New IAPP5

Are you needing to support multiple View PODS and are using the noted "Advanced Load Management using Dynamic session detection" solution in the DG?"

Yes, I do have a need to support the solution in the DG. Thanks.

With logging enabled in your iRules, would you mind posting the log items seen in your LTM log prior to timing out? Minus any sensitive information,

Greg

Sure no problem. See below.

Oct 17 08:21:22 an2 info tmm1[16097]: Rule /Common/view_ssl_auth : <10.10.100.144:50980 10.10.100.224:443>: Client Cookies: com.vmware.vdi.broker.location.id LastMRH_Session JSESSIONID Oct 17 08:21:22 an2 info tmm1[16097]: Rule /Common/view_ssl_auth : <10.10.100.144:50980 10.10.100.224:443>: Client JSESSIONID: 78C4689A09B4EB6FBE39F1D11672926D Oct 17 08:21:22 an2 info tmm1[16097]: Rule /Common/view_ssl_auth : <10.10.100.144:50980 10.10.100.224:443>: User-Agent Exists, iPad or Full Client coming in Oct 17 08:21:22 an2 info tmm1[16097]: Rule /Common/view_ssl_auth : <10.10.100.144:50980 10.10.100.224:443>: Found jsessionid variable: 78C4689A09B4EB6FBE39F1D11672926D Oct 17 08:21:22 an2 info tmm1[16097]: Rule /Common/view_ssl_auth : <10.10.100.144:50980 10.10.100.224:443>: There are currently 2 entries in the table. Oct 17 08:21:22 an2 info tmm1[16097]: Rule /Common/view_ssl_auth : <10.10.100.144:50980 10.10.100.224:443>: Setting Node Table value to 443 Oct 17 08:21:22 an2 info tmm1[16097]: Rule /Common/view_ssl_auth : <10.10.100.144:50980 10.10.100.224:443>: before collect Oct 17 08:21:22 an2 info tmm1[16097]: Rule /Common/view_ssl_auth : <10.10.100.144:50980 10.10.100.224:443>: Set content-length to 99 Oct 17 08:21:22 an2 info tmm1[16097]: Rule /Common/view_ssl_auth : <10.10.100.144:50980 10.10.100.224:443>: after collect Oct 17 08:21:22 an2 info tmm1[16097]: Rule /Common/view_ssl_auth : <10.10.100.144:50980 10.10.100.224:443>: In Request data Oct 17 08:21:23 an2 info tmm1[16097]: Rule /Common/view_ssl_auth : <10.10.100.144:50980 10.10.100.224:443>: Server responds with JSESSIONID: Oct 17 08:21:23 an2 info tmm1[16097]: Rule /Common/view_ssl_auth : <10.10.100.144:50980 10.10.100.224:443>: Content-Length exists and is 530 Oct 17 08:21:23 an2 info tmm1[16097]: Rule /Common/view_ssl_auth : <10.10.100.144:50980 10.10.100.224:443>: At or after Login Request Oct 17 08:21:23 an2 info tmm1[16097]: Rule /Common/view_ssl_auth : Client Accepted: 10.10.100.144:50982 10.10.100.224:443 Oct 17 08:21:23 an2 info tmm1[16097]: Rule /Common/view_ssl_auth : <10.10.100.144:50982 10.10.100.224:443>: new request Oct 17 08:21:23 an2 info tmm1[16097]: Rule /Common/view_ssl_auth : <10.10.100.144:50982 10.10.100.224:443>: Client Cookies: Oct 17 08:21:23 an2 info tmm1[16097]: Rule /Common/view_ssl_auth : <10.10.100.144:50982 10.10.100.224:443>: Client JSESSIONID: Oct 17 08:21:23 an2 info tmm1[16097]: Rule /Common/view_ssl_auth : <10.10.100.144:50982 10.10.100.224:443>: User-Agent Exists, iPad or Full Client coming in Oct 17 08:21:23 an2 info tmm1[16097]: Rule /Common/view_ssl_auth : <10.10.100.144:50982 10.10.100.224:443>: Found jsessionid variable: Oct 17 08:21:23 an2 info tmm1[16097]: Rule /Common/view_ssl_auth : <10.10.100.144:50982 10.10.100.224:443>: There are currently 2 entries in the table. Oct 17 08:21:23 an2 info tmm1[16097]: Rule /Common/view_ssl_auth : <10.10.100.144:50982 10.10.100.224:443>: No table entry found for that jsessionid of Oct 17 08:21:23 an2 info tmm1[16097]: Rule /Common/view_ssl_auth : <10.10.100.144:50982 10.10.100.224:443>: before collect Oct 17 08:21:23 an2 info tmm1[16097]: Rule /Common/view_ssl_auth : <10.10.100.144:50982 10.10.100.224:443>: Set content-length to 5000 Oct 17 08:21:23 an2 info tmm1[16097]: Rule /Common/view_ssl_auth : <10.10.100.144:50982 10.10.100.224:443>: after collect

What View client is being used and what version?

