APM already active session error when changing landing URI
For a customer we set up APM with several landing URIs to take different routes through the access policy. But of course the users sometimes make the mistake of entering https://apm.domain.com instead of using the correct landing URI, https://apm.domain.com/uri1. They can't correct this within the same session, because then they get the "Access policy evaluation is already in progress for your current session." error screen. The only workaround is closing the browser, which is annoying. I tried to solve this on that error screen, but that doesn't appear possible (in 11.2.1 and 11.4.0). So I created this iRule to solve it; perhaps it comes in handy for others.

This iRule works in 11.4:

```tcl
when HTTP_REQUEST {
    # Empty if the client has no APM session yet
    set sid [ACCESS::session sid]
    switch -glob [HTTP::uri] {
        "/uri1*" -
        "/uri2*" {
            # A landing URI was requested while a session is already active:
            # drop the session and let the client re-request the same URI
            if {$sid != ""} {
                log local0. "request for /uri* and active session, remove session and redirect"
                ACCESS::session remove
                HTTP::redirect [HTTP::uri]
                TCP::close
            }
        }
        default {
            log local0. "default"
            # do nothing
        }
    }
}
```

This iRule works in 11.2.1; I needed to add the after 5000 and HTTP::collect, as APM doesn't kill the session quickly enough:

```tcl
when HTTP_REQUEST {
    set sid [ACCESS::session sid]
    switch -glob [HTTP::uri] {
        "/uri1*" -
        "/uri2*" {
            if {$sid != ""} {
                log local0. "request for /uri* and active session, remove session and redirect"
                ACCESS::session remove
                # Hold the request, then redirect 5 seconds later to give APM
                # time to tear the session down before the client comes back
                HTTP::collect
                after 5000 {
                    HTTP::redirect [HTTP::uri]
                    TCP::close
                }
            }
        }
        default {
            log local0. "default"
            # do nothing
        }
    }
}
```

controlling APM access policy from iRule
I'm trying to influence the access policy to use a different path through the VPE based on a variable set in an iRule with ACCESS::session data set. The VPE has an element with some branch rules and expressions like expr { [mcget {session.tst.choice}] == 1 }. It seems you can only successfully use this by setting the variable with ACCESS::session data set during the handling of HTTP_REQUEST on /my.policy (this was enabled with ACCESS::restrict_irule_events disable in CLIENT_ACCEPTED). Is that correct, or am I missing something?

table command causing abort of rule event HTTP_REQUEST
Hello everyone,

This is my first dig into iRules, and I'm hitting an issue with the table command that is aborting my rule. I'm essentially trying to rate limit requests per URI per ASP.NET session ID. I've been working with the iRule for a couple of days, so I know it's not at its best and has excessive logging (for the purposes of figuring this out). I'm testing with a backend server that doesn't use ASP, so I'm setting it statically in the iRule as a failsafe for now. I'm building that up now for testing, but hit some snags.

The main issue is the table command aborting the rule execution. I was originally putting many of the table lookups directly into the if statements, but I was able to resolve an abort earlier in the rule by setting to a variable first.

Here are the logs:

```
[admin@LTM1:ModuleNotLicensed:Active:Standalone] ~ tail /var/log/ltm
Jun 6 11:07:23 LTM1 info tmm1[8579]: 01220009:6: Pending rule event HTTP_REQUEST aborted for 192.168.21.102:58079->10.202.20.170:80 (listener: /Common/Drupal_HTTP)
Jun 6 11:07:23 LTM1 info tmm[8579]: Rule /Common/JSESSIONRateLimit : iRule_Rate-Limiter: HTTP_REQUEST Matched
Jun 6 11:07:23 LTM1 info tmm[8579]: Rule /Common/JSESSIONRateLimit : iRule_Rate-Limiter: No session cookie found. Quitting..
Jun 6 11:07:23 LTM1 info tmm[8579]: Rule /Common/JSESSIONRateLimit : iRule_Rate-Limiter: Got URI, /drupal/themes/garland/images/bg-content-right.png, making key: session1_/drupal/themes/garland/images/bg-content-right.png
Jun 6 11:07:23 LTM1 info tmm[8579]: 01220009:6: Pending rule event HTTP_REQUEST aborted for 192.168.21.102:58080->10.202.20.170:80 (listener: /Common/Drupal_HTTP)
Jun 6 11:07:23 LTM1 info tmm1[8579]: Rule /Common/JSESSIONRateLimit : iRule_Rate-Limiter: HTTP_REQUEST Matched
Jun 6 11:07:23 LTM1 info tmm1[8579]: Rule /Common/JSESSIONRateLimit : iRule_Rate-Limiter: No session cookie found. Quitting..
Jun 6 11:07:23 LTM1 info tmm1[8579]: Rule /Common/JSESSIONRateLimit : iRule_Rate-Limiter: Got URI, /drupal/themes/garland/images/bg-content-right.png, making key: session1_/drupal/themes/garland/images/bg-content-right.png
Jun 6 11:07:23 LTM1 info tmm1[8579]: Rule /Common/JSESSIONRateLimit : iRule_Rate-Limiter: Matched second else.. not following conditionals.
Jun 6 11:07:23 LTM1 info tmm1[8579]: 01220009:6: Pending rule event HTTP_REQUEST aborted for 192.168.21.102:58081->10.202.20.170:80 (listener: /Common/Drupal_HTTP)
```

