Forum Discussion

East_Coast_1151's avatar
East_Coast_1151
Icon for Nimbostratus rankNimbostratus
Oct 09, 2013

How to avoid "Access policy evaluation is already in progress"

Hello,

I am using the iRule below to close Outlook Web App 2013 sessions. At the first sight it works correctly and shows the F5 logoff page (/vdesk/hangup.php3).

However, OWA 2013 has a javascript that performs a hidden POST to the server on the onunload event to close the session on the server side. This happens right after the session is closed by the F5 logoff page. So it automatically creates a new APM session and when the user clicks on "Click here to login again" he/she sees the message below coming from APM:

"Access policy evaluation is already in progress"

How can I avoid this message?

I tried to do ACCESS::session remove on in response to this last hidden POST but it didn't help. I also tried to introduce some delay before redirecting the user to the F5 logout page in order to let it perform the last POST but it did not work either.

    when HTTP_REQUEST { 

     Set the uri variable
    set uri [string tolower [HTTP::uri]]

     Check if the user clicked the OWA signout link and redirect to the F5 logout page 
    if { $uri contains "/logoff.owa" || $uri contains "/logoff.aspx" } {

     HTTP::redirect "/vdesk/hangup.php3" 

     }

    }

14 Replies

  • Can you differentiate the hidden JavaScript request from other requests? And validate that this request is ONLY sent at logoff? Without looking at it in detail, wondering if you could just issue an ACCESS::disable command on receipt of this specific request.

     

  • mikeshimkus_111's avatar
    mikeshimkus_111
    Historic F5 Account

    Hi East Coast,

     

    Have you tried using the iRule from page 82 of the deployment guide: http://www.f5.com/pdf/deployment-guides/microsoft-exchange-2010-2013-iapp-dg.pdf

     

    I don't run into this issue when using the iRule from the guide.

     

    thanks

     

    Mike

     

    • Greg_112502's avatar
      Greg_112502
      Icon for Nimbostratus rankNimbostratus
      Which one? The one you have to create, or the ones listed in the "non-default settings/notes" portion?
    • mikeshimkus_111's avatar
      mikeshimkus_111
      Historic F5 Account
      The one in the "Creating the iRule to terminate inactive APM sessions" section (page 86 of the current guide).
    • Misty_Spillers's avatar
      Misty_Spillers
      Icon for Nimbostratus rankNimbostratus

      Please help. I'm using APM BIG-IP 12.1.2 Build 1.0.271 Hotfix HF1 and iAPP (tried as well)

       

      I login once everything is fine then if I try again I get "Access policy evaluation is already in progress for your current session." Everytime. doesn't matter if I close the browser. The only way around it is in private mode. I have tried everything in this thread and nothing seems to work. I seem to have the rule for "Creating the iRule to terminate inactive APM sessions" on from the iAPP but I still get the error. Anyone know what I am missing?

       

      Thanks,

       

      Misty

       

  • I resolved this issue by applying this iRule included in the deployment guide:

     

    when HTTP_REQUEST { if { [HTTP::cookie exists "IsClientAppCacheEnabled"] } { HTTP::cookie "IsClientAppCacheEnabled" False } }

     

    It is on page 59 of the 1.4.0rc1 guide. It is not included in the "Creating the iRule to terminate inactive APM sessions" iRule.

     

    • clarkede's avatar
      clarkede
      Icon for Nimbostratus rankNimbostratus

      Where can I get this "Deployment Guide" you refer to??? As in a specific link or site to get it from. F5 has several login sites, so help as to which one would be great. I tried looking for this several months ago and I gave up.

       

      Thanks in advance!

       

    • clarkede's avatar
      clarkede
      Icon for Nimbostratus rankNimbostratus

      Thanks for the link. I have downloaded the guide, but have a question about implementing the iRule in the guide. I currently have a "when HTTP_REQUEST {..." iRule that checks inbound traffic and redirects to one of two servers based on URI value. I know this is basic since I am new, but do I add a NEW iRule, or just modify the logic of my existing iRule and add this one in to it??? Also, if adding it to my existing iRule, would it matter if it is at the top or should it go in its own loop of some sort.

       

      For discussion purposes, let me simplify my iRule and add the iRule from the manual to see if this makes sense (not sure why formatting isn't working but code starts now:

       

      when HTTP_REQUEST { if { [HTTP::cookie exists "IsClientAppCacheEnabled"] } { HTTP::cookie "IsClientAppCacheEnabled" False }

       

      switch -glob [string tolower [HTTP::uri]] {
      "/login/*" {
          pool private_https_pool
          HTTP::header insert CERT_SUBJECT "[ACCESS::session data get session.ssl.cert.subject]"
      }
      default {
          ACCESS::disable
          pool public_https_pool
      }

      }