[APM] - Error: failed to reset strict operations; disconnecting from mcpd
Hello Experts,

When we try to verify the sys config with the command "load sys config verify", we are getting the below error message followed by the services restarting... Bug ID 997793 (f5.com). We tried to remove the old epsec-package file and restarted, but no luck. Can anyone please advise on this?

    Validating configuration...
    /config/bigip_base.conf
    /config/bigip_user.conf
    /config/bigip.conf
    /config/bigip_script.conf
    Error: failed to reset strict operations; disconnecting from mcpd. Will reconnect on next command.
    The connection to mcpd has been lost, try again.

What is the use of epsec-package file in APM?
Hello Team,

What is the use of epsec-package file in APM? How EPSEC works in APM?

    apm epsec epsec-package epsec-1.0.0-1622.0.iso {
        create-time 2024-09-19:12:50:37
        last-update-time 2024-03-21:11:07:38
        mode 33188
        oesis-version 4.3.3969.0
        revision 1
        size 301641728
        system-package true
        updated-by root
        version 1.0.0-1622.0
    }

user alert on apm logs
I try to trigger a command when a specific log is written on /var/log/apm. It works on 2 different non prod big-ip, but on a third one in production it only works with /var/log/ltm logs.

user_alert.conf

"failed" is common in my ltm logs. "New session" is common in apm logs.

So this works (triggered from ltm logs):

    alert test "failed" {
        exec command="logger -p local0.notice 'test'"
    }

This doesn't (not triggered from apm logs):

    alert test "New session" {
        exec command="logger -p local0.notice 'test'"
    }

Do you have any idea why?

APM : is VMware Workspace One supported as an Endpoint Management System?
Hello,

In the past, we added our on-premises Airwatch server in the Endpoint Management Systems list. We used this feature to check if the smartphones connecting to the VPN were properly enrolled. We used this feature only for a few users. We migrated to VMware Workspace One in SaaS mode but we forgot about this feature.

Is VMware Workspace One supported as an Endpoint Management System? Could F5 APM connect to WSO API? When adding our WSO instance as Airwatch, we got a "General configuration error".

Thank you
Thomas

Yubikey APM and AzureAD question
Hey,

I'm trying to add the ability to use yubikeys as hardware keys to my Saml/Azureid logins. I saw this doc for how to do it with okta: Application access using YubiKey Authentication with APM and Okta | DevCentral. I was wondering if there were similar instructions for Azure AD. It seems like the okta integration relies on the okta connector supporting yubikey in v 16.0. We are currently running 16.1.5, but I don't see something similar in the Azure AD connector.

I was wondering how other people have done this? Or if there was something I'm missing? We've been able to add yubikeys on the Azure AD side, but they never show up when we try to use them as a 2nd factor with the BIG IP Edge client.

APM subsession variables disappear before session is terminated
Hi,

We are currently trying to access APM subsession variables in a Per-Request policy. The subsession variables contain user information gathered when validating users with an OAuth client "branch". We would like to keep the username, e.g. subsession.oauth.client.last.id_token.preferred_username, throughout the entire session. However, after around 15 minutes it disappears but the session remains (this matches the Max subsession life timeout value of 900 seconds).

When the subsession expires, users are not validated once more as their session is still valid, and the subsession variable is now "blank". This makes the session logs "anonymous" after 900 seconds and requires extended log searching to find the user of the session (searching for the session ID and finding the originating username from when the session was established).

It seems that it is not possible to persist subsession variables to the main session variables. If I add the OAuth branch in the Per Session policy the variables persist, which I would assume is expected behavior. However, this is not a feasible solution, as we branch HTTP HOSTs and validate users with different OAuth Servers (Azure App reg). This is only possible in the Per-Request policy.

Any advice would be greatly appreciated :-)

Is it possible to apply SSO when login page and app run on different device?
I was wondering, is it possible to apply SSO when we are using webtop login on BIGIP01 and the application is on BIGIP02? I just tried to understand that the APM profile on the webtop login is to collect and cache the user identity (when using SSO Mapping) and the APM profile on the application virtual server is to post the cache that has been stored before. Is it possible to pass this session on BIGIP01 to BIGIP02 to make sure the SSO is working properly?

ACCESS::session set variables are displayed as garbled characters
Hi everyone,

I use this iRule to create a variable for the SSO form action, but the variable is displayed as garbled characters.

    when ACCESS_ACL_ALLOWED {
        ACCESS::session data set session.ha.sso.starturi [HTTP::uri]
    }

APM log, please check the string in RED.

