Forum Discussion
iOS edge client not kicking off a VPN for on-demand mode.
Hello all, I'm having trouble getting on-demand VPN to work for iPhones/iPads. I have set up the VPN profile and when manually connecting to the profile from my iPhone all works fine. Instead of a cert auth on the APM, I am doing a UID check for the mobile device. However a cert is installed on the mobile device in order to enable the on-demand mode.
However I cannot get the on-demand portion to work. I have put relevant domain names into the "Always Connect" configuration in the edge client. When I browse the domains on Safari, the VPN profile does not kick in. For domains directly accessible, the browser loads it. For domains on subnets behind the F5, requests time out. The APM log shows nothing is happening during the on-demand hostname requests.
Is there some special setting I am missing? Any suggestions are welcome.
Many thanks! Chaminda
9 Replies
- Mike_61719
Cirrus
Have an example domain?
- Alexey_384
Historic F5 Account
Starting from iOS 7 the Always Connected mode works as Connect If Needed. So, if the host name can be resolved without VPN, then VPN won't be established. Even if the host is not available directly, but its name is resolvable, then VPN won't be established. Another reason of the fault is the required interaction. Untrusted server certificate, for example. You can set a nonexistent domain and try to navigate Safari to it. If VPN is established, then your domains are resolvable directly and nothing to do. It's expected behaviour. If not, then interaction is assumed and you have to figure out the cause of it.
- chamindak_11539
Nimbostratus
Thanks Alexey. As per my understanding, the user puts a "if needed" domain in safari, which cannot be resolved. But as the domain is included in the "if needed" list on a VPN profile in the F5 edge client, the edge client should start establishing the VPN process. However I am not seeing any traffic on the APM log at all. All goes well if I manually enable the VPN. What am I missing?
- Mike_61719
Cirrus
Can you please provide a few sample domains? It would help us provide you with the information needed. Are you noticing any pre-logon checks taking place? Example: If your browser can resolve abc.com, the VPN won't kick in. If your browser cannot resolve abc.com and it's on the list to connect, the VPN will kick in. If your browser cannot resolve abc.com and it's not on the list to connect, the VPN won't kick in. I had some issues before and I think it's a bug with the software, it should always utilize the VPN if it's in the configuration list.
- kunjan
Nimbostratus
It's not a software bug. From iOS 7 onwards Apple doesn't support onDemand VPN. It falls back to 'if Needed'. http://support.apple.com/kb/TS4550
The new method is to use onDemand rules, but you have to use MDM or edit the profiles
https://developer.apple.com/library/ios/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html//apple_ref/doc/uid/TP40010206-CH1-SW27
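The on-demand rules mentioned in the reply above, sketched as a fragment of the VPN payload dictionary in a configuration profile. This is an added example, not part of the thread and not an F5-supplied profile; the domain names and the probe URL are placeholders, and the rest of the payload (server, authentication, identity certificate) is omitted.

```xml
<!-- Fragment only: these keys sit inside the VPN payload dictionary. -->
<key>OnDemandEnabled</key>
<integer>1</integer>
<key>OnDemandRules</key>
<array>
    <!-- Rule 1: evaluate each connection attempt to the listed domains. -->
    <dict>
        <key>Action</key>
        <string>EvaluateConnection</string>
        <key>ActionParameters</key>
        <array>
            <dict>
                <!-- Placeholder domains; wildcard prefixes are allowed. -->
                <key>Domains</key>
                <array>
                    <string>intranet.example.com</string>
                    <string>*.corp.example.com</string>
                </array>
                <key>DomainAction</key>
                <string>ConnectIfNeeded</string>
                <!-- Placeholder URL reachable only through the VPN.
                     If this probe fails (name does not resolve, server
                     unreachable, or a non-200 response), the VPN is
                     brought up even though the requested name itself
                     resolved without the tunnel. -->
                <key>RequiredURLStringProbe</key>
                <string>https://probe.corp.example.com/</string>
            </dict>
        </array>
    </dict>
    <!-- Rule 2: catch-all with no match criteria. Leaves an existing
         connection up but does not start one on demand. -->
    <dict>
        <key>Action</key>
        <string>Ignore</string>
    </dict>
</array>
```

The probe covers the case described earlier in the thread where a host name resolves publicly but the host sits on a subnet behind the VPN gateway.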
- kunjan_118660
Cumulonimbus
As Alexey suggested, have you verified the cert? Is it trusted?
You can connect the iPhone to a computer iPCU, and check the console logs for further troubleshooting.
- chamindak_11539
Nimbostratus
Thanks for the comments guys, having to put this on the back burner for a bit. The cert is not trusted (self-signed), but I'm not really looking for a cert match, rather hoping to use a MAC address match to the MDM. When I get a bit more time I will proceed with Kunjan's troubleshooting advice.
