edge client
27 Topics

Big-IP Edge Client / Windows 10 1809 - No internet connection with connected VPN
Hi everybody

I've updated my computer to Windows 10 Build 1809: After a successful connection with Big-IP Edge Client VPN the internet connection is broken.

Ping to Google DNS servers with connected VPN:

We have configured Network Access with "split tunneling". The very same VPN worked perfectly with the previous build of Windows 10 (1803).

Version of VPN client: 7160,2018,417,2013

Has anyone run into the same problem?

Thank you, John

Solved, 7.3K Views, 0 likes, 41 Comments

Machine Certificate Check - why does it fail?
Hi, I am trying to implement machine certificate check for Edge Client users. The machine certificate is stored in the default MY store and I assume I have configured the APM action correctly with: MY / LocalMachine / CA Bundle / YES to right elevation prompts.

The connection always fails on machine certificate check with these entries in APM log:

    debug /Common/ap_edge_client:Common:4d76a881: MachineCert agent: ENTER Function executeInstance
    info /Common/ap_edge_client:Common:4d76a881: Executed agent '/Common/empty_act_machinecert_auth_ag', return value 0
    info /Common/ap_edge_client:Common:4d76a881: Following rule 'fallback' from item 'Machine Cert Auth' to item 'Log F'
    info /Common/ap_edge_client:Common:4d76a881: Session variable 'session.check_machinecert./Common/empty_act_machinecert_auth_ag.result' set to '-2'
    info /Common/ap_edge_client:Common:4d76a881: Session variable 'session.check_machinecert.last.result' set to '-2'

Edge client log file contains these entries:

    0,2018-08-09,11:04:34:936,APPCTRL,7384,8484,Starting pending session ID: 4d76a881
    48,2018-08-09,11:04:35:431,APPCTRL,7384,8484,URL: https:///my.policy
    48,2018-08-09,11:04:36:330,APPCTRL,7384,8484,Cookie MRHSession not set
    1,2018-08-09,11:04:36:498,APPCTRL,7384,8484,Authentication failure
    1,2018-08-09,11:04:36:498,APPCTRL,7384,8484,Authentication failed - redirect (0x80070005)
    0,2018-08-09,11:04:36:498,APPCTRL,7384,8484,Failed to establish session 4d76a881

I set the logging levels for this APM policy to debug for everything, but still none of the logs tell me what could be causing the problems. Is it my VPE action setting, is it perhaps something with CA, or the client rights? How should I identify the root cause here? What more can I do to troubleshoot besides trying every possible set of settings in the APM machine certificate check action?

Any help really appreciated! thx.

2.8K Views, 0 likes, 17 Comments

Prevent BIG-IP Edge Client VPN Driver to roll back (or forward) during PPP/RAS errors
If you (like some of my customers) want to have the BIG-IP Edge Client packaged and distributed as a software package within your corporate infrastructure, and have therefore switched off automatic component updates in your connectivity profiles, you might still get the covpn64.sys file upgraded or downgraded to the same version as the one installed on the BIG-IP APM server.

Background

We discovered that on some Windows clients the covpn64.sys file got a newer/older timestamp and started to investigate what caused this. The conclusion was that sometimes, after hibernation or sleep, the Edge Client is unable to open the VPN interface and therefore tries to reinstall the driver. However, instead of using a local copy of the CAB file where the covpn64.sys file resides, it downloads it from the APM server regardless of whether the versions on the server and the client match.

In normal circumstances, when you have automatic upgrades on the clients, this might not be a problem. However, when you need full control over which version is being used on each connected client, this behavior can be a bit of a problem.

Removing the Installer Component?

Now you might be thinking: hey, why don't you just remove the Component Installer module from the Edge Client, and you won't have this issue? The simple answer is that the Component Installer module is not only used to install/upgrade the client. In fact, it seems like it's also used when performing the Machine Check Info from the Access Policy when authenticating the user. So removing the Component Installer module results in other issues.

The Solution/workaround

The solution I came up with is to store each version of the urxvpn.cab file in an iFile and then use an iRule to deliver the correct version whenever a client tries to fetch the file for reinstallation.

