For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

sameh_atef_2110's avatar
sameh_atef_2110
Icon for Cirrus rankCirrus
Nov 20, 2015

Firewall access to be opened for APM to operate

Hi, we have an APM cluster (2 devices in HA). we want to know when user or client is authenticating from external authentication server like AD or RSA or Radius or ACS...., what IP from F5 is communi...
BIG-IP Access Policy Manager (APM)
security
Pieter_Velkene2's avatar
Pieter_Velkene2
Icon for Nimbostratus rankNimbostratus
Jan 20, 2016

Hi, I believe it's a known issue (238556)

 

From https://support.f5.com/kb/en-us/products/big-ip_apm/releasenotes/product/relnote-apm-12-0-0.html:

 

Other issues

 

AAA types for Securid and RADIUS in APM will not source packets from the floating IP address for the traffic group, as customers would expect. Because RSA authentication server is sensitive to the incoming IP address of the authentication packets, an extra virtual server is required to SNAT the authentication requests to the correct (floating) address so that the same source IP will be used in both members of an HA pair. You see this when you use RADIUS AAA or RSA AAA in an APM access policy. Authentication will fail because RSA expects the source IP address to be specific, and will not tolerate changes for HA failover.