Forum Discussion

gnspector (Nimbostratus)
Mar 14, 2024

F5 APM Network Access route domain -- specific gateway for vpn clients

I have set up a virtual server listening on the WAN for VPN requests on port 443.

I have a specific VLAN configured for VPN clients, 10.12.200.0/23. I have created a new route domain and added the VLAN to it.


In the VPE I added a Route Domain assignment and selected the correct one, after authentication and before Advanced Resource Assign.


I created self IPs of 10.12.200.3%200 and 10.12.200.4%200 (floating). I am able to ping the gateway on the upstream switch, 10.12.200.1.


If I add a default route 0.0.0.0%200 0.0.0.0 10.12.200.1%200, I can't get to anything on the VPN. It hits the self IP 10.12.200.3 and stops. If I turn on proxy ARP, I get full connectivity, but the VPN client disconnects almost immediately (usually 1-10 seconds after connecting) with no log messages other than a client request to disconnect the VPN session in the Windows logs; in the APM it just says the session was deleted due to a user logout request.


I deleted the default route and created an L4 forwarding virtual server with source 10.12.200.0%200/23 and destination 0.0.0.0%200/0, with source address translation turned off as well as address and port translation turned off, and set the pool to the gateway 10.12.200.1%200. I bound this to the VLAN as well as to the connection profile VLAN.

This also cannot get past 10.12.200.3.


If I turn on proxy ARP, same thing: it works perfectly for a few seconds and then abruptly disconnects. If I turn off proxy ARP but set SNAT to Automap, I can ping everything, but nothing works in the browser, RDP, SSH, etc.; they all just come back saying connection refused.

I cannot figure out why this is failing to work. I have seen several articles about this and have set it up as others have suggested, but I have not been able to successfully route via a default route from that VLAN once connected to the VPN.


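For readers reproducing the setup described in the post, the following tmsh session is an added example (it is not the poster's own configuration and not an F5-provided snippet) that builds the same objects in route domain 200: the VPN client VLAN in its own route domain, the non-floating and floating self IPs, the default route towards the upstream switch, and the wildcard FastL4 forwarding virtual server with a gateway pool and all translation disabled. The object names `vpn_rd`, `vpn_vlan`, `vpn_self`, `vpn_self_float`, `vpn_default_gw`, `vpn_gw_pool` and `vpn_forward_vs` are assumed; the addresses are the ones from the post. The static route and the forwarding virtual server are the two alternatives the post tried, so only one of them would normally be present at a time. The `list`/`show` commands at the end are the checks worth running before testing a client: they confirm the VLAN actually landed in route domain 200, that the %200-scoped route exists, and that the virtual server really has address, port and source-address translation disabled.

```tmsh
# Added example, not from the original post. Object names are assumed;
# addresses and route domain ID 200 are the ones given in the post.

# Route domain 200 containing only the VPN client VLAN (vpn_vlan is assumed
# to already exist as the VLAN carrying 10.12.200.0/23)
create net route-domain vpn_rd id 200 vlans add { vpn_vlan }

# Non-floating and floating self IPs inside route domain 200
create net self vpn_self address 10.12.200.3%200/23 vlan vpn_vlan allow-service default traffic-group traffic-group-local-only
create net self vpn_self_float address 10.12.200.4%200/23 vlan vpn_vlan allow-service default traffic-group traffic-group-1

# Option A: default route scoped to route domain 200, next hop on the upstream switch
create net route vpn_default_gw network 0.0.0.0%200/0 gw 10.12.200.1%200

# Option B: wildcard FastL4 forwarding virtual server with a gateway pool,
# enabled only on the VPN client VLAN, with every form of translation disabled
create ltm pool vpn_gw_pool members add { 10.12.200.1%200:0 }
create ltm virtual vpn_forward_vs destination 0.0.0.0%200:0 mask any source 10.12.200.0%200/23 ip-protocol any profiles add { fastL4 } pool vpn_gw_pool translate-address disabled translate-port disabled source-address-translation { type none } vlans-enabled vlans add { vpn_vlan }

# Checks: VLAN membership of the route domain, presence of the %200 route,
# and the translation settings on the forwarding virtual server
list net route-domain vpn_rd
list net route vpn_default_gw
list ltm virtual vpn_forward_vs translate-address translate-port source-address-translation vlans
show net route
```

When comparing against a broken setup, the two things to read off these checks are whether `vpn_vlan` appears under `vlans` in the route-domain listing (a self IP with `%200` on a VLAN that is still in route domain 0 is a common mismatch) and whether `show net route` lists the `0.0.0.0%200/0` entry alongside the %200 connected subnet.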