Stefano Baronio Posted January 10, 2020

Hi all,

I just discovered that if I open the AAA login page and wait for about 2 minutes, then the login will fail with something like "call your support".

Errors logged in ns.log are:

"AAATM Login: created session for <stefano.baronio> with cookie: <>"
"Artifact Store: Value absent in local cache"
"AAATM LOGIN: failed to lookup cgi/tm one time code"

And then:

"AAA Client Handler: Found extended error code 1245184"

The problem happens when logging off the application as well. If I wait a couple of minutes then I can no longer log on and have to re-load the initial page.

Does anybody know a workaround for this?

Thanks
Stefano

Rhonda Rowland1709152125 Posted January 10, 2020

Check your clock/cookies/timeouts first:

1) Check your NetScaler system clock/timezone settings to see if they are not in sync.
2) Determine whether the NetScaler is still using version 0 (absolute timestamp) vs version 1 (relative timestamp) cookies and change to version 1.
3) Double check in your AAA session policy or global parameters that you do or don't have a max session or idle session or client idle session timeout set that could be affecting the authentication duration there.

If you use AAA for any other application, do you see the same behavior? (If so, one of the above settings is likely.) If it works for some apps and not this one, there might be an issue that is app specific. You could do a trace in case there is a connection termination happening elsewhere in the communication.

Stefano Baronio Posted January 13, 2020

Hi Rhonda,

thank you for your time. I've checked points 1) and 2) and they are ok. I couldn't find any timeout setting in the AAA global settings, and I've checked Global system settings, HTTP parameters and Change Timeout Values (all 0), but they seem to be ok. I set the SSL timeout in the Auth vServer properties to 600, but no change.

Session cookies are set after authentication, so they shouldn't get involved in this case. At the login prompt, the only cookie set is NSC_TASS. I've noticed that the cookie has the following text in it: <server-url>/&code=40e7fb01526ba8ea. After the authentication the cookie content changes and the "code" part disappears. Any chance it is related to the error "AAATM LOGIN: failed to lookup cgi/tm one time code"?

Thank you
Stefano

Rhonda Rowland1709152125 Posted January 13, 2020

For AAA, try going to your lb or vpn vserver first and then have it hand off authentication to AAA. You don't often start by hitting the AAA page first (like you would the vpn portal). Off the top of my head, I'm not sure why you are seeing that behavior though.

Stefano Baronio Posted January 13, 2020

Actually I hit the LB URL, then I'm redirected to the AAA login page. If I wait there for about 2 mins I get the error "Try again or contact your help desk" with the logs above. I get the same error when logging off the application and waiting more than 2 mins on the same login page (I have a redirect policy on the logoff button hit).

Joaquin Canovas Posted May 26, 2020

Hello,

I get the same issue: "If I wait there for about 2 mins I get the error "Try again or contact your help desk" with the logs above."

As a poor workaround, I have added a Content Switching policy that publishes "OWA & AAA Server" with the expression HTTP.REQ.HOSTNAME.EQ(" FQDN OWA ") && http.req.url.endswith("ico_error.png"). In the action I publish the LB Virtual server that redirects to "https://"FQDN OWA"/owa

FQDN OWA: your public FQDN

It is not an elegant solution, but in the case of an error the system advises the user to "try again", and in this case it works. I will try to find a better solution, but in the meantime it is better than getting the error.

Joaquin Canovas Posted May 26, 2020

One modification: the expression is HTTP.REQ.HOSTNAME.EQ(" FQDN AAA ") && http.req.url.endswith("ico_error.png"). In the action I publish the LB Virtual server that redirects to "https://"FQDN OWA"/owa

FQDN OWA: your public FQDN