LDAP via iAPP timeout problems

Question

Hi,&nbsp;
I set up loadbalancing for LDAP a while ago. I am using the LDAP iAPP on my pair of viprion guests (11.6.0 HF5).&nbsp;
The LDAP guys are now experiencing problems with their LDAP sessions timing out after 300 seconds.
I think I figured out, that the timeout is due to the internal NAT-timeout of the BigIP. The timers are set to indefinite...but the internal max timeout seems to be 300 secs.&nbsp;
In my opinion it has to be a problem with the LDAP configuration. A session that stays up for over 300 secs without sending a single packet does not seem to be a good thing to me. But unfortunately I know only little about LDAP configuration.&nbsp;
So how can I fix the Problem?&nbsp;
Is there any possibility to configure a longer timeout for LDAP on the F5? &nbsp;
Does the LDAP team have to change anything?&nbsp;
Thanks in advance&nbsp;
Regards,&nbsp;
Thorsten&nbsp;

fred_slater_856 · Accepted Answer

The iApp attaches a tcp profile to the ldap virtual, with a default timeout of 300 seconds. It's a good bet that you could solve your problem by extending that. You can customize that tcp profile either by changing the iApp code or by (gulp) turning off strictness and changing the profile directly. The problem with the latter is that it will change back if you ever use the iApp again. Here's how to do things right by modifying the iApp.&nbsp;
Go to the iApp templates menu and click on the f5.ldap iApp.Click the "Copy" button at the bottom of the window, below all of the iApp code.You should see "Copy_of_f5.ldap" in the Template name field. Rename it if you wish.Search the page (cntl-f) for the words "create ltm profile tcp". There are 4 occurrences--2 relevant to the client side and 2 relevant to the server side. The code makes it obvious which is which, even if you don't read Tcl.To set the timeout to 1800 seconds, on the line after each occurrence, before the right square bracket, add the words "idle-timeout 1800".  The first one should look like: default-from tcp-lan-optimized idle-timeout 1800] }SaveNavigate to your deployed iApp and click the Reconfigure tab.Next to the Template field, click "Change" and select the template that you just modified.Click Finished to redeploy the iApp with the new timeout values.

elfasso_137228 · Answer

Hi Fred,&nbsp;
thanks for your answer.
I just used the gulp-method ;) to find out if that's the idle timout that causes my problem. Result: It is. &nbsp;
I did not know until now, that you can easily clone an iAPP and change the parameters that suit your purposes. 
I have a little knowledge about TCL, but the colleague in my team that does all the scripting knows TCL very well.&nbsp;
You helped me a lot.&nbsp;
Thanks,&nbsp;
Thorsten&nbsp;

Forum Discussion

LDAP via iAPP <> timeout problems

2 Replies

Recent Discussions

minimum tmos software version for connect CIS (openshift)

Chrome V 124+ on MacOS - Virtual Server Access Issue

F5 Rseries HA

Need advise to setup a policy on F5

F5 Rseries R2600 Tenant sizing

Related Content

Is there a traceroute equivalent in F5 like the format of ping -I <source ip> <destination ip>

big3d timeouts

Inet port exhaustion on <ip_address> to <ip_address:port> (proto <protocol>) issue

Eventd.xml file changes its enabled value from <enabled>1</enabled> to <enabled>0</enabled>

Tag! <You're It>