Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Filter by:
  • Solution
  • Technology
Answers

Unable to add access policy - getting Your session could not be established.

I have version 11.6.0 build 0.0.401 running in VMware workstation version 12 with a lab license. The other day I added extra VMs and one of them had the same IP address as I was using as the self-ip on the big-ip. I also exceeded the memory of my system. In the boot screen I saw some strange errors that I didn't document but having realised my error I cleared out an old configuration and changed the self ip.

Now I create a new node, pool and vip all simple stuff and I can connect to my backend default website.

Now the problem is when I add an access policy that contains just a message box I get the session error page in the browser.

I am also getting init: Id "co" respawning too fast: disabled for 5 minutes in the VM.

I tried to create a new VM but I am unable to activate the license.

Any help here would be much appreciated.

0
Rate this Question

Answers to this Question

placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Andy, you can call F5 support and have the license released from the previous VM's id.

0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Thank you. I realised like a good it pro I had a backup of the VM. The restore is fine so no worry on needing to make contact. What I can't figure out at present is I can create a VIP for SSL connection and I can add an APM access policy but if I add the policy to a HTTP non SSL VIP I get the "Your session could not be established. I did change the cookie to HTTP only but it didn't make any difference.

0
Comments on this Answer
Comment made 25-Aug-2016 by Ali Khan 57

what's in the APM logs? Grep sessionref /var/log/apm

0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

This is all there is: [root@bigip:ModuleNotLicensed:Active:Standalone] config # tail -200 /var/log/apm | grep -i 87B33CBB Aug 26 06:09:41 bigip notice tmm[14937]: 01490506:5: 87b33cbb: Received User-Agent header: Mozilla%2f5.0%20(Windows%20NT%206.1%3b%20WOW64%3b%20Trident%2f7.0%3b%20rv%3a11.0)%20like%20Gecko. Aug 26 06:09:41 bigip notice tmm[14937]: 01490544:5: 87b33cbb: Received client info - Type: IE Version: 11 Platform: Win7 CPU: WOW64 UI Mode: Full Javascript Support: 1 ActiveX Support: 1 Plugin Support: 0 Aug 26 06:09:41 bigip notice tmm[14937]: 01490500:5: 87b33cbb: New session from client IP 192.168.213.10 (ST=/CC=/C=) at VIP 192.168.213.26 Listener /Common/VS_BIP_INTRANET (Reputation=Unknown) [root@bigip:ModuleNotLicensed:Active:Standalone] config #

0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

This is what happens when I use the SSL connection with the same access policy. It displays the logon page:

