VPN not working when using APM policy via Local Traffic Policy
Hi all,
I've got an interesting one and hope that one of you has a clue;
Setup:
1. FW translating public address to private address
2. F5 VS with private address, with Local Traffic Policy
3. The LTP is used to forward traffic to about 5 different VS-es, based on the HTTP Host header
4. One of those 2nd-layer VS-es (Standard VS) has an APM policy attached, with RDP & Portal Access objects and a Network Access object. (All other VS-es have standard pools attached to them with basic websites.)
When a user connects to the websites behind the other VS-es using their respective URLs, all is happy and working. When a user connects to the APM VS via a browser, they can log in and the RDP and Portal Access objects work fine. When a user connects to the APM VS via a browser and logs in but uses the Network Access object, this fails and gives the error message "Failed to download configuration" after a while. When a user connects to the APM VS via the BIG-IP VPN client on a laptop, it hangs at "Initializing" and after a long while gives up. When a user connects to the APM VS via the F5 Access mobile client, it hangs at "Connecting".
If I attach the APM policy straight to the first/front VS and remove the LTP, everything works. I've even created an LTP with just a one-line rule that forwards all traffic to the APM VS, but still the same behaviour. I'm not using DTLS, it's running v13.1.0.8, and I have been able to replicate it on another system, so it's probably my config that's doing it...
Any idea?? I'm stumped...
Thanks,
Alex
Hi all,
In case anyone else runs into the same problem, here's the answer after speaking with F5 support: it turns out the iSession requests that are used for setting up the VPN tunnel in Windows are not quite HTTP-compliant, and as such cause issues when assessed by the Local Traffic Policy.
To fix it, I've put an iRule in place that bypasses the LTP for those specific requests, see below:
    when HTTP_REQUEST {
        # Default: let the Local Traffic Policy assess the request as normal
        set http_disable 0
        # The Network Access tunnel setup requests (/isession, /myvpn) are not
        # fully HTTP-compliant, so flag them to be taken out of HTTP processing
        if { [HTTP::uri] starts_with "/isession" or [HTTP::uri] starts_with "/myvpn" } {
            set http_disable 1
        }
    }
    when HTTP_REQUEST_SEND {
        # Just before a flagged request is sent on to the back-end VS, switch HTTP
        # processing off for the rest of this connection so the LTP no longer
        # parses the tunnel traffic
        if { $http_disable != 0 } {
            HTTP::disable
        }
    }
This iRule needs to be attached to the same virtual server that the LTP is attached to, and all works again!