F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

REddy's avatar
REddy
Icon for Nimbostratus rankNimbostratus
Jan 26, 2024

F5 APM/SSL VPN/Lease IP's range routing

Hello ,   We have a requirement with the routing based on the lease-ip range for 2 SSL VPN URL's. We have 2 VLANS (External and Internal). External VLAN listens to the traffic from the internet an...
apm.f5
Lucas_Thompson's avatar
Lucas_Thompson
Icon for Employee rankEmployee
Jan 29, 2024

When you provision APM, BIG-IP adds two "hidden" virtual servers to handle the APM tunnel traffic so the admin doesn't have to explicitly set it up. To override it, the virtual server that accepts the traffic must be:

1- More specific than the hidden virtual's destination address of 0.0.0.0/0. Alternatively you can use a source address set to the lease pool net of the VPN users. Consult that link for details.

2- Connectivity profile (TMM's virtual PPP access-concentrator interface) is selected in the VLANs selector, or VLAN selector set to All Vlans.

Afterwards, TMM should select this virtual for traffic ingressing from the VPN users.

If you want to direct user traffic to different internal routers, there are a lot of different ways to do it:

  • you can use multiple routing virtuals with multiple connectivity profiles (some users get one, some get another).
  • you can use multiple routing virtuals and give your VPN users different lease pools and use the VS's Source selector so TMM selects these different VSs for different users.
  • you can use an iRule that fires on ACCESS_ACL_ALLOWED and sets nexthop to the desired router based on some APM user session data (AD groups, names, etc).