Aug 26 06:17:30 bigip notice tmm1[14937]: 01490506:5: 3bb1c585: Received User-Agent header: Mozilla%2f5.0%20(Windows%20NT%206.1%3b%20WOW64%3b%20Trident%2f7.0%3b%20rv%3a11.0)%20like%20Gecko. Aug 26 06:17:30 bigip notice tmm1[14937]: 01490544:5: 3bb1c585: Received client info - Type: IE Version: 11 Platform: Win7 CPU: WOW64 UI Mode: Full Javascript Support: 1 ActiveX Support: 1 Plugin Support: 0 Aug 26 06:17:30 bigip notice tmm1[14937]: 01490500:5: 3bb1c585: New session from client IP 192.168.213.10 (ST=/CC=/C=) at VIP 192.168.213.28 Listener /Common/VS_BIPWEBSERVER (Reputation=Unknown) Aug 26 06:17:30 bigip debug apd[10678]: 01490000:7: AccessPolicyD.cpp func: "process_request()" line: 660 Msg: //========================================= Aug 26 06:17:30 bigip debug apd[10678]: 01490000:7: AccessPolicyD.cpp func: "process_request()" line: 661 Msg: Request received Aug 26 06:17:30 bigip debug apd[10678]: 01490000:7: AccessPolicyD.cpp func: "process_request()" line: 662 Msg: //----------------------------------------- Aug 26 06:17:30 bigip debug apd[10678]: 01490000:7: HTTPParser.cpp func: "readFromSocket()" line: 63 Msg: bytes_received: 237, len: 237 Aug 26 06:17:30 bigip debug apd[10678]: 01490000:7: HTTPParser.cpp func: "readFromSocket()" line: 87 Msg: first header received: GET /my.policy HTTP/1.1 Aug 26 06:17:30 bigip debug apd[10678]: 01490000:7: HTTPParser.cpp func: "parseHttpRequestHeader()" line: 310 Msg: HTTP Method received: GET Aug 26 06:17:30 bigip debug apd[10678]: 01490000:7: HTTPParser.cpp func: "parseHttpRequestHeader()" line: 339 Msg: HTTP URI received: /my.policy Aug 26 06:17:30 bigip debug apd[10678]: 01490000:7: HTTPParser.cpp func: "parseHttpRequestHeader()" line: 384 Msg: HTTP major version received: 1 Aug 26 06:17:30 bigip debug apd[10678]: 01490000:7: HTTPParser.cpp func: "parseHttpRequestHeader()" line: 385 Msg: HTTP minor version received: 1 Aug 26 06:17:30 bigip debug apd[10678]: 01490000:7: HTTPParser.cpp func: "readFromSocket()" line: 94 Msg: generic header received: client-session-id: 644a46926d7cf5289aa0b6bd3bb1c585 Aug 26 06:17:30 bigip debug apd[10678]: 01490000:7: HTTPParser.cpp func: "parseHttpGenericHeader()" line: 432 Msg: Header received, client-session-id: 644a46926d7cf5289aa0b6bd3bb1c585 Aug 26 06:17:30 bigip debug apd[10678]: 01490000:7: HTTPParser.cpp func: "readFromSocket()" line: 94 Msg: generic header received: session-key: 052ba0ccff14fce8e4594e2c3bb1c585 Aug 26 06:17:30 bigip debug apd[10678]: 01490000:7: HTTPParser.cpp func: "parseHttpGenericHeader()" line: 432 Msg: Header received, session-key: 052ba0ccff14fce8e4594e2c3bb1c585 Aug 26 06:17:30 bigip debug apd[10678]: 01490000:7: HTTPParser.cpp func: "readFromSocket()" line: 94 Msg: generic header received: profile-id: /Common/APM_TEST Aug 26 06:17:30 bigip debug apd[10678]: 01490000:7: HTTPParser.cpp func: "parseHttpGenericHeader()" line: 432 Msg: Header received, profile-id: /Common/APM_TEST Aug 26 06:17:30 bigip debug apd[10678]: 01490000:7: HTTPParser.cpp func: "readFromSocket()" line: 94 Msg: generic header received: session-id: 3bb1c585 Aug 26 06:17:30 bigip debug apd[10678]: 01490000:7: HTTPParser.cpp func: "parseHttpGenericHeader()" line: 432 Msg: Header received, session-id: 3bb1c585 Aug 26 06:17:30 bigip debug apd[10678]: 01490000:7: HTTPParser.cpp func: "readFromSocket()" line: 94 Msg: generic header received: snapshot-id: 7432fb5e4d_1oooooooooooooooooooo Aug 26 06:17:30 bigip debug apd[10678]: 01490000:7: HTTPParser.cpp func: "parseHttpGenericHeader()" line: 432 Msg: Header received, snapshot-id: 7432fb5e4d_1oooooooooooooooooooo Aug 26 06:17:30 bigip debug apd[10678]: 01490000:7: HTTPParser.cpp func: "readFromSocket()" line: 94 Msg: generic header received: cmp-pu: 1 Aug 26 06:17:30 bigip debug apd[10678]: 01490000:7: HTTPParser.cpp func: "parseHttpGenericHeader()" line: 432 Msg: Header received, cmp-pu: 1 Aug 26 06:17:30 bigip debug apd[10678]: 01490000:7: HTTPParser.cpp func: "readFromSocket()" line: 82 Msg: Complete header received: 237 Aug 26 06:17:30 bigip debug apd[10678]: 01490000:7: AccessPolicyD.cpp func: "process_request()" line: 678 Msg: Received Session Id: "3bb1c585" Aug 26 06:17:30 bigip debug apd[10678]: 01490000:7: AccessPolicyD.cpp func: "process_request()" line: 680 Msg: Received Profile Id: "/Common/APM_TEST" Aug 26 06:17:30 bigip debug apd[10678]: 01490000:7: AccessPolicyD.cpp func: "process_request()" line: 682 Msg: request-from: "" Aug 26 06:17:30 bigip debug apd[10678]: 01490000:7: AccessPolicyD.cpp func: "process_request()" line: 684 Msg: clientless-mode: "" Aug 26 06:17:30 bigip debug apd[10678]: 01490000:7: AccessPolicyD.cpp func: "process_request()" line: 686 Msg: no-inspection-host-mode: "" Aug 26 06:17:30 bigip debug apd[10678]: 01490000:7: AccessPolicyD.cpp func: "process_request()" line: 688 Msg: Received CMP Process Unit: "1, mc = 0x5b5eff44" Aug 26 06:17:30 bigip debug apd[10678]: 01490000:7: AccessPolicyD.cpp func: "process_request()" line: 690 Msg: start processing of the access policy Aug 26 06:17:30 bigip debug apd[10678]: 01490000:7: AccessPolicyProcessor/AccessPolicyProcessor.cpp func: "_initSession()" line: 467 Msg: access policy processing: 0 Aug 26 06:17:30 bigip debug apd[10678]: 01490000:7: AccessPolicyProcessor/AccessPolicy.cpp func: "execute()" line: 298 Msg: Let's evaluate rules, total number of rules for this action=1 Aug 26 06:17:30 bigip debug apd[10678]: 01490000:7: AccessPolicyProcessor/AccessPolicy.cpp func: "execute()" line: 304 Msg: Rule to evaluate = "" Aug 26 06:17:30 bigip info apd[10678]: 01490006:6: 3bb1c585: Following rule 'fallback' from item 'Start' to item 'Logon Page' Aug 26 06:17:30 bigip debug apd[10678]: 01490011:7: 3bb1c585: Logon agent: ENTER Function executeInstance Aug 26 06:17:30 bigip debug apd[10678]: 01490000:7: modules/LogonPage/SimpleLogonPage/SimpleLogonPageAgent.cpp func: "SimpleLogonPageAgentexecuteInstance()" line: 1134 Msg: SCIM session state variables: Request Type : Request Domain : GroupName : UserName : ClearCache:0 Aug 26 06:17:30 bigip debug apd[10678]: 01490012:7: 3bb1c585: Logon agent: LEAVE Function executeInstance Aug 26 06:17:30 bigip info apd[10678]: 01490004:6: 3bb1c585: Executed agent '/Common/APM_TEST_act_logon_page_ag', return value 3 Aug 26 06:17:30 bigip debug apd[10678]: 01490000:7: AccessPolicyProcessor/AccessPolicy.cpp func: "_executeOneAgent()" line: 116 Msg: user input is required Aug 26 06:17:30 bigip debug apd[10678]: 01490000:7: AccessPolicyD.cpp func: "process_request()" line: 737 Msg: processing of access policy is done, result code=fffffff3 Aug 26 06:17:30 bigip debug apd[10678]: 01490000:7: AccessPolicyD.cpp func: "writeSessionVarToSessionDb()" line: 1551 Msg: syncing data with MEMCACHED Aug 26 06:17:30 bigip debug apd[10678]: 01490000:7: memcache.c func: "mc_convert_session_var_to_mc_key()" line: 2094 Msg: Converted Var: session.logon.page.customization.group to Session Var tmm.session.3bb1c585.session.logon.page.customization.group Aug 26 06:17:30 bigip info apd[10678]: 01490007:6: 3bb1c585: Session variable 'session.logon.page.customization.group' set to '/Common/APM_TEST_act_logon_page_ag' Aug 26 06:17:30 bigip debug apd[10678]: 01490000:7: ./AccessPolicyProcessor/Session.h func: "setSessionInactive()" line: 870 Msg: 3bb1c585: done with request processing Aug 26 06:17:30 bigip debug apd[10678]: 01490000:7: AccessPolicyD.cpp func: "sendAccessPolicyResponse()" line: 1689 Msg: send 'redirect to EUIE' code, redirect URL="/agent_logon_page_form.eui?" Aug 26 06:17:30 bigip debug apd[10678]: 01490000:7: AccessPolicyD.cpp func: "process_request()" line: 767 Msg: ** done with the request processing **

