Error if I wait 2 min on login page

[Stefano Baronio]

Hi all,

    I just discovered that if I open the AAA login page and wait for about 2 minutes, than the login will fail with something like "call your support".

Error logged in ns.log are:

 "AAATM Login: created session for <stefano.baronio> with cookie: <>"

"Artifact Store: Value absent in local cache"

 "AAATM LOGIN: failed to lookup cgi/tm one time code"

 

And then:

"AAA Client Handler: Found extended error code 1245184

 

The problem happen when logging off the application as well. If I wait a couple of minutes then I can no longer log on and have to re-load the initial page.

Anybody knows a workaround for this?

 

Thanks

Stefano

 

[Rhonda Rowland1709152125]

Check your clock/cookies/timeouts first:

1) check your NetScaler system clock/timezone settings to see if they are not in sync

2) Determine whether the NetScaler is still using version 0 (absolute timestamp) vs version 1 (relative timestamp) cookies and change to version 1.

3) Double check in your AAA session policy or global parameters that you do or don't have a max session or idle session or client idle session timeout set that could be affecting the authentication duration there.

 

If you use AAA for any other application do you see the same behavior (if so, one of the above settings is likely). If it works for some apps and not this one, there might ben issue that is app specific.  You could do a trace in case there is a connection termination happening elsewhere in the communication.

[Stefano Baronio]

Hi Rhonda, 

   thank you for your time. I've checked point 1) and 2) and they are ok.

I couldn't find any timeout setting in AAA global setting and I've checked on Global system settings, HTTP parameters and Change Timeout Values (all 0), but they seems to be ok.

Set the SSL timeout in the Auth vServer properties to 600, but no change.

 

Session cookies are set after authentication, so they shouldn't get involved in this case.

At login prompt, the only cookie set is NSC_TASS. I've noticed that the cookie has the following text in it: <server-url>/&code=40e7fb01526ba8ea. After the authentication the cookie content changes and the "code" part disappear. Any changes it is related with the error "AAATM LOGIN: failed to lookup cgi/tm one time code"?

 

Thank you

Stefano

 

[Rhonda Rowland1709152125]

For AAA, try going to your lb or vpn vserver first and then have it hand off authentication to AAA. You don't often start by hitting the AAA page first (like you would the vpn portal). Off the top of my head, I'm not sure why you are seeing that behavior though.

[Stefano Baronio]

Actually I hit the LB URL, then I'm redirected to the AAA login page. If I wait there for about 2 mins I get the error "Try again or contact your help desk" with the logs above.

I get the same error when logging off the application and wait more than 2 mins on the same login page (I have a redirect policy on the logoff button hit).

 

 

[Joaquin Canovas]

Hello I ge the same issue "If I wait there for about 2 mins I get the error "Try again or contact your help desk" with the logs above.".  

 

Like a poor workaround, I have added a Content Switching policy that publish "OWA & AAA Server" with the expression

HTTP.REQ.HOSTNAME.EQ(" FQDN  OWA  ") && http.req.url.endswith("ico_error.png"). In the action I publish the LB Virtual server that redirect to "https://"FQDN  OWA"/owa

FQDN  OWA: your public FQDN

It is not an elegant solution but in the case of error, the system advice to the user that "try again" and in this case works. 

I will try to find a better solution but  meantime it is better that get the error.

 

[Joaquin Canovas]

One modification:

expression

HTTP.REQ.HOSTNAME.EQ(" FQDN  AAA  ") && http.req.url.endswith("ico_error.png"). In the action I publish the LB Virtual server that redirect to "https://"FQDN  OWA"/owa

FQDN  OWA: your public FQDN