Forum Discussion

ebeng_278441's avatar
ebeng_278441
Icon for Altocumulus rankAltocumulus
Jan 12, 2019

SSL VPN iOS 12 connection error

All,

 

After a while I wanted to start to use the F5 VPN again on the iPhone. I'm 100% sure that the policy is not changed since last time, when I was using the F5-App on the iOS10.x-11.x Now I'm ending up with the following errors on the client/server side:

 

On the iPhone (PacketTunnel.log):

 

2019-01-12,18:57:53:263, 5332,13835,PacketTunnel, 48, PacketTunnelProvider.swift, 503, startTunnel(options:completionHandler:), Session has been established (Session ID: cbbdf673)
2019-01-12,18:57:53:537, 5332,14855,PacketTunnel, 48, PacketTunnelProvider.swift, 510, startTunnel(options:completionHandler:), Network parameters have been received
2019-01-12,18:57:53:737, 5332,14855,PacketTunnel, 1, PacketTunnelProvider.swift, 1058, establishTunnel(_:completionHandler:isReconnecting:), Tunnel connection fails: Error Domain=F5ChannelError Code=0 "" UserInfo={F5ChannelErrorCode=0, NSLocalizedDescription=}
2019-01-12,18:57:53:740, 5332,14855,PacketTunnel, 48, SessionManager.swift, 346, logout(_:completionHandler:), Start session logout request hangup code: (4) (Session ID: cbbdf673)
2019-01-12,18:57:53:880, 5332,7951,PacketTunnel, 48, SessionManager.swift, 399, logout(_:completionHandler:), Finished session logout request with hangup code (4) (Session ID: cbbdf673)
`

And on the F5 APM logging:

`Jan 12 18:57:56 bigip1 notice tmm[14712]: 01490567:5: /Common/SSL:Common:cbbdf673: Session deleted (network_error, code - 4).

I'm running BIG-IP 12.0.0 Build 1.0.628 Hotfix HF1

 

Any help is really appreciated!!

 

Edit1: From windows machine it is working, no problems there.

 

Edit2: Just updated to BIG-IP 12.1.3.7 Build 0.0.2 Point Release 7, same errors.

 

Edit3: Got my hands on a Ipad with ios11, working perfect

 

application delivery
BIG-IP Access Policy Manager (APM)
ios
iphone
  • ebeng_278441's avatar
    ebeng_278441
    Apr 16, 2019

    When there is a port translation from xxxxx to yyyyy before the F5, it will always fail on the iOS12, as this will choose the port configured on the VirtualServer(yyyyy) and not the port chosen to connect to(xxxxx).

    Therefor, you have 2 options: 1- keep it simple and keep the destination port and the virtualserver port THE SAME! 2- define a variable on the APM policy such that the iOS will use to connect to.

    apm policy agent variable-assign /Common/variable_assign_port-pat {
   variables {
       {
           expression "return {xxxxx}" <--- (!)
           varname session.server.network.port
       }
  • ebeng_278441's avatar
    ebeng_278441
    Icon for Altocumulus rankAltocumulus
    Apr 16, 2019

    When there is a port translation from xxxxx to yyyyy before the F5, it will always fail on the iOS12, as this will choose the port configured on the VirtualServer(yyyyy) and not the port chosen to connect to(xxxxx).

    Therefor, you have 2 options: 1- keep it simple and keep the destination port and the virtualserver port THE SAME! 2- define a variable on the APM policy such that the iOS will use to connect to.

    apm policy agent variable-assign /Common/variable_assign_port-pat {
   variables {
       {
           expression "return {xxxxx}" <--- (!)
           varname session.server.network.port
       }