What's needed?
In order to make this work we need to:

- Grab a copy of urxvpn.cab from each version of the client
- Create an iFile for each of these versions
- Install the iRule
- Attach the iRule to the Virtual Server that is running the Access Policy

Fetching the file from the apmclients ISOs

For every version of the APM client that is available within your organization, a corresponding iFile needs to be created. To create the iFiles automatically you can do the following on the APM server.

1. Log in to the CLI console with SSH.

2. Make sure you are in bash by typing bash.

3. Create temporary directories:

    mkdir /tmp/apm-urxvpn
    mkdir /tmp/apm-iso

4. Run the following (still in bash, not TMSH) on the BIG-IP APM server to automatically extract the urxvpn.cab file from each installed image and save them in the folder /tmp/apm-urxvpn:

    for c in /shared/apm/images/apmclients-*
    do
      # Zero-pad each part of the image version to four digits so the name
      # matches the version format the iRule extracts from the User-Agent.
      version="$(echo "$c" | awk -F. \
        '{gsub(".*apmclients-","");printf "%04d.%04d.%04d.%04d", $1, $2, $3, $4}')" && \
      # Copy only if the read-only mount succeeded, then always unmount.
      (mount -o ro "$c" /tmp/apm-iso && {
         cp /tmp/apm-iso/sam/www/webtop/public/download/urxvpn.cab \
           "/tmp/apm-urxvpn/URXVPN.CAB-$version"
         umount /tmp/apm-iso
       })
    done

5. Check the files copied:

    ls -al /tmp/apm-urxvpn

6. Import each file either with tmsh or with the GUI. We will cover how to import with tmsh below.
If you prefer to do it with the GUI, more information about how to do it can be found in K13423.

You can use the following script to automatically import all files:

    cd /tmp/apm-urxvpn
    for f in URXVPN.CAB-*
    do
      # Create the system iFile from the local copy, then the LTM iFile that the iRule reads.
      printf "create sys file ifile $f source-path file:$(pwd)/$f\ncreate ltm ifile $f file-name $f\n" | tmsh
    done

7. Save the new configuration:

    tmsh -c "save sys config"

Time to create the iRule

    when CLIENT_ACCEPTED {
        ACCESS::restrict_irule_events disable
    }

    when HTTP_REQUEST {
        set uri [HTTP::uri]
        set ua [HTTP::header "User-Agent"]
        if {$uri starts_with "/vdesk" || $uri starts_with "/pre"} {
            # Remember the Edge Client version seen from this source IP (24 hours).
            set version ""
            regexp -- {EdgeClient/(\d{4}\.\d{4}\.\d{4}\.\d{4})} $ua var version
            if {$version != ""} {
                table set -subtable vpn_client_ip_to_versions [IP::client_addr] $version 86400 86400
            } else {
                log local0.debug "Unable to parse version from: $ua for IP: [IP::client_addr] URI: $uri"
            }
        } elseif {$uri == "/public/download/urxvpn.cab"} {
            set version ""
            regexp -- {EdgeClient/(\d{4}\.\d{4}\.\d{4}\.\d{4})} $ua var version
            if {$version == ""} {
                # No version in the User-Agent: fall back to the one stored for this source IP.
                log local0.warning "Unable to parse version from: $ua, will search session table"
                set version [table lookup -subtable vpn_client_ip_to_versions [IP::client_addr]]
                log local0.warning "Version in table: $version"
            }
            if {$version == ""} {
                log local0.warning "Unable to find version session table"
                HTTP::respond 404 content "Missing version in request" "Content-Type" "text/plain"
            } else {
                # Serve the CAB that matches the client's own version.
                set out ""
                catch { set out [ifile get "/Common/URXVPN.CAB-$version"] }
                if {$out == ""} {
                    log local0.error "Didn't find urxvpn.cab file for Edge Client version: $version"
                    HTTP::respond 404 content "Unable to find requested file for version $version\n" "Content-Type" "text/plain"
                } else {
                    HTTP::respond 200 content $out "Content-Type" "application/vnd.ms-cab-compressed"
                }
            }
        }
    }

Add the iRule to the APM Virtual Server.

