Forum Discussion
F5 APM ACL ACEs bypassed
Hello folks!
I'm having a strange problem on one of our BigIPs with SSL VPN. We are using APM to provide SSL VPN and assign ACLs to control user behaviour at L4. In the access policy we authenticate the user against LocalDB or AD auth and then assign a full webtop, network access and a static ACL. The user can connect to the VPN, split tunneling works fine, but it seems that the ACL is completely bypassed. It doesn't matter if it is deny any or permit any, it has no effect at all. No packets are logged via the ACL. I tried changing the ACL order, reloading the BigIP box, restarting apd after the ACL was created, updating to a new version, but nothing helps.
By the way, if the user connects to APM via a browser and tries to use Portal Access he gets access denied, but if from the same browser he establishes a network tunnel the ACL will not work.
Our BigIP is 11.5.1 HF5.
Where should we look for our problem?
It seems like some other VS is catching the traffic instead of the internal built-in APM virtual (_tmm_apm_fwd_vip).
Try doing a tcpdump (tcpdump -ns0 -i 0.0:nnn), which can verify this.
I guess you might also see the problem of the ACCESS_ACL_ALLOWED event not being triggered because of this issue.
- Pratik_125797 (Nimbostratus)
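One way to check the suggestion above (which listener actually accepts the tunnel traffic) without reading the capture by hand, as an added example that is not part of this thread: feed the saved output of the `-i 0.0:nnn` capture to a small script that groups flows from the VPN lease-pool addresses by the `lis=` field and reports any flow a virtual server other than `_tmm_apm_fwd_vip` picked up. The sample capture lines, the lease pool `10.200.0.0/24`, the listener names other than `_tmm_apm_fwd_vip`, and the exact layout of the `:nnn` suffix fields are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# APM's internal forwarding virtual server, as named in the thread above.
APM_FWD_VIP = "/Common/_tmm_apm_fwd_vip"

# Pulls source/destination and the "lis=" listener field that the F5 ":nnn"
# capture suffix appends; the exact field layout is an assumption here.
LINE_RE = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):.*?\blis=(?P<lis>\S+)"
)

# Constructed sample capture: hypothetical addresses and listener names.
SAMPLE_CAPTURE = """\
12:00:01.000100 IP 203.0.113.9.50111 > 198.51.100.10.443: Flags [S], length 0 in slot1/tmm0 lis=/Common/vs_sslvpn flowtype=64
12:00:02.000200 IP 10.200.0.7.40001 > 192.168.1.50.22: Flags [S], length 0 in slot1/tmm1 lis=/Common/_tmm_apm_fwd_vip flowtype=64
12:00:03.000300 IP 10.200.0.7.40002 > 192.168.1.50.445: Flags [S], length 0 in slot1/tmm1 lis=/Common/vs_wildcard_forwarding flowtype=64
12:00:04.000400 IP 10.200.0.8.40003 > 192.168.1.51.3389: Flags [S], length 0 in slot1/tmm0 lis=/Common/vs_wildcard_forwarding flowtype=64
"""

def parse_capture(text):
    """Map (src, dst, dport) -> set of listener names seen for that flow."""
    flows = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            flows[(m["src"], m["dst"], int(m["dport"]))].add(m["lis"])
    return flows

def find_bypassing_flows(text, lease_pool):
    """Return flows from VPN tunnel addresses that a listener other than
    APM_FWD_VIP accepted; those never traverse the APM ACL at all."""
    pool = ipaddress.ip_network(lease_pool)
    bypass = {}
    for (src, dst, dport), listeners in parse_capture(text).items():
        if ipaddress.ip_address(src) not in pool:
            continue  # not tunnel traffic (e.g. the client's own TLS session)
        others = listeners - {APM_FWD_VIP}
        if others:
            bypass[(src, dst, dport)] = others
    return bypass

if __name__ == "__main__":
    hits = find_bypassing_flows(SAMPLE_CAPTURE, "10.200.0.0/24")
    for (src, dst, dport), vs in sorted(hits.items()):
        print(f"{src} -> {dst}:{dport} handled by {', '.join(sorted(vs))}")
```

Any flow the script reports is a candidate for the "other VS catches the traffic" explanation; the listener it names is the virtual server whose destination, port or precedence should be compared against `_tmm_apm_fwd_vip`.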
Nope, that's not the case with me. When I do full tunnel with a static ACL everything gets blocked. However, I feel that if I break the ACL up like
ACL 1: Allowed subnets, ACL 2: Deny Any
it probably might work. I will try it and update over here.
As of now I am trying one ACL with multiple entries and one deny any entry.