Symptoms
When you access GUI pages that use REST API token-based authentication, the pages fail to load with the message "Error getting auth token from login provider".
You may also observe a red banner with the message: "The iApp LX sub-system is currently unresponsive."
For example, accessing the policies list from the following location:
iApps ›› Application Services : Applications LX
Security ›› Application Security : Security Policies : Policies List
Impact
GUI pages that use REST API token-based authentication will not load.
Conditions
The auth-pam-idle-timeout value is set to something other than 1200. The current value can be listed in tmsh:
list sys httpd auth-pam-idle-timeout
sys httpd {
    auth-pam-idle-timeout 1200
}
Workaround
Use the following tmsh commands:
tmsh modify sys httpd auth-pam-idle-timeout 1200
tmsh save sys config
tmsh restart sys service httpd
Wait for 2 minutes.
Delete cookies from /var/run/pamcache
rm -f /var/run/pamcache/*
Users authenticated in the TMUI will log out automatically.
After logging back in, TMUI pages should load properly.
For VIPRION:
tmsh modify sys httpd auth-pam-idle-timeout 1200
tmsh save sys config
clsh tmsh restart sys service httpd
Wait for 2 minutes.
Edit the csyncd settings to prevent old cookies from being synced from other blades.
clsh "cp /etc/csyncd.conf /etc/csyncd.conf.$(date +%Y%m%d_%H%M%S)"
clsh "sed -i '/run\/pamcache/,+2s/^/#/' /etc/csyncd.conf"
clsh "bigstart restart csyncd"
Delete cookies from /var/run/pamcache
clsh rm -f /var/run/pamcache/*
Revert the csyncd settings.
clsh "sed -i '/run\/pamcache/,+2s/^#//' /etc/csyncd.conf"
clsh "bigstart restart csyncd"
Note: Modifying the auth-pam-idle-timeout value will sync between devices in a sync-failover device group, but the workaround steps above must be performed on each device individually.
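Added example (not part of the original article or F5's tooling): a rehearsal of the two csyncd.conf sed edits from the VIPRION steps on a scratch file, showing that the revert restores the file only when the disable step was run exactly once. The stanza layout and the /example paths are constructed sample data, not the real contents of /etc/csyncd.conf; GNU sed is assumed.

```shell
# Added example. The stanza layout is constructed sample data (assumption),
# not the real contents of /etc/csyncd.conf.
make_sample() {    # $1 = scratch file to create
    cat > "$1" <<'EOF'
monitor dir /example/first {
    queue yes
}
monitor dir /var/run/pamcache {
    queue yes
}
monitor dir /example/last {
    queue yes
}
EOF
}

# The page's edit: comment out the matching line and the two lines after it.
disable_pamcache_sync() { sed -i '/run\/pamcache/,+2s/^/#/' "$1"; }

# The page's revert: strip one leading '#' from the same three lines.
enable_pamcache_sync() { sed -i '/run\/pamcache/,+2s/^#//' "$1"; }

# Number of lines currently commented out (grep exits 1 on zero matches).
commented_lines() { grep -c '^#' "$1" || true; }

# Disable N times, revert once; print "<commented after disable> <state after revert>".
rehearse() {       # $1 = how many times the disable step is run
    work=$(mktemp); orig=$(mktemp)
    make_sample "$work"; cp "$work" "$orig"
    i=0
    while [ "$i" -lt "$1" ]; do disable_pamcache_sync "$work"; i=$((i + 1)); done
    disabled=$(commented_lines "$work")
    enable_pamcache_sync "$work"
    if cmp -s "$work" "$orig"; then state=restored; else state=still-commented; fi
    rm -f "$work" "$orig"
    echo "$disabled $state"
}

rehearse 1    # one disable, one revert: file returns to its original bytes
rehearse 2    # disable run twice: a single revert leaves '#' behind
```

If the disable step is repeated by mistake, compare /etc/csyncd.conf against the timestamped backup made in the first clsh command before restarting csyncd.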
Fix Information
The restjavad layer was modified to accommodate idle timeout values other than 1200.
Behavior Change
The sys httpd auth-pam-idle-timeout value cannot be configured larger than 86400.