Also, would you mind adding the following log entry to your view_ssl_auth irule?

Within:

when HTTP_REQUEST_DATA {

after

add

if { $static::ViewSSL_Auth_debug > 1 } { log local0. "<$log_prefix>: Payload equals [HTTP::payload]"}

I am looking to see if your payload is complete and contains "do-submit-authentication". If you want, please post the log after scrubbing the username and password which will be within the log.

thanks, Greg

I'm testing this on both the View Horizon Client, 2.1 for the MAC and 5.4.0 build 1219906 for the PC. I'll do some more testing this afternoon. A grep on "Payload Equals" (redacted)…

Oct 18 07:22:29 an2 info tmm[16097]: Rule /Common/view_ssl_auth : : Payload equals windows-password username User1 domain DOMAIN-NET password Password Oct 18 07:22:30 an2 info tmm[16097]: Rule /Common/view_ssl_auth : : Payload equals

The second one is of course right before things stop working, the rest of the logged conversation including the second entry:

Fri Oct 18 07:22:30 EDT 2013 info an2 tmm[16097] Rule /Common/view_ssl_auth : : Payload equals Fri Oct 18 07:22:30 EDT 2013 info an2 tmm[16097] Rule /Common/view_ssl_auth : : Server responds with JSESSIONID: Fri Oct 18 07:22:30 EDT 2013 info an2 tmm[16097] Rule /Common/view_ssl_auth : : Content-Length exists and is 530 Fri Oct 18 07:22:30 EDT 2013 info an2 tmm[16097] Rule /Common/view_ssl_auth : : At or after Login Request Fri Oct 18 07:22:31 EDT 2013 info an2 tmm[16097] Rule /Common/view_ssl_auth : Client Accepted: a.b.c.d:51489 10.10.100.224:443 Fri Oct 18 07:22:31 EDT 2013 info an2 tmm[16097] Rule /Common/view_ssl_auth : : new request Fri Oct 18 07:22:31 EDT 2013 info an2 tmm[16097] Rule /Common/view_ssl_auth : : Client Cookies: Fri Oct 18 07:22:31 EDT 2013 info an2 tmm[16097] Rule /Common/view_ssl_auth : : Client JSESSIONID: Fri Oct 18 07:22:31 EDT 2013 info an2 tmm[16097] Rule /Common/view_ssl_auth : : User-Agent Exists, iPad or Full Client coming in Fri Oct 18 07:22:31 EDT 2013 info an2 tmm[16097] Rule /Common/view_ssl_auth : : Found jsessionid variable: Fri Oct 18 07:22:31 EDT 2013 info an2 tmm[16097] Rule /Common/view_ssl_auth : : There are currently 1 entries in the table. Fri Oct 18 07:22:31 EDT 2013 info an2 tmm[16097] Rule /Common/view_ssl_auth : : No table entry found for that jsessionid of Fri Oct 18 07:22:31 EDT 2013 info an2 tmm[16097] Rule /Common/view_ssl_auth : : before collect Fri Oct 18 07:22:31 EDT 2013 info an2 tmm[16097] Rule /Common/view_ssl_auth : : Set content-length to 5000 Fri Oct 18 07:22:31 EDT 2013 info an2 tmm[16097] Rule /Common/view_ssl_auth : : after collect Fri Oct 18 07:32:52 EDT 2013 info an2 tmm[16097] Rule /Common/view_ssl_auth : : In Request data

Thanks!

Btw, it does look like it just stops communicating. I wonder if it has something to do with adding the length value of 5000. From https://devcentral.f5.com/wiki/iRules.HTTP__collect.ashx "Use caution when specifying a value larger than the size of the actual length. Doing so can stall the connection." Though I understand that not having a content-length could hang the connection as well. Eventually shutting the client down of course issues a new payload:

Oct 18 07:32:52 an2 info tmm[16097]: Rule /Common/view_ssl_auth : : Payload equals 54 M;1;;17;messageType=S:aW5pdA==|;30;type=S:Qw==|v1=I:3|v2=I:1|v3=I:4|cid=S:MTIzNA==|; 3B M;2;;17;messageType=S:c3RvcA==|;17;messageType=S:c3RvcA==|; A D;3;;0;0;;

I am not using the use current user login feature or local mode but I am using Windows7. I've added additional logging to the iRule and the last log entry that I get is at the end of the HTTP_Request right after the collect. The Logon on to desktop selection screen never comes up unless I remove the view_ssl_auth iRule, though I have the PCOIP VS created. RDP doesn't make a difference. It sounds like it worked for you without too many modifications to the iRules beyond the settings in the deployment guide and potentially path to the pools? It works fine without the iRule but I'll step through it again and see if I missed anything.

Within the HTTP_REQUEST_DATA, I would add a log entry right above the regsub expression to see if the [HTTP:payload] contains "do-submit-authentication" is being matched.