Forum Discussion

scorpa_121336's avatar
scorpa_121336
Icon for Nimbostratus rankNimbostratus
Oct 23, 2014

F5 apm ACL ACES bypassed

Hello folks!

 

I'm having strange problem on one of our BigIP with SSL VPN. We are using APM to provide SSL VPN and assign ACL to control user behavior on L4. In access policy we authenticate user against LocalDB or AD auth and then assign full webtop, network access and static ACL. User can connect to VPN, split-tunneling working fine but it seems that ACL is completely bypassed. Doesn't matter if it deny any or permit any it's havent effect at all. No packets logged via ACL. I tried change ACL order, reload BigIP box, restarted apd after acl created, updated to new version but nothing helps.

 

By the way, if user will connect to APM via Browser, and will try to use Portal access he will get - access denied but if from the same browser he will establish network tunnel - acl will not work.

 

Our BigIp is 11.5.1 HF5.

 

Where we should find our problem ?

 

  • It seems like some other VS is catching the traffic instead of internal built-in APM virtual(_tmm_apm_fwd_vip).

     

    Try to do a tcpdump (tcpdump -ns0 -i 0.0:nnn) which can verify this.

     

    I guess you also might see the problem of ACCESS_ACL_ALLOWED event not triggered because of this issue.

     

  • Nope that's not the case with me. When I do full tunnel with a static ACL everything gets blocked. However, I feel that if I break the ACL like

     

    ACL 1 -: Allowed subnets ACL 2-: Deny Any

     

    Probably it might work. I will try and update it over here.

     

    As of now I am trying one ACL with multiple entries and one deny any entry.