Last Modified: Oct 31, 2024
Affected Product(s):
BIG-IP Install/Upgrade, TMOS
Known Affected Versions:
15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 15.1.10.4, 15.1.10.5, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3, 17.1.0, 17.1.0.1, 17.1.0.2, 17.1.0.3, 17.1.1, 17.1.1.1
Fixed In:
17.1.1.2, 16.1.5
Opened: Sep 20, 2023
Severity: 3-Major
Related Article:
K000137505
When you access GUI pages that use REST API token-based authentication, the pages fail to load with the message "Error getting auth token from login provider". You may also observe a red banner with the message: "The iApp LX sub-system is currently unresponsive."
For example, accessing the policies list from the following locations:
iApps ›› Application Services : Applications LX
Security ›› Application Security : Security Policies : Policies List
GUI pages that use REST API token-based authentication will not load.
If the auth-pam-idle-timeout is other than 1200:

list sys httpd auth-pam-idle-timeout
sys httpd {
    auth-pam-idle-timeout 1200
}
Use the following tmsh commands:

tmsh modify sys httpd auth-pam-idle-timeout 1200
tmsh save sys config
tmsh restart sys service httpd

Wait for 2 minutes.

Delete cookies from /var/run/pamcache:

rm -f /var/run/pamcache/*

Users authenticated in the TMUI will log out automatically. After logging back in, TMUI pages should load properly.

For VIPRION:

tmsh modify sys httpd auth-pam-idle-timeout 1200
tmsh save sys config
clsh tmsh restart sys service httpd

Wait for 2 minutes.

Edit the csyncd settings to prevent old cookies from syncing from another blade:

clsh "cp /etc/csyncd.conf /etc/csyncd.conf.$(date +%Y%m%d_%H%M%S)"
clsh "sed -i '/run\/pamcache/,+2s/^/#/' /etc/csyncd.conf"
clsh "bigstart restart csyncd"

Delete cookies from /var/run/pamcache:

clsh rm -f /var/run/pamcache/*

Revert the csyncd settings:

clsh "sed -i '/run\/pamcache/,+2s/^#//' /etc/csyncd.conf"
clsh "bigstart restart csyncd"

Note: Modifying the auth-pam-idle-timeout value will sync between devices in a sync-failover device group, but the workaround steps above must be performed on each device individually.
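The two sed edits in the VIPRION steps can be rehearsed on sample text before they are run on every blade. The script below is an added example, not part of the F5 article: the csyncd.conf stanza in make_sample is constructed (the real file's layout is not shown here) and the function names are hypothetical. It checks that one disable followed by one revert is lossless, and shows that running the disable step twice leaves the pamcache stanza commented out after a single revert.

```shell
# Added example: rehearse the workaround's csyncd.conf edits on sample text.
# make_sample is a constructed stand-in; the real file layout is not on the page.
make_sample() {
cat <<'EOF'
monitor dir /config/example {
    queue example
}
monitor dir /var/run/pamcache {
    queue pamcache
}
monitor dir /config/other {
    queue other
}
EOF
}

# Same sed expressions as the workaround, reading stdin instead of editing in place.
disable_pamcache() { sed '/run\/pamcache/,+2s/^/#/'; }
enable_pamcache()  { sed '/run\/pamcache/,+2s/^#//'; }
# Print the lines the range would touch (read-only preview of the edit).
affected_lines()   { sed -n '/run\/pamcache/,+2p'; }

# Returns 0 when one disable + one revert restores the input exactly.
round_trip_ok() {
    rt_orig=$(cat)
    rt_back=$(printf '%s\n' "$rt_orig" | disable_pamcache | enable_pamcache)
    [ "$rt_orig" = "$rt_back" ]
}

# Returns 0 when the stanza is still commented out after disable, disable, revert.
# This is the state a blade is left in if the disable step is run twice.
double_disable_leaves_comment() {
    dd_out=$(disable_pamcache | disable_pamcache | enable_pamcache)
    printf '%s\n' "$dd_out" | grep -q '^#monitor dir /var/run/pamcache'
}

if make_sample | round_trip_ok; then echo "round trip: lossless"; fi
echo "lines touched: $(make_sample | affected_lines | wc -l)"
if make_sample | double_disable_leaves_comment; then
    echo "double disable + single revert: stanza still commented"
fi
```

Feeding the real /etc/csyncd.conf to affected_lines shows which lines the range would comment out without changing the file.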
Restjavad layer modified to accommodate idle timeout values other than 1200