Mar 10, 2015

F5 APM Frequent Reconnects

We have about 2000 users on our VPN during normal work hours, and a subset of those users encounter frequent reconnects to the network access portion of our APM solution. The webtop never logs off, and within a minute or two the tunnel will reconnect. Some users have this happen 10-20 times per day. Most users, however, seem to be connecting just fine. The kicker is none of the users who are having the problem with F5 Network Access have a problem with our older Juniper VPN solution.


We are running 11.6.0 with the web components installed as admin on all owned assets. We have started putting the full client install on, but still no change. We had DTLS enabled and, on the recommendation from F5, have disabled it. All that did was have more users calling in that their Lync audio calls can be choppy (the reason we enabled DTLS in the first place).


A case has been open with F5 for over 2 weeks and very little progress has been made.


I wanted to see if anyone else is experiencing this and if they had any suggestions.


  • Unfortunately, Edge client frequent reconnects are complex issues to troubleshoot. I suggest continuing to work with Support and providing the logs as requested.


    On your side, you could check whether by any chance the affected machines have some sort of antivirus or client IDS/IPS system which might attempt some connection/probe/monitoring on the local loopback address.




  • There have been several issues found and several engineering fixes as well. The most significant one for us was that we couldn't use split tunneling and discovered that connected users couldn't reach their local DHCP server once connected to the VPN. Some of the ISPs had the lease time so low (10 mins) that it was causing frequent disconnects. Once the user was disconnected they could renew their lease and the Edge client could re-establish the connection. The hotfix for us allows this traffic now.

    Another issue we had is with DTLS tunnels, which we preferred as users do Lync voice and video meetings over VPN. We are experiencing an issue where we are getting fragmentation on the UDP packets and the tunnel becomes unstable (things like Outlook won't connect, Lync drops, uploads fail to SharePoint) or the tunnel collapses. It never fails back to TLS as DTLS 4433 is reachable. We believe it to be an issue on that particular VPN in that we don't allow ping to the VIP. Without that, PMTUD can't be done to dynamically size the MTU settings to keep fragmentation from happening. Still waiting on this confirmation.
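The two replies above point at the same diagnostic step: before treating reconnects as a client-side mystery, measure how often each user's tunnel drops and whether the drops are periodic, because a session length that clusters around the ISP's DHCP lease time (10 minutes in the reply above) is a strong hint that the lease-renewal path is being blocked by the tunnel. The script below is an added example and is not F5 code; the log line format it parses is constructed for the example and is not the real APM or Edge client log format (the real log lines would need their own regular expression), and the `tunnel_up` / `tunnel_down` event names, the `SAMPLE_LOG` data and the function names are assumptions.

```python
"""Count VPN reconnects per user and flag users whose session lengths cluster
around a DHCP lease time.  Added example; the log format below is constructed
and is NOT the real F5 APM / Edge client log format."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed format: "<timestamp> <tunnel_up|tunnel_down> user=<name>"
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<event>tunnel_up|tunnel_down) user=(?P<user>\S+)$"
)

# Constructed sample data: alice drops roughly every 10 minutes, bob stays up all day.
SAMPLE_LOG = """\
2015-03-10 08:00:00 tunnel_up user=alice
2015-03-10 08:10:05 tunnel_down user=alice
2015-03-10 08:10:40 tunnel_up user=alice
2015-03-10 08:20:12 tunnel_down user=alice
2015-03-10 08:20:50 tunnel_up user=alice
2015-03-10 08:30:03 tunnel_down user=alice
2015-03-10 08:30:41 tunnel_up user=alice
2015-03-10 08:00:00 tunnel_up user=bob
2015-03-10 17:00:00 tunnel_down user=bob
"""


def parse_events(text):
    """Parse log text into a time-ordered list of (timestamp, event, user)."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # ignore lines that are not tunnel state changes
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        events.append((ts, m["event"], m["user"]))
    events.sort(key=lambda e: e[0])
    return events


def reconnects_per_user(events):
    """A reconnect is a tunnel_up that follows a tunnel_down for the same user."""
    last_event = {}
    counts = defaultdict(int)
    for _ts, event, user in events:
        if event == "tunnel_up" and last_event.get(user) == "tunnel_down":
            counts[user] += 1
        last_event[user] = event
    return dict(counts)


def session_lengths(events):
    """Seconds between each tunnel_up and the next tunnel_down, per user."""
    up_since = {}
    lengths = defaultdict(list)
    for ts, event, user in events:
        if event == "tunnel_up":
            up_since[user] = ts
        elif event == "tunnel_down" and user in up_since:
            lengths[user].append((ts - up_since.pop(user)).total_seconds())
    return dict(lengths)


def lease_suspects(events, lease_seconds=600, tolerance=0.1, min_samples=3):
    """Users whose median session length is within `tolerance` of the lease time.

    Returns {user: median_session_seconds}.  A user needs at least
    `min_samples` completed sessions so a single drop is not over-read."""
    suspects = {}
    for user, lengths in session_lengths(events).items():
        if len(lengths) < min_samples:
            continue
        med = median(lengths)
        if abs(med - lease_seconds) <= tolerance * lease_seconds:
            suspects[user] = med
    return suspects


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("reconnects per user:", reconnects_per_user(evs))
    print("lease-time suspects (10 min lease):", lease_suspects(evs))
```

On the constructed sample, alice shows three reconnects and a median session of 572 seconds, inside 10% of a 600-second lease, while bob's single nine-hour session is ignored for lack of samples. The same per-user interval data is also what to hand to Support alongside the client logs: a list of users whose drops are periodic separates the DHCP-lease case from the DTLS fragmentation case, where drops follow large transfers rather than a fixed clock.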