Forum Discussion

ac89live's avatar
ac89live
Icon for Altocumulus rankAltocumulus
Aug 28, 2024

F5 APM added network

why does f5 APM adds this network when I use split tunnel 

        128.0.0.0    255.255.252.0         On-link      172.22.101.5      1
        128.0.0.3  255.255.255.255         On-link         128.0.0.3    281

This causes a problem to my local network

my local network is 128.0.0.0

security
  • P_Vergaray's avatar
    P_Vergaray
    Icon for Employee rankEmployee
    Sep 03, 2024

    I've found this, may help you.

    https://my.f5.com/manage/s/article/K000140098

  • Lucas_Thompson's avatar
    Lucas_Thompson
    Icon for Employee rankEmployee
    Aug 29, 2024

    The routing that Edge Client (EC) sets is derived from the current routing and whatever the settings are on the client. Windows does have some DNS and proxy idiosyncrasies that necessitate the client to push a "route all traffic over the tunnel" route as 0.0.0.0/1 & 128.0.0.1/1 in some cases, because Windows treats devices with a 0.0.0.0/0 route differently than devices with both 0.0.0.0/1 and 128.0.0.1/1 routes, even though at L3 they're effectively equivalent. You might try to adjust your client PC to a more common "192.168" subnet to see how the behavior changes. 

    You can find in the Edge Client log files very detailed logging about what is the current (before EC does anything) and what is the result (after EC adjusts the routes) that are set. 

    Examine these EC logs closely to see how this compares to your Network Access List settings.

     

    • ac89live's avatar
      ac89live
      Icon for Altocumulus rankAltocumulus
      Aug 30, 2024

      I am familiar with those settings, and this issue does not happen to any other win10 outside my local network.

      This happens only to my local network, and cannot change it now to 192.168. because it is complicated 

      but the question is why the F5 decides to route my local network 128.0.0.0 to its VPN gateway ?

      I contacted TAC and they asked to gather some logs from CTU... but they still investigating this issue

      It worth mentioning that this is issue not not occur if using browser with network connect enabled after the connection established. This issue only happens with BigIP Edge Client.

    • ac89live's avatar
      ac89live
      Icon for Altocumulus rankAltocumulus
      Aug 30, 2024

      Update#2:

      Adding 128.0.0.0 to "IPV4 Exclude Address Space" has resolved the issue.

      But, Why we needed to add this?

      We have not added 128.0.0.0 to "IPV4 LAN Address Space". So why edge client rerouting 128.0.0.0 to tunnel ?

      I asked F5 TAC and waiting for them to answer