring this out). I'm testing with a backend server that doesn't use ASP, so I'm setting it statically in the iRule as a failsafe for now. I'm building that up now for testing.. but hit some snags. The main issue is the table command aborting the rule execution. I was originally putting many of the table lookups directly into the if statements, but I was able to resolve an abort earlier in the rule by setting to a variable first.

Here are the logs:

```
[admin@LTM1:ModuleNotLicensed:Active:Standalone] ~ tail /var/log/ltm
Jun 6 11:07:23 LTM1 info tmm1[8579]: 01220009:6: Pending rule event HTTP_REQUEST aborted for 192.168.21.102:58079->10.202.20.170:80 (listener: /Common/Drupal_HTTP)
Jun 6 11:07:23 LTM1 info tmm[8579]: Rule /Common/JSESSIONRateLimit : iRule_Rate-Limiter: HTTP_REQUEST Matched
Jun 6 11:07:23 LTM1 info tmm[8579]: Rule /Common/JSESSIONRateLimit : iRule_Rate-Limiter: No session cookie found. Quitting..
Jun 6 11:07:23 LTM1 info tmm[8579]: Rule /Common/JSESSIONRateLimit : iRule_Rate-Limiter: Got URI, /drupal/themes/garland/images/bg-content-right.png, making key: session1_/drupal/themes/garland/images/bg-content-right.png
Jun 6 11:07:23 LTM1 info tmm[8579]: 01220009:6: Pending rule event HTTP_REQUEST aborted for 192.168.21.102:58080->10.202.20.170:80 (listener: /Common/Drupal_HTTP)
Jun 6 11:07:23 LTM1 info tmm1[8579]: Rule /Common/JSESSIONRateLimit : iRule_Rate-Limiter: HTTP_REQUEST Matched
Jun 6 11:07:23 LTM1 info tmm1[8579]: Rule /Common/JSESSIONRateLimit : iRule_Rate-Limiter: No session cookie found. Quitting..
Jun 6 11:07:23 LTM1 info tmm1[8579]: Rule /Common/JSESSIONRateLimit : iRule_Rate-Limiter: Got URI, /drupal/themes/garland/images/bg-content-right.png, making key: session1_/drupal/themes/garland/images/bg-content-right.png
Jun 6 11:07:23 LTM1 info tmm1[8579]: Rule /Common/JSESSIONRateLimit : iRule_Rate-Limiter: Matched second else.. not following conditionals.
Jun 6 11:07:23 LTM1 info tmm1[8579]: 01220009:6: Pending rule event HTTP_REQUEST aborted for 192.168.21.102:58081->10.202.20.170:80 (listener: /Common/Drupal_HTTP)
```

Here is the rule:

```
when HTTP_REQUEST {
    log local0. "iRule_Rate-Limiter: HTTP_REQUEST Matched"
    set maxReqs 5
    set cooldownTimer 30
    set sampleTimer 30
    set timeout 30
    if { [HTTP::cookie exists "ASP.NET_SessionId"] } {
        set aspid [HTTP::cookie ASP.NET_SessionId]
        log local0. "iRule_Rate-Limiter: SESSION Cookie present: $aspid"
    } else {
        log local0. "iRule_Rate-Limiter: No session cookie found. Quitting.."
        pool Drupal_Pool
        event HTTP_REQUEST disable
        set aspid "session1"
    }
    set reqURI [string tolower [HTTP::uri]]
    set key "$aspid"
    append key "_$reqURI"
    log local0. "iRule_Rate-Limiter: Got URI, $reqURI, making key: $key"
    set onCooldown [table lookup -subtable "Cooldowns" $key]
    if { $onCooldown != "" } {
        log local0. "iRule_Rate-Limiter: Key: $key is already on cooldown, sending HTTP:429 status code."
        HTTP::respond 429
    } else {
        log local0. "iRule_Rate-Limiter: Matched second else.. not following conditionals."
        set currCount [table add $key 1]
        if { $currCount == "" } {
            table set $key 1 $timeout $sampleTimer
            log local0. "iRule_Rate-Limiter: First attempt for $key, adding to table for tracking."
        } else {
            if { ($currCount <= $maxReqs) } {
                table incr $key 1
                incr currCount
                log local0. "iRule_Rate-Limiter: $key not on timeout, but not first request. Incrementing count to $currCount in session table."
            } else {
                HTTP::respond 429
                table set -subtable "Cooldowns" $key "yes" $timeout $cooldownTimer
                log local0. "iRule_Rate-Limiter: $key triggered cooldown with $currCount attempts. Adding to cooldown table."
            }
        }
    }
}
```