Here is the rule:

```tcl
when HTTP_REQUEST {
    log local0. "iRule_Rate-Limiter: HTTP_REQUEST Matched"
    set maxReqs 5          ;# requests allowed per key within one sample window
    set cooldownTimer 30   ;# lifetime (seconds) of a cooldown entry
    set sampleTimer 30     ;# lifetime (seconds) of a request-count entry
    set timeout 30         ;# idle timeout (seconds) for both tables

    if { [HTTP::cookie exists "ASP.NET_SessionId"] } {
        set aspid [HTTP::cookie ASP.NET_SessionId]
        log local0. "iRule_Rate-Limiter: SESSION Cookie present: $aspid"
    } else {
        log local0. "iRule_Rate-Limiter: No session cookie found. Quitting.."
        pool Drupal_Pool
        # Disables further HTTP_REQUEST events on this connection;
        # the remainder of this event handler still runs (see the logs above)
        event HTTP_REQUEST disable
        # Static fallback session ID while the backend does not set the cookie
        set aspid "session1"
    }

    # Rate-limit key: <session id>_<lowercased URI>
    set reqURI [string tolower [HTTP::uri]]
    set key "$aspid"
    append key "_$reqURI"
    log local0. "iRule_Rate-Limiter: Got URI, $reqURI, making key: $key"

    # table commands are suspending commands: the event handler is parked
    # here until the session table answers
    set onCooldown [table lookup -subtable "Cooldowns" $key]
    if { $onCooldown != "" } {
        log local0. "iRule_Rate-Limiter: Key: $key is already on cooldown, sending HTTP:429 status code."
        HTTP::respond 429
    } else {
        log local0. "iRule_Rate-Limiter: Matched second else.. not following conditionals."
        # Line 31 of the rule as posted: the abort occurs here
        set currCount [table add $key 1]
        if { $currCount == "" } {
            table set $key 1 $timeout $sampleTimer
            log local0. "iRule_Rate-Limiter: First attempt for $key, adding to table for tracking."
        } else {
            if { ($currCount <= $maxReqs) } {
                table incr $key 1
                incr currCount
                log local0. "iRule_Rate-Limiter: $key not on timeout, but not first request. Incrementing count to $currCount in session table."
            } else {
                HTTP::respond 429
                table set -subtable "Cooldowns" $key "yes" $timeout $cooldownTimer
                log local0. "iRule_Rate-Limiter: $key triggered cooldown with $currCount attempts. Adding to cooldown table."
            }
        }
    }
}
```

Note that the rule is aborting at this line of code (line 31 of the rule as posted):

```tcl
set currCount [table add $key 1]
```

Any help here is greatly appreciated, as I can't find anything outlining why this occurs. It's a small rule, and a simple lookup, so I don't see why it would cause the rule to suspend indefinitely.

Thanks!
Ryan

Kill an APM session after policy completes successfully
Hi,

I have a bizarre question. How would I be able to kill an APM session a few seconds after the access policy completes? I have a max session timeout of 300 (5 min) to allow the user to complete the steps of a policy, which is to allow a SAML IdP chain to occur. Once that has finished, and the SAML assertion is sent to the SP, I want to end the session rather than waiting for it to time out. The F5 isn't proxying any applications; it's just helping authenticate.

I had a look at session.max_session_timeout, but it appears that can only be modified in the ACCESS_SESSION_STARTED event. I also tried ACCESS::session remove in the ACCESS_ACL_ALLOWED and ACCESS_POLICY_COMPLETED events, but that just ends the session right then and there.

Any ideas how it can be done?

Regards,
Simon

F5 APM Limit max user per session
Currently, F5 is running APM with the SSL VPN function. How is it possible to set the max sessions per user to "1"? The Access Profile setting only allows me ... For example, the scenario on F5 is:

USER A logs in on PC1 -> Passed
USER A logs in on PC2 -> Passed, and the session on PC1 is terminated

But that is not what I want. I want a scenario like:

USER A logs in on PC1 -> Passed
USER A logs in on PC2 -> Cannot log in

Is there any solution to configure this, or do I have to use iRules to detect it?

Thanks

What session variables does the citrix login prompt write to
We're using the Citrix login prompt APM module in v12. The only setting visible is the Citrix Authentication Type of either domain-only or two-factor. If I use two-factor, what session variable does the extra field write into?

User ID based pool selection
Hi there! I am trying to write an iRule to select the pool based on user ID. For example, when the user tries to log in, grab the ID test1@example.com and send to pool1, and for the other user ID, test2@example.com, send to pool2. Essentially, after a successful login I have tried to save the user ID in the table. However, the issue is that when test1 logs in, test2 cannot log in. Not sure what I am doing wrong. Is there any limitation on table? I assumed it should be session based when used from different browsers. Any help on this will be highly appreciated.

F5 version: 12.1

Cheers.
Best regards,
Hyder

SSL Session Timeout Behavior
Quick question. Does the SSL session cache timeout get renewed with resumed sessions? Or does a session expire at the timeout regardless of resumption? I looked over https://support.f5.com/csp/article/K6767 and https://support.f5.com/csp/article/K14783, but neither definitively states whether the timeout resets after renegotiation or not. Thanks!

Session Tracking with ASM - Block All Vs Delay Blocking
Hi guys,

I'm just looking to understand exactly the difference between the 'Block All' and 'Delay Blocking' options for session tracking on an ASM policy. Both seem to block after a defined threshold is reached and will block for a defined period of time. It looks like the 'Delay Blocking' option is more granular; however, I expect that there is something significant I am overlooking.

Also, the application I wish to use session tracking on does not have a login page. As a result I will be setting the 'Application Username' to 'none'. Will this still allow me to accurately track whether an individual is spamming the application?

Thank you