403 Error "Your session has expired and the post data is lost. Please re-authenticate and re-post the data"

  • 7008627
  • 23-May-2011
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Linux Access Gateway

Situation

Access Manager is set up and working: users can access protected resources after authenticating to the Identity Server. One or two users report 403 errors to the helpdesk when trying to access some protected resources. The full error reported is:

"Your session has expired and the post data is lost. Please re-authenticate and re-post the data"

As soon as they restart the browser, the error goes away. The occurrence appears to be more pronounced if the users are away from their machine for a long time and then come back and try to access the protected resource. Troubleshooting also indicated that the error occurred when a user was submitting data to the back-end Web server through the proxy, and not when requesting data from the Web server.

Resolution

Have the user reauthenticate to the protected resource first by requesting data. Once done, have the same user resubmit the data that had triggered the 403 error.

When an incoming request from the browser reaches the Linux Access Gateway (LAG) and the user's session has expired, the LAG must redirect that user to the Identity Server to reauthenticate. This is done with an HTTP 302 redirect. When the incoming request includes data, e.g. when a user is POSTing data to the Web server, the LAG must save (park) the data until the user has reauthenticated. When the request comes back for the original URL after reauthentication, the LAG automatically retrieves the stored data and sends it to the back end. There is a maximum limit on how much data can be stored during this operation: 64kB. In the above case, the user was sending over 100kB worth of data, so the operation failed.

Engineering is working on addressing this with higher limits.


Additional Information

Looking at the ICS_DYN debug output with the /etc/laglogs.conf DEBUG setting at 7 (default 5), we can see that a POST has occurred and that the 'content size is within the read_and_discard limit' message is displayed. This means that the amount of data POSTed by the browser to the proxy server exceeds an existing limit and the data is dropped. This is the cause of the 403 error.

May 11 17:32:40 lag129 : AM#504504000: AMDEVICEID#ag-7AA324FFCBA4D4ED-0: AMAUTHID#0: AMEVENTID#75286: SBResp soapReq:1129 data:0xae8860c0 callAuth ds:0xa4f785a4
May 11 17:32:40 lag129 : AM#504512000: AMDEVICEID#ag-7AA324FFCBA4D4ED-0: AMAUTHID#0: AMEVENTID#1129: backchannel receivedResp (app   0xa4f7dc24 AUTH)  (1129)[seg:0xae8860c0:0xa4f777c0:279]
May 11 17:32:40 lag129 : AM#204504000: AMDEVICEID#ag-7AA324FFCBA4D4ED-0: AMAUTHID#0: AMEVENTID#75286: No status found in the response
May 11 17:32:40 lag129 : AM#504504000: AMDEVICEID#ag-7AA324FFCBA4D4ED-0: AMAUTHID#0: AMEVENTID#75286: handleRequestAfterSoapResponseFromESP
May 11 17:32:40 lag129 : AM#504504000: AMDEVICEID#ag-7AA324FFCBA4D4ED-0: AMAUTHID#0: AMEVENTID#75286: SBget IAUser_Created alreadySent
May 11 17:32:40 lag129 : AM#504504000: AMDEVICEID#ag-7AA324FFCBA4D4ED-0: AMAUTHID#0: AMEVENTID#75286: handleRequest  state:3.REDIR_TO_ESP, action = 0
May 11 17:32:40 lag129 : AM#504504000: AMDEVICEID#ag-7AA324FFCBA4D4ED-0: AMAUTHID#0: AMEVENTID#75286: REDIRECT_TO_ESP_LOGIN https://lag129.lab.novell.com:443/nesp/app/plogin?c=secure/name/password/uri&%22https://lag129.lab.novell.com:443/formfill/phpinfo.php%22
May 11 17:32:40 lag129 : AM#504517000: AMDEVICEID#ag-7AA324FFCBA4D4ED-0: AMAUTHID#0: AMEVENTID#75286: Parking data, wait for authentication (contentLen 191007) (postDataType 2)
May 11 17:32:40 lag129 : AM#504504000: AMDEVICEID#ag-7AA324FFCBA4D4ED-0: AMAUTHID#0: AMEVENTID#75286: POST - content size is within the read_and_discard limit
May 11 17:32:40 lag129 : AM#504503000: AMDEVICEID#ag-7AA324FFCBA4D4ED-0: AMAUTHID#0: AMEVENTID#75286: dataFromBrowser 0 (contLen:191007 remains:191007)   thruDS
May 11 17:32:42 lag129 : AM#404513000: AMDEVICEID#ag-7AA324FFCBA4D4ED-0: AMAUTHID#0: AMEVENTID#6016: VCC GET  /Ex?Version:/cfg/proxy httpcode:0 (timetaken 0 inQ:0 Processing:0)
May 11 17:32:42 lag129 : AM#504503000: AMDEVICEID#ag-7AA324FFCBA4D4ED-0: AMAUTHID#0: AMEVENTID#75286: dataFromBrowser 161 (contLen:191007 remains:190846)   thruDS
May 11 17:32:42 lag129 : AM#504503000: AMDEVICEID#ag-7AA324FFCBA4D4ED-0: AMAUTHID#0: AMEVENTID#75286: dataFromBrowser 10622 (contLen:191007 remains:0)   thruDS
May 11 17:32:42 lag129 : AM#504503000: AMDEVICEID#ag-7AA324FFCBA4D4ED-0: AMAUTHID#0: AMEVENTID#75286: msgIndex:109 msgCnt:200
May 11 17:32:42 lag129 : AM#504503000: AMDEVICEID#ag-7AA324FFCBA4D4ED-0: AMAUTHID#0: AMEVENTID#75286: totalMsgs:200 msg:109:[Your session has expired and the post data is lost. Please re-authenticate and re-post the data]
May 11 17:32:42 lag129 : AM#404520000: AMDEVICEID#ag-7AA324FFCBA4D4ED-0: AMAUTHID#I: AMEVENTID#75286: status:403 /0 clen:14560 cacheH  error:109 POST lag129.lab.novell.com /formfill/phpinfo.php BootCampFormfil [147.2.16.154:39850->147.2.16.129:443 - -] [-] [startResp:0 duration:0 orig(con 0 resp 0) retry'0 0' [reqStart:222e2e:0:DS:2:cache:0 0.0 resp:0-0] [rw:0 0-0] [orig: 0  0, 0,0]] srv:0xa4e167d4->0xae54c020/2 type:20600 pr:0xaec23ca0 co:(nil) og:(nil) (null) 0 (~ServerRequest:222e30)0
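
To find other requests that hit this condition, the debug log can be grouped by AMEVENTID and checked for a parked POST larger than the limit that ended in a 403. The script below is an added example, not Novell code: the function name, regular expressions and field names are assumptions, 64kB is taken as 64 * 1024 bytes, and the sample lines reuse messages from the excerpt above plus one constructed control line.

```python
import re

# Parking limit stated in this TID; 64kB is taken as 64 * 1024 bytes (assumption).
PARK_LIMIT = 64 * 1024

EVENT_RE = re.compile(r"AMEVENTID#(\d+):")
PARK_RE = re.compile(r"Parking data, wait for authentication \(contentLen (\d+)\)")
DISCARD_MSG = "content size is within the read_and_discard limit"
STATUS_RE = re.compile(r"status:(\d{3}) .*?error:(\d+) (\w+) (\S+) (\S+)")

PREFIX = "May 11 17:32:40 lag129 : AM#504504000: AMDEVICEID#ag-7AA324FFCBA4D4ED-0: AMAUTHID#0: "
SAMPLE_LOG = [
    # Event 75286: messages from the excerpt above (prefix normalised, trailing fields trimmed).
    PREFIX + "AMEVENTID#75286: Parking data, wait for authentication (contentLen 191007) (postDataType 2)",
    PREFIX + "AMEVENTID#75286: POST - content size is within the read_and_discard limit",
    PREFIX + "AMEVENTID#75286: status:403 /0 clen:14560 cacheH  error:109 POST lag129.lab.novell.com /formfill/phpinfo.php",
    # Event 75300: constructed control case, a parked POST below the limit.
    PREFIX + "AMEVENTID#75300: Parking data, wait for authentication (contentLen 2048) (postDataType 2)",
]


def find_lost_posts(lines, limit=PARK_LIMIT):
    """Group lines by AMEVENTID and return the requests whose parked POST
    body exceeded the limit and that ended in a 403 response."""
    events = {}
    for line in lines:
        m = EVENT_RE.search(line)
        if not m:
            continue
        ev = events.setdefault(m.group(1), {"content_len": None, "discarded": False,
                                            "status": None, "error": None, "target": None})
        if (p := PARK_RE.search(line)):
            ev["content_len"] = int(p.group(1))
        elif DISCARD_MSG in line:
            ev["discarded"] = True
        elif (s := STATUS_RE.search(line)):
            ev["status"], ev["error"] = int(s.group(1)), int(s.group(2))
            ev["target"] = f"{s.group(3)} {s.group(4)}{s.group(5)}"
    return [{"event_id": eid, **ev} for eid, ev in events.items()
            if ev["content_len"] is not None and ev["content_len"] > limit
            and ev["status"] == 403]


if __name__ == "__main__":
    for hit in find_lost_posts(SAMPLE_LOG):
        print(hit)
```
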