Known Limitations

If multiple clients with different versions of the Edge Client are behind the same IP address, they might download the wrong version.
This is because the client doesn't present its version when the request for the file urxvpn.cab reaches the iRule. This is why the iRule stores the client version keyed by the source IP address of other requests related to the VPN. More information about this problem can be found in K000132735.

1.4K Views, 4 likes, 2 Comments

F5 APM VPN Edge Client notifications
Hello All,

I couldn't find if I can configure/generate custom notification popup messages on the Edge Client application for Windows. For example when the vpn is there to be a message "Your VPN is down, please start it up ..." or something like that.

Any ideas? Thanks in advance.

Solved, 1.1K Views, 0 likes, 4 Comments

VPN BIG-IP Edge client : traffic over VPN tunnel with full or split tunneling
We have established a VPN connection between a Windows client and a BIGIP v15. We are using BIGIP Edge client, with network access.

Full tunneling

We do not really understand what kind of traffic is allowed or disallowed over the VPN tunnel. According to this document: https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-network-access-13-0-0/2.html with full tunneling "all traffic (including traffic to or from the local subnet) is forced over the VPN tunnel." How can traffic to the local subnet be forced over the VPN tunnel? Does full tunneling ensure that the resource is not leaking traffic to the client's LAN?

Split tunneling

In order to use split tunneling, we have to fill the field "IPV4 LAN Address Space", to specify a list of addresses. Only the traffic to these addresses goes through the tunnel configured for Network Access, all other traffic bypasses the tunnel. As this field is mandatory, what is the purpose of the field "Exclude Address Space" (not mandatory)? What is the purpose of the feature "split by DNS"? How to know if it is better to use "split by DNS" instead of "split by IP"?

899 Views, 0 likes, 1 Comment

BIG-IP Edge Client run script before disconnect
Hello,

Currently I have multiple Windows clients running f5 BIG-IP Edge Client and I need them to run a script to contact an internal server before disconnecting from the VPN. There are some articles about running logoff scripts on client (https://support.f5.com/csp/article/K77894700), but couldn't find any about running scripts on client upon disconnect but before terminating VPN connection.

Does f5 have any feature to address this case? Is it possible to run a script in the client machine after the user clicks on the disconnect button but before the VPN connection is terminated?

Thanks!

897 Views, 0 likes, 3 Comments

get big-ip edge client version from apm logs
Hi everybody,

I would like to get the big-ip edge client version from the apm logs. Is it possible? I turned on the debug level and checked the apm logs but I didn't get the big-ip edge client version on the user-agent header.

Regards, Miguel

742 Views, 0 likes, 8 Comments

Machine tunnel
Hi Guys,

we want to use the machine tunnel to just connect the clients with split tunnel to some license servers. I installed nearly all components and set up the tunnel in registry. Machine Certificate/Info is not working and several apm/ltm sessions are created.

Is there more information about troubleshooting/configuring machine tunnel? Is someone successfully using the machine tunnel without edge client?

Thanks and stay relaxed/safe, Sunny regards, Joern

633 Views, 0 likes, 6 Comments

Edge Client and Duo Security
We are currently running an extended pilot of Duo Security 2fa and the F5 vpn. This includes the standalone client. The entire process works properly when accessing via the web, however when using the standalone client we get the following javascript exception

Has anyone else seen and dealt with this issue? We are running 11.6.0 HF6. It happens on the standalone client on Windows, both Windows 8 and Windows 10 thus far.

Solved, 548 Views, 0 likes, 6 Comments

How are ciphers configured or what ciphers are used with the Big IP Edge client?
Recently we've restricted the ciphers on the SSL profiles (Client), and disallowed SSLv3, TLSv1, and a number of other encryption. However, after the change, users using the Edge client were unable to VPN to the F5. When the users tried to connect they get, "Can't receive settings from server."

499 Views, 0 likes, 3 Comments