    Sep 5 14:52:04 debug websso.1[22669]: 014d0052:7: /Common/apm_haportal:Common:707251ac:ssoMethod:|form-based| customLogConfigName:|| usernameSource:|session.sso.token.last.username| passwordSource:|session.sso.token.last.password| startURI:|/*| formAction:|%{session.ha.sso.starturi}| formUsername:|USER_LOGIN| formPassword:|USER_PASSWORD| formParams:|AUTH_FORM Y TYPE AUTH LOGIN_TYPE backurl %{session.ha.sso.starturi}| _successMatchType:|2| _successMatchValue:|BITRIX_AUTH_SUCCEED=Y| pua_auth_name:||
    Sep 5 14:52:04 debug websso.1[22669]: 014d0052:7: /Common/apm_haportal:Common:707251ac:ctx: 0x7ffadc013480, CLIENT: TMEVT_REQUEST
    Sep 5 14:52:04 debug websso.1[22669]: 014d0052:7: /Common/apm_haportal:Common:707251ac:ctx: 0x7ffadc013480, CLIENT: TMEVT_REQUEST_DONE
    Sep 5 14:52:04 debug websso.1[22669]: 014d0052:7: /Common/apm_haportal:Common:707251ac:ctx: 0x7ffadc013480, CLIENT: TMEVT_SESSION_RESULT
    Sep 5 14:52:04 debug websso.1[22669]: 014d0052:7: /Common/apm_haportal:Common:707251ac:ctx: 0x7ffadc013480, CLIENT: TMEVT_SESSION_RESULT
    Sep 5 14:52:04 debug websso.1[22669]: 014d0052:7: /Common/apm_haportal:Common:707251ac:ctx: 0x7ffadc013480, CLIENT: TMEVT_SESSION_RESULT
    Sep 5 14:52:04 debug websso.1[22669]: 014d0052:7: /Common/apm_haportal:Common:707251ac:ctx: 0x7ffadc013480, CLIENT: TMEVT_SESSION_RESULT
    Sep 5 14:52:04 debug websso.1[22669]: 014d0052:7: /Common/apm_haportal:Common:707251ac:httpURI: '^Q«Õ^^±'
    Sep 5 14:52:04 debug websso.1[22669]: 014d0030:7: /Common/apm_haportal:Common:707251ac: checking start uri match, configured start uri: '/*', request: '/workgroups/group/1580/disk/path/'
    Sep 5 14:52:04 info websso.1[22669]: 014d0051:6: /Common/apm_haportal:Common:707251ac: start uri match found in configuration '/Common/SSO_bitrix_all' for request '/workgroups/group/1580/disk/path/'
    Sep 5 14:52:04 info websso.1[22669]: 014d0015:6: /Common/apm_haportal:Common:00000000: Websso form-based authentication for user '' using config '/Common/SSO_bitrix_all'
    Sep 5 14:52:04 info websso.1[22669]: 014d0067:6: /Common/apm_haportal:Common:00000000: SSO form based post submitted for user '' to URL ^Q«Õ^^±
    Sep 5 14:52:04 debug websso.1[22669]: 014d0052:7: /Common/apm_haportal:Common:707251ac:ctx: 0x7ffadc005a80, SERVER: TMEVT_REQUEST
    Sep 5 14:52:04 debug websso.1[22669]: 014d0052:7: /Common/apm_haportal:Common:707251ac:ctx: 0x7ffadc005a80, SERVER: TMEVT_RESPONSE
    Sep 5 14:52:04 debug websso.1[22669]: 014d0052:7: /Common/apm_haportal:Common:707251ac:ctx: 0x7ffadc013480, CLIENT: TMEVT_RESPONSE
    Sep 5 14:52:04 debug websso.1[22669]: 014d0052:7: /Common/apm_haportal:Common:707251ac:ctx: 0x7ffadc013480, CLIENT: TMEVT_RESPONSE_DONE
    Sep 5 14:52:04 debug websso.1[22669]: 014d0052:7: /Common/apm_haportal:Common:707251ac:_ssoDisabled: false, _needAuth: true

APM/OAuth2 : auto apply changes made by discovery
Hi,

I've set up OAuth2 to Azure EntraID following this documentation. It works well but I'm only facing a serious issue. In the OAuth provider configuration, I've enabled the discovery job to run once per day. This allows the BigIP to fetch any new certificate and/or JWT as provided by the app on EntraID.

The problem is that when the certificate or the JWT changes, you have to re-apply the per-session policy in order for the change to take effect. And on multiple occasions, the access to our critical applications failed because the changes weren't applied in a timely manner.

Is there a way to automatically apply the changes made by the OAuth discovery job?

Running version : BigIP 17.1.1.157Views0likes7Comments

SSL-VPN external DHCP
Hello,

I am wondering if it's possible to configure a DHCP-relay to an external DHCP-server for the SSL-VPN from the APM module. I haven't been able to find any relevant information when searching on the web.

Thank you in advance for your help.

Best regards
Philip