Note that the rule is aborting at this line of code (line 31):

```
set currCount [table add $key 1]
```

Any help here is greatly appreciated, as I can't find anything outlining why this occurs. It's a small rule, and a simple lookup so I don't see why it would cause the rule to suspend indefinitely.

Thanks!
Ryan
625 Views | 0 likes | 8 Comments

APM already active session error when changing landing URI
for a customer we setup APM with several landing URI to take different routes through the access policy. but of course the users sometimes make the mistake to enter https://apm.domain.com instead of using the correct landing URI, https://apm.domain.com/uri1. they can't correct this within the same session because then they get the "Access policy evaluation is already in progress for your current session." error screen. only workaround is closing the browser, which is annoying. i tried to solve this on that error screen, but that doesn't appear possible (in 11.2.1 and 11.4.0). so i created this iRule to solve it, perhaps it comes in handy for others.

this iRule works in 11.4:

```
when HTTP_REQUEST {
    set sid [ACCESS::session sid]
    switch -glob [HTTP::uri] {
        "/uri1*" -
        "/uri2*" {
            if {$sid != ""} {
                log local0. "request for /uri* and active session, remove session and redirect"
                ACCESS::session remove
                HTTP::redirect [HTTP::uri]
                TCP::close
            }
        }
        default {
            log local0. "default"
            # do nothing
        }
    }
}
```

this iRule works in 11.2.1, i needed to add the after 5000 and HTTP::collect as APM doesn't quickly enough kill the session:

```
when HTTP_REQUEST {
    set sid [ACCESS::session sid]
    switch -glob [HTTP::uri] {
        "/uri1*" -
        "/uri2*" {
            if {$sid != ""} {
                log local0. "request for /uri* and active session, remove session and redirect"
                ACCESS::session remove
                HTTP::collect
                after 5000 {
                    HTTP::redirect [HTTP::uri]
                    TCP::close
                }
            }
        }
        default {
            log local0. "default"
            # do nothing
        }
    }
}
```

435 Views | 0 likes | 6 Comments

Session Tracking with ASM - Block All Vs Delay Blocking
Hi Guys, I'm just looking to understand exactly the difference between the 'Block All' and 'Delay Blocking' options for session tracking on ASM policy. Both seem to block after a defined threshold is reached and will block for a defined period of time. It looks like the 'Delay Blocking' option is more granular, however I expect that there is something significant I am overlooking. Also, the application I wish to use session tracking on does not have a login page. As a result I will be setting the 'Application Username' to 'none'. Will this allow me to still accurately track if an individual is spamming the application? Thank you
402 Views | 0 likes | 1 Comment

User ID based pool selection
hi there! I am trying to write one iRule to select the pool based on user ID. For example, when the user tries to log in, grab the ID of test1@example.com and send to pool1, and for other user ID test2@example.com send to pool2. Essentially, after successfully logging in, I have tried to save the user ID in the table. However, the issue is when test1 logs in, test2 cannot log in. Not sure what I am doing wrong. Is there any limitation on table? I assumed it should be session based when used from different browsers. Any help on this will be highly appreciated. F5 version: 12.1
Cheers. Best regards, Hyder
299 Views | 0 likes | 4 Comments