For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

GramofSalt_8283's avatar
GramofSalt_8283
Icon for Nimbostratus rankNimbostratus
Feb 08, 2014

APM Hudfilter Error - When using F5 SSL Connection with a specific application

Weird error when using a particular application through the F5 SSL VPN tunnel. Steps below Product: LTM+APM-VE or 4200V Version: 11.4.1HF2

 

1.) Login fine and get presented with all my icons, including the portal resources and the SSL VPN connection Icon. 2.) Launch SSL VPN connection fine. 3.) So I have an SSL connection to all my internal network resoureces, DNS, RDP, etc. 4.) Launch a local application on my laptop called 'iSite Radiology' It's a full client that makes a connection on port tcp 6464 and references 'http://172.27.28.100/iSuite', which is internal to the network and completely pingable through the SSL VPN connection. 5.) Upon launching the application mentioned above, the app fails to find the server and the follow error message is triggered in the F5 'APM' log.

 

Feb 8 12:56:33 kh-l1-dmz err tmm2[9178]: 01490514:3: 00000000: Access encountered error: ERR_NOT_SUPPORTED. File: ../modules/hudfilter/access/access.c, Function: access_process_state_client_enforce_acl, Line: 8266 Feb 8 12:56:33 kh-l1-dmz err tmm2[9178]: 01490514:3: 00000000: Access encountered error: ERR_NOT_SUPPORTED. File: ../modules/hudfilter/access/access.c, Function: hud_access_handler, Line: 1892

 

7.) Now if I go into the VPE and remove any of the 'portal' assigned resources from the Policy so that when the user logins into the portal, they do not see the two portal icon resources present but all the other icons are there and the SSL VPN connection icon and when you launch the VPN SSL connection, it connects. 8.) Now launch the 'iSite Radiology' local application on the laptop and the connects to the server resource fine each time and functions correctly.

 

9.) so the only fix I can find is removing the portal resources(which I still need, one is for OWA and the other is for thie Perinatal app). So I'd think the error message that is thrown in the APM log have something to do with the Portal app configurations. Like a ACL or other issue.

 

Any ideas on what might be causing this would be very helpful.

 

BIG-IP Access Policy Manager (APM)
security

1 Reply

  • GramofSalt_8283's avatar
    GramofSalt_8283
    Icon for Nimbostratus rankNimbostratus
    Feb 10, 2014

    Ok an update on this issue as I've been continuing to work with this issue. I've discovered that the two portal configurations that are published in my APM portal along with the SSL-VPN icons and proxy published apps are conflicting. It appears that the two portal configurations created portal ACL's that are at the top of the order list. If I create a manual ACL for the SSL-VPN connection profile and place it at the top of the ACL order, the SSL VPN connection will connect and the 'iSite Radiology' application will launch correctly. However the two portal applications 'owa' and 'centrify perenatal' will not perform SSO and auto-loggin. If I move the two portal apps ACLs to the top of the ACL list, the SSL-VPN connects but the 'iSite Radiology' app will fail but the two portal apps will work and SSO works correctly as well. So it seems to be an access issue conflict. Are there some other ways to track and log why this is happening?