vchrisb / Isilon-POSH

EMC Isilon Platform API implementation in PowerShell
MIT License

Session timeout immediately on OneFS version 9.5.0.3 #25

Open sp2137719 opened 1 year ago

sp2137719 commented 1 year ago

After upgrading Isilon to version 9.5.0.3, New-IsiSession establishes a connection with the cluster and closes the session immediately.

PS C:> New-isiSession -ComputerName isi-cluster.domain.local -Credential $cred ; Get-isiSmbShares
Send-isiAPI : Session timeout for isi-cluster.domain.local!
At C:\Program Files\WindowsPowerShell\Modules\IsilonPlatform\Functions\IsilonPlatformGet.ps1:14248 char:17

sp2137719 commented 1 year ago

I found a workaround/solution to the problem. The session timeout in Isilon-POSH is set to the same value as "timeout_inactive", which used to be 15 min.; in OneFS 9.5.0.3, that has been changed to 0. If you change line 97 in the IsilonPlatform.psm1 to this, the code works again:

$script:isi_sessions += New-Object -TypeName psObject -Property @{Cluster = $Cluster; url=$baseurl; session= $session; timeout_absolute=(Get-Date).AddSeconds($ISIObject.timeout_absolute); timeout=(Get-Date).AddSeconds(900); timeout_inactive=$ISIObject.timeout_inactive;username=$ISIObject.username}

dcadint commented 11 months ago

I'm having the same problem. I added the suggested code change but it generated a new error.

Send-isiAPI : You cannot call a method on a null-valued expression.
At C:\Program Files\WindowsPowerShell\Modules\IsilonPlatform\8.0.6\Functions\IsilonPlatformGet.ps1:14248 char:17

mpeiffer83 commented 10 months ago

Hi, I was running 9.2* and we just upgraded to 9.5.0.6 and had this same issue. On the Isilon, run "isi http settings view" and look at the "Inactive Timeout" setting. After the upgrade ours was set to "Now", which would just disconnect you immediately. We changed this by running "isi http settings modify --inactive-timeout 500". This fixed the problem, and this is referenced in the 9.5 release notes:

"Apache changes have been added. The OneFS HTTP data paths and control paths are separated. The two paths use separate ports. Configuration parameters in the isi http settings modify command can set Apache directives that control session timeouts."

More explanation of this new setting is in the PowerScale OneFS 9.5.0.0 Security Configuration Guide, page 38, and the best practice is 500 seconds for a non-hardened cluster. I assume the upgrade changed this to "now" unintentionally.

Session timeouts

Sessions that are allowed to remain open indefinitely are a security risk. An attacker could use an already authenticated session to access a hosted application. As a protection against this type of attack, OneFS detects HTTP and HTTPS session inactivity and closes inactive sessions using configurable timeouts. Use the isi http settings modify command to configure timeouts. The following table shows the timeout parameters, the corresponding Apache directives that they implement, and their default values.

sp2137719 commented 10 months ago

Thanks mpeiffer83. My "solution" was a workaround; modifying inactive-timeout solved the problem.
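
The failure mode discussed in this thread, as an added PowerShell example that is not part of the original issue or of Isilon-POSH. `Get-IsiSessionExpiry` is a hypothetical helper and the two session objects are constructed samples; it derives the client-side idle expiry from `timeout_inactive` and, when the cluster reports 0, stops with a pointer to the cluster setting so the server-side timeout stays the source of truth.

```powershell
# Added example: hypothetical helper, not code from Isilon-POSH.
function Get-IsiSessionExpiry {
    [CmdletBinding()]
    param(
        # Object carrying timeout_inactive / timeout_absolute in seconds,
        # the same fields the session record in this thread is built from.
        [Parameter(Mandatory)] [psobject] $SessionInfo,
        [datetime] $Now = (Get-Date)
    )

    $inactive = [int]$SessionInfo.timeout_inactive
    $absolute = [int]$SessionInfo.timeout_absolute

    if ($inactive -le 0) {
        # "now + 0 seconds" is already in the past when the next request is sent,
        # so every call would be reported as a session timeout. Fail with a
        # message that names the cluster-side setting to check.
        throw "Cluster reported timeout_inactive=$inactive; the session would be treated as expired at once. Check 'Inactive Timeout' in 'isi http settings view' on the cluster."
    }

    [pscustomobject]@{
        username         = $SessionInfo.username
        timeout          = $Now.AddSeconds($inactive)   # idle expiry tracked by the client
        timeout_absolute = $Now.AddSeconds($absolute)   # hard limit for the session
        timeout_inactive = $inactive
    }
}

# Constructed sample session data (illustrative values, not captured from a cluster):
# 900 s is the 15-minute value mentioned above, 0 is what was seen after the upgrade.
$before = [pscustomobject]@{ username = 'admin'; timeout_inactive = 900; timeout_absolute = 14400 }
$after  = [pscustomobject]@{ username = 'admin'; timeout_inactive = 0;   timeout_absolute = 14400 }

foreach ($s in $before, $after) {
    try {
        $e = Get-IsiSessionExpiry -SessionInfo $s
        "timeout_inactive=$($s.timeout_inactive): idle expiry at $($e.timeout)"
    }
    catch {
        "timeout_inactive=$($s.timeout_inactive): $($_.Exception.Message)"
    }
}
```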