Symptoms

When you access GUI pages that use REST API token-based authentication, the pages fail to load with the message "Error getting auth token from login provider". You may also observe a red banner with the message: "The iApp LX sub-system is currently unresponsive." For example, accessing the policies list from the following location: iApps ›› Application Services : Applications LX Security ›› Application Security : Security Policies : Policies List

Impact

GUI pages that use REST API token-based authentication will not load.

Conditions

If the auth-pam-idle-timeout is other than 1200 list sys httpd auth-pam-idle-timeout sys httpd { auth-pam-idle-timeout 1200 }

Workaround

Use the following tmsh commands: tmsh modify sys httpd auth-pam-idle-timeout 1200 tmsh save sys config tmsh restart sys service httpd wait for 2 minutes Delete cookies from /var/run/pamcache rm -f /var/run/pamcache/* Users authenticated in the TMUI will log out automatically. After logging back in, TMUI pages should load properly. for VIPRION tmsh modify sys httpd auth-pam-idle-timeout 1200 tmsh save sys config clsh tmsh restart sys service httpd wait for 2 minutes Edit csyncd settigs prevent old cookies sync from other blade. clsh "cp /etc/csyncd.conf /etc/csyncd.conf.$(date +%Y%m%d_%H%M%S) clsh "sed -i '/run\/pamcache/,+2s/^/#/' /etc/csyncd.conf" clsh "bigstart restart csyncd" Delete cookies from /var/run/pamcache clsh rm -f /var/run/pamcache/* Revert csyncd settigs. clsh "sed -i '/run\/pamcache/,+2s/^#//' /etc/csyncd.conf"; clsh "bigstart restart csyncd" Note: Modifying the auth-pam-idle-timeout value will sync between devices in a sync-failover device group, but the workaround steps above must be performed on each device individually.

Fix Information

Restjavad layer modified to accommodate idle timeout values other than 1200

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips