Rash_75385
May 29, 2015

F5 APM (failed to initialize local tunnel server)

Hi,

 

I'm hoping someone can help with a couple of questions I have before I turn to support. I've newly deployed an F5 APM and am having a couple of issues:-

 

1). I have a couple of users who get the error "failed to initialize local tunnel server" after successfully logging in using IE or Firefox and trying to launch an RDP resource. Other users on the same OS are fine. Have tried reinstalling all F5 components without success. It seems the tunnelserver.exe process doesn't get launched for some reason. Any ideas on what I can look for?

 

2). When a user first connects and launches a full Network access connection (Full VPN), a Windows dialler profile gets built and populated and can be seen in the internet options on a Windows machine. Once it's built the OS tries to connect through this dialler and it causes some local connection issues until you set/configure the option "Never Use Dialler". Is there any way to stop this behaviour or to turn it off? I gather the dialler that is built is necessary.

 

Thanks

 

RK

 

  • RK, have you got a solution to your issue?

     

    I am facing the same issue. Most of the clients are working fine with Windows XP/7 and Win 8.1. But some users get the "failed to initialize local tunnel server". Removing the add-ons or edge client and reinstalling doesn't help.

     

  • Bump, I have one user who started getting "Failed to initialize local Tunnel Server" along with the "Disconnect" error message this week when he tries to use a Network Access resource. Windows 10 updates were installed two days ago and it worked BEFORE this, so I think maybe some Win10 updates are to blame. It's a private Win10 computer with no corporate policies and he uses IE11 and not Edge. He has uninstalled components with F5WinInfo.exe and reinstalled them with BIGIPComponentsInstaller prior to connection.

     

    Connection with BIGIP Edge Client still works, but the user needs more functionality than the Edge Client offers (specifying another Network Profile is troublesome)

     

    BIG-IP APM version: BIG-IP 11.5.3 Build 1.47.167 Engineering Hotfix HF1

     

    The APM log on the BIGIP does NOT show the usual messages from when a user starts a Network Access connection (the "Assigned PPP" etc.); this is probably normal since there isn't any tunnel.

     

    • When the user tries to click Show Details, Show Logfile, Export, he gets this error message when trying to save the log file: "C:\Users\Morten\Documents\EdgeClientLog.txt You do not have access to save the file in this location. Contact your administrator for permission. Do you want to save the file in the Documents folder instead"? (my translation from another language) When he tries to save it in Documents or in a newly created C:\temp folder, he gets the exact same message. I had to get screenshots of logterminal.txt, they can be seen in this RTF document. http://carlberner.moonlit.no/temp/feil-apm.rtf (URL corrected)

    I think the relevant log messages are:

     

    \HostCtrl.cpp(800), CHostCtrl::InstallComplete, Installation Complete (error: 0, CLSID:..etc

     

    Starting local TunnelServer

     

    \HostCtrl.h(811), CHostCtrl::onStartTunnelServer, enter

     

    \HostCtrl.h(922), CHostCtrl::OnStartTunnelServer(), EXCEPTION - isReady() COM call failed, -214..etc

     

    \HostCtrl.h(932), EXCEPTION caught

     

  • I've come across this issue in various disguises and had different ways of resolving it. It's a very random issue that seems to only affect certain people for no reason.

     

    Here are the few ways we've come across that work (bearing in mind we're on a corporate network with multiple GPOs or restrictions in place)

     

    1. Rebuild laptop ..... drastic measure but for some installs the laptop works better on a clean laptop than trying to use the debug tool to do a full removal of the plugins.
    2. Change tunnelserver.exe to run in windows 7 compatibility mode (unhide the directory in windows 8 first).
    3. Remove Malwarebytes or other security software except anti-virus. Malwarebytes prevents the tunnel being established.
    4. Full admin uninstall / reinstall by someone with Administrator rights (randomly works !!!).
    5. Making sure any network proxies are allowing both .exe and .cab files through to your browser
    6. Making sure no WAN Accelerators are manipulating the traffic when trying to setup a tunnel (DTLS especially)

    Then after all this ... there's still the odd person we just simply couldn't help :)

     

  • I've a theory that the cause of this is that F5 is not permitted to create the TunnelServer.exe file in the Windows\Downloaded Program Files folder. I had a user on the phone that wasn't able to create even a text file here. This theory would only make sense if creating a tunnel NEVER worked on a specific workstation, so it might not be valid for David.

     

    I'm running 11.5.3 HF1, and I see there are a lot of Win10 bugfixes in HF2. Will try to install this and see if it helps.

     

  • Run a Command Prompt as Administrator and type the following.

    attrib "c:\Windows\Downloaded Program Files" -S

    Voila ... all files visible 🙂

  • I have seen this issue many times now and in my experience, I have almost always narrowed down the issue to be one of these 4 things blocking the connection:

     

    1. Proxy Server
    2. Network Firewall
    3. Software Firewall
    4. Corrupted Add-ons

    Proxy Server: To check this, Disable any proxy and connect to Internet Directly and then connect to VPN. If the connection works after connecting to Internet directly, then allow the VPN IPs in the proxy server or allow it without requiring any authentication.

     

    Network Firewall: Get the IT team to check if any network firewall is blocking the VPN connection. Firewall logs should show if the VPN connection was blocked. If this is found to be the reason, then add a firewall rule for the VPN IPs

     

    Software Firewall: Windows Firewall or any other software firewall can also block the VPN. Many modern antivirus products have an inbuilt firewall. Some other software which intercepts the network traffic, like McAfee Intrusion Prevention, can also block the VPN connection. To check this, disable all the software firewalls or any other software which intercepts and affects network traffic and then try. If this turns out to be the issue, then allow your VPN IPs through the software firewall.

     

    Corrupted Add-ons: Sometimes, removing all the F5 components from the machine and then reinstalling them from fresh works. To do this, use the CTU (can be downloaded from APM welcome page). Remove all the components and then install them again.

     

    Hope this helps.

     

    • Ljgp_304673

      I had this problem ("failed to initialize local tunnelserver") on an Asus Rog gaming laptop, but was able to solve it by disabling "Asus Rog Gamefirst", a networking module that does traffic shaping. It enables you to give precedence to game related network packets.

       

      So your remark "disable all the software firewalls or any other software which intercepts and affects network traffic and then try" is very useful. If people experience this problem, besides trying with firewall disabled, they should also check for the presence of any traffic shaping software (Gamefirst, cFos, etc).

       

      By the way, I found the reference to Gamefirst and the tip to disable it on an Asus forum where someone was having other (non vpn related) network issues.

       

  • Wow. Deepak, I almost love you.

     

    Both the computers (with a contractor) with this issue had the problem simply disappear when they removed the checkbox for proxy autoconfig script in IE11 on Win10, so it's all joy here now.

     

    I expect forcing traffic to our APM server to do DIRECT will also solve the problem.

     

    Thank you.

     

  • You're welcome moonlit. Nice to know it was helpful for you. And yes, direct connection to Internet will also solve this issue. In our case, some users couldn't access Internet without going through proxy due to their corporate policies, so had to get them to add our VPN IPs to their allow them without any authentication requirements.
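
The fix discussed in the last two posts (sending traffic for the APM server DIRECT rather than through the proxy) can be written into the proxy autoconfig script itself. The following is an added example, not code from the thread: the hostnames `vpn.example.com` and `proxy.example.com:8080` and the helper names are placeholders. It matches the APM host exactly, so the proxy bypass does not extend to look-alike names.

```javascript
// Added example: PAC script that routes only the APM virtual server DIRECT.
// All hostnames below are placeholders (assumptions), not values from the thread.
// Written in ES3-style syntax so older PAC engines (e.g. IE11) can parse it.

var APM_HOSTS = ["vpn.example.com"];               // exact FQDN(s) of the APM virtual server
var DEFAULT_PROXY = "PROXY proxy.example.com:8080"; // corporate proxy for everything else

function normalizeHost(host) {
  // Lower-case and drop one trailing dot so "VPN.Example.com." still matches.
  var h = String(host || "").toLowerCase();
  if (h.charAt(h.length - 1) === ".") {
    h = h.slice(0, -1);
  }
  return h;
}

function isApmHost(host) {
  var h = normalizeHost(host);
  for (var i = 0; i < APM_HOSTS.length; i++) {
    // Exact comparison only: a substring or prefix test would also bypass
    // the proxy for names such as "vpn.example.com.other.test".
    if (h === APM_HOSTS[i]) {
      return true;
    }
  }
  return false;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  if (isApmHost(host)) {
    return "DIRECT";
  }
  return DEFAULT_PROXY;
}
```

Keeping the exception to an exact host list means the rest of the user's traffic still goes through the proxy and its logging.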