How to make a WSS request not restart the session timeout
hi, We have a page that is used to notify the application if the user is in session or not, without interferring with the session timeout itself. This page is accessed by the client automatically every X seconds. This is the code: if {$httpPath == "/pagename"} { if {([HTTP::cookie value MRHSession] != "") && ([ACCESS::session exists -state_allow]) } { HTTP::respond 200 content Yes SomeHeader Yes } else { HTTP::respond 200 content No SomeHeader No } ACCESS::disable return } Now the application team start using some asp.net component called SignalR which uses WSS, let's say the path is /signalr. This path is also accessed automaticaly every X seconds by the client, and thus restarts the session timeout counter and the app never disconnect. I need to do the same intervention like the code above does, only with this /signalr page. Problem is that unlike with the current/pagename path, if I add the /signalr path to the IF, it blocks the request from getting to the app server and breaks the app. Anyone familiar with this component or know why it acts differently? Thanks1.3KViews0likes1CommentTACACS+ Timeout
Hi all, I have been successfully authentication to my F5 estate using TACACS handing off to AD for many years. I have now added another layer by integrated with my MFA platform but cannot figure out how to alter/set timeouts for the MFA authentication. My configuration for TACACS is: auth tacacs system-auth { protocol ip secret xxxxx servers { x.x.x.x y.y.y.y } service ppp } I have set the timeout with: list auth tacacs system-auth timeout auth tacacs system-auth { timeout 15 } When I connect, I am prompted to MFA for both CLI & GUI. However, if I wait for 30 seconds, 1 minute, etc. the MFA session is still waiting & authenticates me when I accept the MFA challenge. Can anyone out there suggest what I'm missing in making the timeout time me out?999Views0likes3CommentsiRule to increase tcp timeout for given client
Hi, I need to increase a tcp timeout value. when a certain client connects to VIP. I did this: when CLIENT_ACCEPTED { if { [IP::addr [IP::client_addr] equals 10.10.10.10] } { TCP::idletime 600 } } But it resulted in an error: "increase_idle_timeout:3: error: [undefined procedure: TCP::idletime][TCP::idletime 600]" On the other hand this was accepted: when CLIENT_ACCEPTED { if { [IP::addr [IP::client_addr] equals 10.10.10.10] } { IP::idle_timeout 600 } } What is the difference between IP::idle_timeout and TCP::idletime? I'm running 11.5.7Solved899Views0likes1CommentAPM :: Async Error :: Session deleted due to user inactivity
Anybody run into this error before? Been chasing "Session deleted due to user inactivity" when the user swears that it disconnects in the middle of their session while they are actively working. Saw this in the informational logs and wondered if it was related... 2018-03-29 01:29:19 /Common/main:Common:xxxxxxxx: {61b5.C} An exception is thrown: AsyncError:1: SuppliedUnexpectedAny899Views0likes3CommentsInterval and Timeout set to two seconds on HTTP/HTTPS health monitor
Hi all, I currently have a need from upper management to shorten the length of time a user will need to wait if they're connected to our site and tomcat goes down on one of our backend servers that they're connected to. In order to achieve a wait time of no longer than 10 seconds before their web page is loaded on another server in the pool we set the interval and timeout values on the health monitor to 2 seconds each. Originally I had it set to 5 and 16, then 3 and 10, but that wasn't giving us a low enough wait time before a webpage comes back. So, testing our values at 2 and 2 gave us the results we wanted but I want to make sure there are no "gotchas" as far as on the F5. There's no reason why one of our servers wouldn't be able to respond back within 2 seconds and sending that check every 2 seconds isn't a concern as far as network load. The only thing I can think of that might be a concern is the ability of the server to respond to the string below. As far as I know that string is only making sure http and https are responsive, it's not asking for a webpage or something that would take more time/resources. Have any of you had success/issues with setting a monitor interval and timeout to such a low value and what effects did you see? For reference we're running version 12.1.0 and the monitor string is below: GET / HTTPS/1.1\r\nHost: \r\nConnection: Close\r\n\r\n HTTP/1.1\r\nHost: \r\nConnection: Close\r\n\r\n798Views0likes3CommentsOWA Timeout, Redirect to Logon Page, not BIG-IP Logout page, iRule?