0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

By default the APM MRHSession cookie is only allowed over SSL/TLS, which in my opinion is the only secure way to use APM, and not over HTTP. The issue with APM over non-encrypted traffic is a malicious actor can steal your cookie and impersonate your session.

Now, if you absolutely have to use APM over non-encrypted traffic you can disable the Secure cookie option under the SSO/Auth Domains tab (Access Policy -> Access Profiles then SSO/Auth Domains will be on the top menu).

0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Thanks, I know about unchecking the secure option but that has made no difference. Now this is where things start to get very odd. I have two VIPs both setup for SSL with client ssl profiles and proper certificates. One works with the access policy I have created and the other gives the error. The access policy is just to display a logon screen as before. I can go through the process of creating a new vip with server certificate and I still get the error. I cannot see anything differences between the vips. I can proceed as is but it would sure be good to find out what is going on here. Cheers.

0
Comments on this Answer
Comment made 26-Aug-2016 by Cody Green

Odd, possible an issue with mcp? try bigstart restart from the CLI and see if it still happens. Any chance you can test this on a stable branch of code like 11.6.1?

0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

I have installed 12.1.1 but the problem persists. Now something different is that logging has been changed. In the CLI there are now only 3 options and not 5 for APM. In both the GUI and CLI logs I do not see the SU4==OK for Kerberos delegation.

0