05-Jan-2022 17:50
We have an APM device with no ASM license, and we need to protect the APM login page with ASM by applying brute force prevention. We created a new virtual server on another device which has an ASM license, we put the APM VIP as a pool member of the new VS, and we assigned a security policy to the new VS.
After the implementation, when accessing the new virtual server IP, the APM login page and the webtop show in the browser and work fine, but the VPN connection is not working, i.e. the client (F5_VPN Client) is stuck on the Initialization stage and after some time the state becomes Disconnected.
Based on article (K13315545), is this setup supported?
Does it support VPN and App Tunnel?
Does it support the layered virtual server being on a different device?
07-Jan-2022 08:35
There is no need for a layered virtual server if your APM and ASM are 2 different devices. The layered VS/iRule is just a trick to change the traffic routing priority when APM & ASM are on the same device (because by default the traffic always goes through APM first). Make sure you check the configuration of the HTTP Profile on ASM.
26-Jan-2022 03:05 - edited 26-Jan-2022 03:06
As @samstep mentioned, check the HTTP profile and also whether the ASM is triggering some false positives and blocking the SSL VPN. Maybe the F5 VPN client is not accepting the JavaScript the F5 inserts, so the Bot protections could also be blocking you.
I think you may be matching this issue, as the SSL VPN can't be decrypted by the F5 ASM and this is why it is blocked (the article is for a layered virtual server but I don't think it matters):