Forum Discussion

EvTheFuture's avatar
Feb 28, 2023

Prevent BIG-IP Edge Client VPN Driver to roll back (or forward) during PPP/RAS errors

If you (like some of my customers) want to have the BIG-IP Edge Client packaged and distributed as a software package within your corporate infrastructure and therefore have switched off automatic component updates in your connectivity profiles, you might still get the covpn64.sys file upgraded or downgraded to the same version as the one installed on the BIG-IP APM server.


We discovered that on some Windows clients the file covpn64.sys file got a newer/older timestamp in and started to investigate what caused this.

The conclusion was that sometimes after hibernation or sleep, the Edge Client is unable to open the VPN interface and therefore tries to reinstall the driver. However, instead of using a local copy of the CAB file where the covpn64.sys file resides, it downloads it from the APM server regardless of if the version on the server and client match each other or not.

In normal circumstances when you have automatic upgrades on the clients, this might not be a problem, however when you need to have full control on which version is being used on each connected client, this behavior can be a bit of a problem.

Removing the Installer Component?

Now you might be thinking, hey… Why don't you just remove the Component Installer module from the Edge Client and you won't have this issue. Well the simple answer to this is the fact that the Component Installer module is not only used to install/upgrade the client. In fact, it seems like it's also used when performing the Machine Check Info from the Access Policy when authenticating the user. So by removing the Component Installer module result in other issues.

The Solution/workaround

The Solution I came up with is to store each version of the file in an IFile and then use an iRule to deliver the correct version whenever a client tries to fetch the file for reinstallation.

What's needed?

In order to make this work we need to

  • Grab a copy of from each version of the client
  • Create an IFile for each of these versions
  • Install iRule
  • Attach iRule to the Virtual Server that is running the Access Policy

Fetching the file from the apmclients ISOs

For every version of the APM client that is available within your organization a corresponding iFile needs to be created. To create the iFiles automatically you can do the following on the APM server.

  • Login to the CLI console with SSH
  • Make sure you are in bash by typing bash
  • Create temporary directories
mkdir /tmp/apm-urxvpn
mkdir /tmp/apm-iso
  • Run the following (still in bash not TMSH) on the BIG-IP APM server to automatically extract the file from each installed image and save them in the folder /tmp/apm-urxvpn.
for c in /shared/apm/images/apmclients-*
version="$(echo "$c" | awk -F. \
  '{gsub(".*apmclients-","");printf "%04d.%04d.%04d.%04d", $1, $2, $3, $4}')" && \
(mount -o ro $c /tmp/apm-iso
  cp /tmp/apm-iso/sam/www/webtop/public/download/ \
  umount /tmp/apm-iso)
  • Check the files copied
ls -al /tmp/apm-urxvpn
  • Import each file either with tmsh or with GUI. We will cover how to import with tmsh below. If you prefer to do it with the GUI, more information abour how to do it can be found in K13423
  • You can use the following script to automatically import all files
cd /tmp/apm-uxrvpn
for f in URXVPN.CAB-*
  printf "create sys file ifile $f source-path file:$(pwd)/$f\ncreate ltm ifile $f file-name $f\n" | tmsh
  • Save the new configuration
tmsh -c “save sys config”

Time to create the iRule


ACCESS::restrict_irule_events disable

set uri [HTTP::uri]
set ua [HTTP::header "User-Agent"]

if {$uri starts_with "/vdesk" || $uri starts_with "/pre"} {
set version ""
    regexp -- {EdgeClient/(\d{4}\.\d{4}\.\d{4}\.\d{4})} $ua var version

     if {$version != ""} {
        table set -subtable vpn_client_ip_to_versions [IP::client_addr] $version 86400 86400
    } else {
        log local0.debug "Unable to parse version from: $ua for IP: [IP::client_addr] URI: $uri"
} elseif {$uri == "/public/download/"} {
    set version ""
    regexp -- {EdgeClient/(\d{4}\.\d{4}\.\d{4}\.\d{4})} $ua var version

     if {$version == ""} {
        log local0.warning "Unable to parse version from: $ua, will search session table"
        set version [table lookup -subtable vpn_client_ip_to_versions [IP::client_addr]]
        log local0.warning "Version in table: $version"

     if {$version == ""} {
        log local0.warning "Unable to find version session table"
        HTTP::respond 404 content "Missing version in request" "Content-Type" "text/plain"
    } else {
        set out ""

          catch {
            set out [ifile get "/Common/URXVPN.CAB-$version"]

         if {$out == ""} {
            log local0.error "Didn't find file for Edge Client version: $version"
            HTTP::respond 404 content "Unable to find requested file for version $version\n" "Content-Type" "text/plain"
        } else {
            HTTP::respond 200 content $out "Content-Type" "application/"

Add the iRule to the APM Virtual Server

Known Limitations

If multiple clients with different versions of the Edge Client are behind the same IP address, they might download the wrong version. This is due to the fact that the client doesn't present the version when the request for the file reaches the iRule. This is why the iRule tries to store IP addresses based on the source IP address of other requests related to the VPN.

More information about this problem can be found in K000132735


2 Replies