Forum Discussion

Pihu_294516
Jun 23, 2018

Account lock out issue

Hello folks,


I am a newbie and trying to help a user troubleshoot his lockout issue. The detailed explanation for this goes ...


We have an ADFS VIP running on ports 443 and 49443, set up through an iApp. It has the X-Forwarded-For and insert_x-ms-forwarded-client-IP_NEWLOGIC iRules in place. The issue is that a user is getting locked out every 10 minutes and we are trying to trace the real server to which he is connecting. The VIP is configured with Automap as the Source Address Translation. The traffic hits the Azure proxy server, then comes to the ADFS VIP, and then goes to the real server. Can anyone suggest how we can find which server is serving the request for that particular user? We did try tcpdump and it shows the connection from the floater IP to the real server, but then how can we find that particular user's traffic? Any input will be appreciated.


TIA..


4 Replies

  • Hello Pihu!

    Since you're SNATing, you have to look inside that tcpdump for the X-Forwarded-For header with the original client's IP.

    I think Wireshark's filter for this would be something like this (not sure though):

    http.x_forwarded_for == 10.0.0.1

    Just replace "10.0.0.1" with the client's IP and have a try.

    Cheers!

  • Anju

    Thank you for the input, folks. I did try to capture a tcpdump end to end, but it did not help me either, since the application data is encrypted and I cannot see the client IP address in the X-Forwarded-For HTTP header. What options do I have in this case? The traffic pattern is already mentioned earlier, so there are multiple factors in play, I think. And tweaking the existing ADFS setup may not be a good option, since it is working for all the other users. Any other input please???


    TIA...


  • Create a secondary pool with only one server in it. Create a secondary VS with the same IP as the original but with the client's IP as its source. The client will connect to and use this new VS, and it will only have one pool member in its pool.


    That way you're sure which server the client is connecting to and you can further troubleshoot.


    Does this help?
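Another way to get the same answer without decrypting captures or adding a second VS is an iRule that logs, for one traced address, the TCP client address, the X-Forwarded-For value the upstream proxy sent, and the pool member the load balancer picked. This is an added example, not code from the thread or from F5's iApp iRules; 10.0.0.1 is a placeholder for the affected user's (or the Azure proxy's) IP, and the HTTP_REQUEST part assumes the VIP has an HTTP profile, which the existing X-Forwarded-For iRule already requires.

```tcl
# Added example: trace one client's connections to the selected pool member.
# Attach to the ADFS virtual server alongside the existing iRules and
# remove it once the misbehaving member has been identified.

when RULE_INIT {
    # Placeholder: the address being troubleshot. Change before applying.
    set static::trace_ip "10.0.0.1"
}

when CLIENT_ACCEPTED {
    # X-Forwarded-For as inserted by the upstream (Azure) proxy, if any.
    # Because that proxy is the TCP client, IP::client_addr will usually be
    # the proxy's address and the XFF value is what identifies the user.
    set xff "-"
}

when HTTP_REQUEST {
    # Only visible when the VIP terminates TLS and has an HTTP profile.
    if { [HTTP::header exists "X-Forwarded-For"] } {
        set xff [HTTP::header value "X-Forwarded-For"]
    }
}

when LB_SELECTED {
    # Fires once a pool member has been chosen, before the server-side
    # connection exists, so the SNAT address never hides the mapping.
    if { [IP::addr [IP::client_addr] equals $static::trace_ip] or
         [string match "*$static::trace_ip*" $xff] } {
        log local0. "ADFS trace: client [IP::client_addr]:[TCP::client_port] xff=$xff vs=[virtual name] -> member [LB::server addr]:[LB::server port]"
    }
}
```

The entries land in /var/log/ltm, so grep there for "ADFS trace" around each lockout time to see which member served that user.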