iRule How to log Access Policy error messages

We use the BIG-IP (version 11) APM module to provide single sign-on for a special web portal. Some of our users report issues with it, especially the error message "Access policy evaluation is already in progress for your current session" while they are browsing through the portal. At the moment we do not know why this happens (it seems to be sporadic) and we will analyze it later, but first we want to know how many users are affected (we can't ask them).

This is why we want to develop an iRule which produces a log message when the access policy error "Access policy evaluation is already in progress for your current session" occurs (named "Access not found page reject message" on the customization page).

How can we realize it? Or is there some other way to log this error message, so we can see how many users are affected?

We already tried something like this, but unfortunately it doesn't work:

when HTTP_REQUEST {
    # Capture request-side details here; the client address and User-Agent
    # belong to the request and are not available from the response headers
    set ipadr [IP::client_addr]
    set userAgent [HTTP::header "User-Agent"]
}

when HTTP_RESPONSE {
    if { [HTTP::header exists "Content-Length"] && [HTTP::header "Content-Length"] > 0 } {
        # Default amount of response payload to collect (in bytes)
        set collect_length 3600

        # Never ask for more than the body actually carries
        if { [HTTP::header "Content-Length"] < $collect_length } {
            set collect_length [HTTP::header "Content-Length"]
        }

        # Trigger collection of the response payload
        HTTP::collect $collect_length
    }
}

when HTTP_RESPONSE_DATA {
    if { [HTTP::payload] contains "Access policy evaluation is already in progress for your current session" } {
        # Username if the session is known (uncomment to try)
        # set user [ACCESS::session data get "session.logon.last.username"]

        # Output: one line per hit with the values captured in HTTP_REQUEST
        log local0.info "DEBUG: Access policy evaluation is already in progress -> $ipadr $userAgent"
    }
}
Comments on this Question
Comment made 4 months ago by PK 628

Can you provide a screenshot of your Access Policy from the VPE?

Comment made 4 months ago by Silvio Mink 3

We could, and black something out, but why do you need this information? How could it help? If we have to add something to our VPE it would be no problem, we could do it.

Comment made 4 months ago by PK 628

This "Access policy evaluation is already in progress for your current session" happens when there is already a session that is trying to become active, which means a user is in the process of authenticating to whatever authentication method you're using through your Access Policy. I would suggest you check your inactivity timeout (default 15 mins); sometimes it throws the above kind of page (when users sit idle for 15 mins).

Did you check whether the issue persists after removing the user session from the "Manage Sessions" page?
Note: Do not do this during business hours, users might complain.

Comment made 4 months ago by Silvio Mink 3

We can't investigate when it happens because we don't become aware of it. The users report this issue to us some hours or a day later. We think it is not the inactivity timeout; the users report it while they click through the portal (with only one browser tab). So they click "here" and "here" and then from one second to the next they see this error page. We assume a problem with cookie handling, or with something special like Citrix terminal servers, but before we investigate we want to know how many users are affected. If it is only 1 user, it is a different failure situation for us than when it is 100. This is why we need log output for the error page/message.

Comment made 4 months ago by PK 628

I can't think of anything except OneConnect. Try applying a OneConnect profile to your VIP? Hopefully that should fix the issue.


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Is the error logged in /var/log/apm ?

Comments on this Answer
Comment made 4 months ago by Silvio Mink 3

We have no messages regarding this error in our logs, but we only use the "Notice" log level. Would it be logged? Which log level do we need?

Comment made 4 months ago by MrPlastic 779

Notice is the default, so if it's not logging it may be worth trying debug. However, be advised this may have a performance impact if left running for long periods.

Comment made 4 months ago by Silvio Mink 3

Yes, since it's sporadic we would have to run this log level for some days, so debug is not really a solution for us, unfortunately.

Comment made 4 months ago by MrPlastic 779

Are you able to replicate the error, or at this stage do you just need to log to determine when the condition is happening?

Might be nothing, but have you tried changing the first event to 'when HTTP_RESPONSE'?

HTTP_RESPONSE_SEND is not a documented event: https://devcentral.f5.com/wiki/iRules.HTTP.ashx

Comment made 4 months ago by Silvio Mink 3

We can't replicate the error ourselves so far, and the users working with the portal are employed by different companies, so we can't ask them either.

Sorry, I have updated my post and changed the event HTTP_RESPONSE_SEND to just HTTP_RESPONSE; the wrong event was my fault because I played around a little bit to try some other possibilities (it's only valid for HTTP_REQUEST: https://devcentral.f5.com/wiki/iRules.HTTP_REQUEST_SEND.ashx).

Comment made 3 months ago by MrPlastic 779

I've been having a play around in my lab and I can get a similar error if I bookmark a portal site after logging in and attempt to access that bookmark again after logging out.

Could you try this and see if it's the same error your users are getting?

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi,

This message appears when you first start a session without finishing it, and then the user tries to access the same resource on a different landing URI.

You can define an iRule that checks whether there is an existing in-progress session; if so, just remove the MRHSession and LastMRH_Session cookies from the request.

Yann

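One way to implement the check Yann describes, and at the same time produce the per-hit log line the question asks for, as an added example (not Yann's code and not F5's): the iRule below runs in HTTP_REQUEST, looks up the MRHSession cookie, and only acts when the session behind it is still in progress. It assumes that ACCESS::session exists accepts the -state_in_progress option as documented on the iRules wiki for your version, and that requests into the policy flow itself live under /my.* (my.policy, my.logout); verify both on the running version before deploying. The log tag "APM in-progress session reuse" is an assumed name.

```tcl
# Added example, not code from the thread or from F5. Logs every request that
# carries the cookie of a session whose access policy evaluation has not
# finished (for counting affected users), then strips the APM cookies so the
# request starts a fresh session instead of landing on the "already in
# progress" page.
when HTTP_REQUEST {
    # Requests that belong to the policy flow itself (/my.policy, /my.logout,
    # ...) must keep their cookies, otherwise a legitimate logon never completes
    if { [HTTP::uri] starts_with "/my." } {
        return
    }
    # Nothing to do for clients without an APM session cookie
    if { ![HTTP::cookie exists "MRHSession"] } {
        return
    }
    set sid [HTTP::cookie value "MRHSession"]
    # Assumption: returns 1 only while the policy for $sid is still being
    # evaluated, 0 for a completed (allowed) session or an unknown session ID
    if { [ACCESS::session exists -state_in_progress $sid] } {
        # One line per hit; client address and User-Agent let you count distinct
        # affected users afterwards. Only the first 8 characters of the session
        # ID are logged so the full cookie value never lands in /var/log/ltm
        log local0.warn "APM in-progress session reuse: client=[IP::client_addr] sid=[string range $sid 0 7]... ua=[HTTP::header User-Agent] uri=[HTTP::uri]"
        # Drop the APM cookies so this request gets a new session
        HTTP::cookie remove "MRHSession"
        HTTP::cookie remove "LastMRH_Session"
    }
}
```

To count affected users, grep the tag in /var/log/ltm and count distinct client= values; the lines are written at the warning level, so the default Notice log level keeps them without turning on debug. If you only want the count and do not want to change behaviour yet, leave out the two HTTP::cookie remove lines and the iRule becomes a pure detector.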