Forum Discussion

Damiano_Colla_9's avatar
Damiano_Colla_9
Icon for Nimbostratus rankNimbostratus
May 07, 2015

APM - Network Access issue solved after policy re-apply

Hello All, we registered a weird behavior with an APM (11.4.2 HF7) guest: users can login correctly into logon page and AD Auth is fine. Then users starts networks access clicking on the "na_icon". It worked for few weeks (a couple of months) with more or less 100 ccu. Suddenly na stopped to work and no one can access to vpn. After a restart of the service apmd the users can start na for few minutes (about 15, half an hour) and then the service fails again.

We tried upgrading the APM to 11.5.1 but the issue come up again after few minutes, so we rollback to the 11.4.2 HF7. We set the APM log to debug, test the issue and get the qkview. When the issue arises the only logs you can find are the following (some sensible data has been masqueraded):

Apr 16 09:36:33 slot1/*******-*** notice tmm[25747]: 01490549:5: ea787267: Assigned PPP IPv4: "ip_address" Tunnel Type: VPN_TUNNELTYPE_TLS NA Resource: /Common/"policy_name" - Reconnect
Apr 16 09:36:33 slot1/*******-*** notice tmm[25747]: 01490505:5: ea787267: PPP tunnel 0x570000fdfa00 started.
Apr 16 09:36:34 slot1/*******-*** notice tmm[25747]: 01490505:5: ea787267: PPP tunnel 0x570000fdfa00 closed.

After analyzing the qkview without understanding what the problem was, we re-apply the policy and the vpn started to work fine. It's about 3 weeks that the vpn (network access) are working fine.

I'm wondering if anyone else had a similar issue with na, solving a huge problem just re-applying the policy without making any changes.

Thank you.

BIG-IP Access Policy Manager (APM)
network access
security
TMOS
vpn

5 Replies

Sort By
  • Adriano_Bezerr1's avatar
    Adriano_Bezerr1
    Icon for Cirrus rankCirrus
    Dec 13, 2018

    I´ve the same problem in my environment with APM v12.1.2 HF1, I´ve approximately 1000 VPN clients, with an average 10k reconnections per day of approximately 80% of the clients, we have six operators and the problem occurs in all, thus we discard some problem related to this.

     

    Has anyone found the solution to this?

     

  • boneyard's avatar
    boneyard
    Icon for MVP rankMVP
    Dec 15, 2018

    im afraid that is too little information to work with. contacting F5 support makes the most sense.

     

  • Adriano_Bezerr1's avatar
    Adriano_Bezerr1
    Icon for Cirrus rankCirrus
    Dec 17, 2018

    I´ve an open case on F5 that is under analysis.

     

    However, I was able to replicate the problem in the lab, which occurs only when I disconnect the VPN tunnel through the VPN interface created. When I do using the disconnect Edge Client the logout runs successfully.

     

    The environment has been in production for more than a year and only now has this problem started to occur. As soon as I get a return from F5, I'm posting here to help others who are going through this problem.

     

  • a_basharat's avatar
    a_basharat
    Icon for Nimbostratus rankNimbostratus
    Jun 03, 2019

    Is there anyone having issues with this? any workaround? we had few random users having this issue, opened a ticket with F5 and they said it is most likely something on the desktop trying to push the VPN down, but that's a very difficult thing to spot [what thing is pushing down the VPN]

  • boneyard's avatar
    boneyard
    Icon for MVP rankMVP
    Jul 16, 2019

    the problem is that what you are experiencing is something else then what this thread started about. or are you running version 11.5?

     

    if support can't help then i doubt someone else here can. still you are best of with starting a new question with full details on version / logs / and so on.