Hello Community, I am looking for an iRule or a way to redirect to the Logon Page when a user session timesout, (specifically for OWA) instead of sending them to the BIG-IP logged off page. I know little about writing iRule (working on getting taking the class), I can read and understand the basics but of course that is like any foreign language :-) I have searched around and have not really found anything, any pointers would be greatly appreciated! Thanks in advance! Thanks! DamonSolved628Views0likes4CommentsAPM SSO with Atlassian Jira, Confluence and Sharepoint
Hi, For one of our clients we are trying to realize a single sign on solution on our F5 for Atlassian Jira, Confluence, Stash and Sharepoint. To this end we have created a virtual server with an APM policy of type LTM-APM. All websites are published through one and the same Virtual Server. We filter host-headers (HTTP::host) in order to decide which backend server traffic needs to be forwarded to and use different SSO Configurations for connecting to the backend. In addition we used a community iRule to provide for Sharepoint-office integration SSO (as provided here: https://devcentral.f5.com/codeshare/apm-sharepoint-authentication) with some tweaks. Although SSO works we're still struggling with issues that we've not yet been able to resolve and we think are related to the fact that especially Jira and Confluence are stateful HTML5 applications with ajax. This in combination with the fact that there is no integration between the F5 and the backend webservers. These problems are giving me a headache. I've already searched devcentral but have been unable to find a solution for our problems. Amongst others the following problems are encountered: When a logged on user is inactive for some time he runs into an APM session inactivity timeout (F5 side) and the session is deleted from the session table; This shouldn't be a problem in a normal situation, but the webapplication clientside does not signal the user that the session expired. Now when the user comes back again and clicks somewhere on the webpage 1 of 2 things may happen: a. The user clicks a link which fires a javascript/ajax/restapi-call; this script may perform a call to the backend server, is blocked by the F5 and redirected to a login page in the background. For the user this means an unresponsive webapplication with a doughnut or an error on the screen (without the F5 in between the user would also get an 'error', but with a possibility to copy data that will be lost and a link to the logon page). For the user the webapplication is broken at this point. b. The user clicks a link that will actively fire a redirect to the F5 login page. This is desirable behaviour from our point of view, but... In comes the next issue... After a re-login via APM the user is redirected back to the landing-page that initiated the APM_SESSION_STARTED event. Because the webapplication fires all kinds of requests from the client to the server more often than not this process erroneously redirects the user to some page belonging to the rest api or a javascript on the webserver. When redirected to javascript the user sees javascript, when to the rest api it's even more jibberish. There some other issues too but my post is getting too long i guess so i'll leave them for a different post. We thought of several solutions but up until now none of them really seem to work satisfactory: Javascript injection (something like this: https://devcentral.f5.com/questions/ltm-apm-session-expired-detection) to detect APM session timeout and actively redirect the user. This however would not solve incorrect redirect behaviour mentioned in my second statement; in addition Auto redirect on inactivity would eventually also timeout on the APM loginform after which the original landing page is no longer available; Auto logout on serverside; This is a problem however if user is still working in different browser-tab in another application and the application timing out redirects the user to the logon page, which in turn is being detected by the F5, hereby unintentionally killing the APM session altogether and requiring an 'active' user to re-login and potentially losing work; Redirect to a default page (for the second issue); this solution is not acceptable to our client; Sending heartbeats to always keep the session alive; this would however circumvent active security policies and therefore is not acceptable; Using Client Initiated forms based auth and only enable APM for login pages; this seems to work somewhat (inactivity timeout on the serverside provides for the desired behaviour), however, after the first login APM is never being hit again causing an inactivity timeout in no time. The main goal is to provide a seamless SSO-experience for the users. Any thoughts to resolve these issues would really be appreciated. Thanks, Mark618Views0likes1Commenthow to modify automatic logout about console, WebUI and SSH??
Configuring automatic logout for idle web configuration utility sessions 1) 9.x ? 2) 10.x - 11.x >> sol9908: Configuring an automatic logout for idle sessions Configuring automatic logout for idle SSH connections (command line sessions) 1) 9.x ? 2) 10.x - 11.x >> sol9908: Configuring an automatic logout for idle sessions617Views0likes14CommentsSSL Timeout - Client receives "secure connection failed" - Reason: backend DB answer takes too long?
Hello Folks, hope you can help me out here. From time to time some of our clients (connecting via SSL to a VS) receive an secure connection failed error from the webbrowser. It's a simple web application. The administrator told me that sometimes a database answer takes about 10 seconds because of.. crappy db or whatever. It always happens when a db request /answer takes this long. So i guess this is the root of the problem. Is this a default behaviour that the ssl connection fails or that the browser interpret this like a failure, when no datas flowing for about 10 seconds? I nearly checked every timer in the SSL and TCP profile but without success.. Any ideas?565Views0likes1Comment