Bug ID 1353957: The message "Error getting auth token from login provider" is displayed in the GUI

Last Modified: Dec 18, 2024

Affected Product(s):
BIG-IP Install/Upgrade, TMOS(all modules)

Known Affected Versions:
15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 15.1.10.4, 15.1.10.5, 15.1.10.6, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3, 17.1.0, 17.1.0.1, 17.1.0.2, 17.1.0.3, 17.1.1, 17.1.1.1

Fixed In:
17.1.1.2, 16.1.5

Opened: Sep 20, 2023

Severity: 3-Major

Related Article: K000137505

Symptoms

When you access GUI pages that use REST API token-based authentication, the pages fail to load with the message "Error getting auth token from login provider". You may also observe a red banner with the message: "The iApp LX sub-system is currently unresponsive." For example, accessing the policies list from the following location: iApps ›› Application Services : Applications LX Security ›› Application Security : Security Policies : Policies List

Impact

GUI pages that use REST API token-based authentication will not load.

Conditions

If the auth-pam-idle-timeout is other than 1200 list sys httpd auth-pam-idle-timeout sys httpd { auth-pam-idle-timeout 1200 }

Workaround

Use the following tmsh commands: tmsh modify sys httpd auth-pam-idle-timeout 1200 tmsh save sys config tmsh restart sys service httpd wait for 2 minutes Delete cookies from /var/run/pamcache rm -f /var/run/pamcache/* Users authenticated in the TMUI will log out automatically. After logging back in, TMUI pages should load properly. for VIPRION tmsh modify sys httpd auth-pam-idle-timeout 1200 tmsh save sys config clsh tmsh restart sys service httpd wait for 2 minutes Edit csyncd settigs prevent old cookies sync from other blade. clsh "cp /etc/csyncd.conf /etc/csyncd.conf.$(date +%Y%m%d_%H%M%S)" clsh "sed -i '/run\/pamcache/,+2s/^/#/' /etc/csyncd.conf" clsh "bigstart restart csyncd" Delete cookies from /var/run/pamcache clsh rm -f /var/run/pamcache/* Revert csyncd settigs. clsh "sed -i '/run\/pamcache/,+2s/^#//' /etc/csyncd.conf" clsh "bigstart restart csyncd" Note: Modifying the auth-pam-idle-timeout value will sync between devices in a sync-failover device group, but the workaround steps above must be performed on each device individually.

Fix Information

Restjavad layer modified to accommodate idle timeout values other than 1200

Behavior Change

Sys httpd auth-pam-idle-timeout cannot be configured larger than 86400

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips