Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

F5 AppWorld 2024 session proposal deadline extended to Friday, December 8th!

cant access to management interface after vpn using apm established

yunan_haris_123
Altostratus
Altostratus

‎18-May-2016 21:14

i had configured network access vpn using APM module, i tried to split tunneling the network of my management access, but unfortunately when the vpn established i cant connect to my f5 management interface. i tried to add VS with my pool member is my f5 management ip address, where VS ip address is 1 network with my VPN user, the service is https, and the pool member is my f5 management ip address with service port is 443. and then the result is i can ping my VS but i cant connect to my VS which have the pool member is my f5 management ip address with port 443

 

any idea how can i access to my F5 after vpn using APM established? really appreciate your help

 

thank you

 

Labels:
4 REPLIES 4

Kevin_Stewart
F5 Employee
F5 Employee

‎19-May-2016 04:57 - last edited on ‎05-Jun-2023 22:54 by Fog

This is actually a well-intentioned security feature, but you can get around it with the following trick:

  1. Create a simple LTM virtual server - you can bind this to the VPN connectivity profile "VLAN" or to an internal VLAN (do NOT bind this to an external VLAN)

  2. Apply a simple client SSL profile to the VIP

  3. Apply a simple server SSL profile to the VIP

  4. Apply the following iRule to the VIP:

    when CLIENT_ACCEPTED {
    node 127.0.0.1 443
}

    Depending on platform version you may need to use an internal VLAN self-IP instead of 127.0.0.1.

Jimmy
Nimbostratus
Nimbostratus
In response to Kevin_Stewart

‎27-Feb-2023 15:22

From v15.1/16.1 a db value needs to be changed in order to use this iRule.  Details here: https://my.f5.com/manage/s/article/K05413010

imabbas_90
Altocumulus
Altocumulus
In response to Kevin_Stewart

‎12-Oct-2023 04:15

Hello Mate thanks i was also facing same issue. After connecting to the VPN cant connect to the SAME F5 device. 

After creating the Virtual server with the MGMT IP of F5 and allowing All VLAN and tunnels then created Irule 

when CLIENT_ACCEPTED { node 127.0.0.1 443}

then created one more VIP for port 22 

 

when CLIENT_ACCEPTED { node 127.0.0.1 22 }

it's working now. 

 

 

mportnoy
Nimbostratus
Nimbostratus

‎29-Nov-2023 12:45 - edited ‎29-Nov-2023 12:56

This works great to connect to active Big-IP via APM VPN.  Thank You!
I have an HA pair of Big-IPs.  Loopback (127.0.0.1) IP always redirects to active Big-IP, even if I have primary & standby inside Big-IP IPs.  Is it possible to configure access to both active and standby units?

I could create 3 sets of VIPs with it's own iRule for each, with inside VLAN IP instead of loopback address.
1 set for HA Unit 1 inside IP
1 set for HA Unit 2 inside IP
1 set for shared inside IP

Instead, is it possible to make the  iRule intelligent enough to determine requested destination IP, and send to that desination IP.

0 Kudos
Copyright © 2023 Khoros, LLC