Forum Discussion

AndOs's avatar
AndOs
Icon for Cirrostratus rankCirrostratus
Dec 09, 2012

Redirect loop on APM logon page

Hi!

 

 

I'm getting a strange behavior with the default APM logon pages after making a configuration for exchange 2010 with the latest iApp (2012-06-08).

 

 

The thing I'm seeing is that users that does not complete the logon process get a redirect-loop on the APM logon page after their session has timed out.

 

I made a packet capture of this and I suspect that when the message "session expired/timeout" is displayed the small image, next to the link, actually refreshes the session.

 

 

Example scenario:

 

User connects to mail.company.com to logon to OWA.

 

APM creates a session. (visible under Access Policy / Manage Sessions)

 

Session start time is 12:00:00, expiration is 12:05:00

 

The user doesn't logon, and after 5 min the "session expired/timeout" message appears with a link to start a new session.

 

Looking in Access Policy / Manage Sessions the session expiration is now 12:10:00

 

User clicks the link and the browser hangs (Chrome displays a warning that a redirect loop has occurred).

 

 

 

Example of the loop:

 

 

Client:

 

GET /owa/ HTTP/1.1\r\n

 

Referer: https://mail.company.com/my.policy\r\n

 

Accept-Language: sv\r\n

 

Accept-Encoding: gzip, deflate\r\n

 

Host: mail.company.com\r\n

 

Connection: Keep-Alive\r\n

 

Cookie: LastMRH_Session=8349644d; MRHSession=13626a47c33834faf76e4c078349644d; TIN=0\r\n

 

 

Big-ip:

 

HTTP/1.0 302 Found\r\n

 

Server: BIG-IP\r\n

 

Connection: Close\r\n

 

Content-Length: 0\r\n

 

Location: /owa/\r\n

 

Set-Cookie: LastMRH_Session=8349644d;path=/;secure\r\n

 

Set-Cookie: MRHSession=13626a47c33834faf76e4c078349644d;path=/;secure\r\n

 

\r\n

 

 

 

 

Just to test, I changed the session timeout message and removed the image, and the redirect loop went away!

 

 

Has anyone else seen this?

 

We're running 11.2.1

 

Is this a bug, or have we made some mistake in our configuration?

 

Haven't tested with a plain vanilla access policy without using the exchange iApp.

 

 

We can live with not having image present, but the behavior is a bit weird :)

 

 

 

Best regards

 

Andreas

 

5 Replies

  • mikeshimkus_111's avatar
    mikeshimkus_111
    Historic F5 Account
    hi Andreas, that sounds like a possible bug with your version of BIG-IP. Did you perform all the post-configuration steps in the deployment guide?

     

     

    I tested it today with version 11.3 and don't have the same issue; in my case the original session is deleted and a new one is started when you click the link (that's the expected behavior). I recommend opening a case with F5 support on this one.

     

    thanks

     

    Mike
  • AndOs's avatar
    AndOs
    Icon for Cirrostratus rankCirrostratus
    Thanks for replying.

     

     

    If I remember correct there weren't many (if any) configuration changes we had to make after running the iApp. We have a pretty basic implementation of exchange 2010.

     

     

    Today I made a deployment for Citrix XenApp using the latest iApp, and also made a configration for OWA 2003 iwth APM.

     

    Both these show the same behavior of falling into a redirect-loop when the session times out on the logon page.

     

     

    I'll make a support case to F5 and see what they have to say.

     

     

    /Andreas
  • AndOs's avatar
    AndOs
    Icon for Cirrostratus rankCirrostratus

    I found that the loop also appeared in manually created configs by assigning a very simple access profile to any virtual server. So it wasn't just happening to configurations created by the exchange iApp.

     

     

    Downgraded to 11.2.0 Final, build 2446, loaded default configuration and re-made the basic setup of our boxes, and the loops disappeared.

     

    Loaded default config again and upgraded to 11.2.0 HF3, and the loops came back.

     

     

    At this time, support came back with an answer that this problem was due to a known issue, so I never tried 11.2.0 HF1 or 2.

     

    Didn't get any details about the issue, but they supplied us with a workaround which meant reassigning session.server.landinguri to a dummy URI before all logon pages, and directly after the logon page, assigning landinguri the original value.

     

     

    Our access profiles now looks like the attached image.

     

     

    The first variable assign ("fix landing") contains

     

    session.server.templandinguri = mcget {session.server.landinguri}

     

    session.server.landinguri = return { "/dummyuri" }

     

     

    The second one ("fix landing(1)) contains

     

    session.server.landinguri = mcget {session.server.templandinguri}

     

     

    After that, no more loops.

     

     

     

     

    /Andreas

     

     

  • Lucas_Thompson_'s avatar
    Lucas_Thompson_
    Historic F5 Account

    There have been a very large number of improvements / fixes in the iapp for Exchange OWA and associated functions in APM.

     

    Please retry with the latest iapp/version, and open a support case if you see strange behavior. Be sure to include:

     

    1- httpwatch recording of the browser

     

    2- APM logs in debug-level with an example session ID.

     

    3- qkview

     

    4- exact steps taken in the reproduction case from the time that you open up the browser until the troublesome behavior occurs.