APM Local DB multiple groups
Hi, I'm using APM with localdb authentication and performing a group lookup, then using Resource Assign to assign ACLs based on the localdb group. It works well with one group and one set of ACLs per group. But what if I want a user to have ACLs from more than one group? Do I assign multiple groups to the user? I've sort of tried this but it did not work: only ACLs from one group are applied. Is this sort of functionality supported, or is the group field in localdb meant for only one group?
Order of resource assignment when a user is assigned multiple network access resources
Good day, what logic or method is used by the F5 APM to choose which network access resource takes effect when a user is assigned multiple network access resources? In my environment (BIG-IP Virtual Edition APM+LTM 16.1.4, two-node cluster) we are assigning different network access resources based on group membership. Some users are members of multiple groups that are being assigned different resources, which often results in them getting the "general user" settings and address pool instead of the Executive settings and pool, to which they are also assigned. I haven't been able to determine the logic that APM applies to decide which resources take precedence. It doesn't appear to be the order in the Advanced Resource assignment. It almost looks alphabetical. Thanks, Chris
Can't access management interface after VPN using APM is established
I had configured a network access VPN using the APM module and tried to split-tunnel the network of my management access, but unfortunately once the VPN is established I can't connect to my F5 management interface. I tried to add a VS whose pool member is my F5 management IP address, where the VS IP address is on the same network as my VPN users, the service is HTTPS, and the pool member is my F5 management IP address with service port 443. The result is that I can ping my VS but I can't connect to the VS whose pool member is my F5 management IP address on port 443. Any idea how I can access my F5 after the VPN using APM is established? I really appreciate your help, thank you.
[APM] ACL Interest
Hi, I've been integrating F5 VPNSSL using APM for many weeks. Our user population may use the following elements:
Portal Access
RDP Access
Network Access
My questions are about Network Access. Today, I use Network Access to allocate the same IP address inside and outside the enterprise (the F5 has an interface in all my enterprise LANs). I then have as many forwarding VSes as enterprise LANs. On each forwarding VS I have this iRule:
when CLIENT_ACCEPTED {
    # Clients holding a Network Access lease from 192.168.160.0/23 are sent to the LAN gateway
    if { [IP::addr [IP::client_addr] equals 192.168.160.0/255.255.254.0] } {
        node 192.168.160.1
    } else {
        # Anything else is logged and dropped
        log local0. "[IP::client_addr] access problem"
        reject
    }
}
This iRule sends traffic to gateway 192.168.160.1 if the Network Access IP is in the 192.168.160.0/23 range. This system works perfectly, but I have questions about it. I have an ACL that looks like this:
Src: 192.168.160.0/23
Destination: 0.0.0.0
Port: Any
Allow
My firewalls are here to do filtering, not APM. This morning I realized that if I remove this ACL, nothing changes; everything still works perfectly. Is my F5 not supposed to filter if there is no ACL? In this case, what is the interest of ACLs (only portal mode)? Thanks a lot for your answers.
APM - Network Access issue solved after policy re-apply
Hello all, we registered a weird behavior with an APM (11.4.2 HF7) guest: users can log in correctly on the logon page and AD Auth is fine. Then users start network access by clicking on the "na_icon". It worked for a few weeks (a couple of months) with more or less 100 CCU. Suddenly NA stopped working and no one could access the VPN. After a restart of the apmd service the users can start NA for a few minutes (about 15, half an hour) and then the service fails again. We tried upgrading the APM to 11.5.1 but the issue came up again after a few minutes, so we rolled back to 11.4.2 HF7. We set the APM log to debug, tested the issue and got the qkview. When the issue arises the only logs you can find are the following (some sensitive data has been masked):
Apr 16 09:36:33 slot1/*******-*** notice tmm[25747]: 01490549:5: ea787267: Assigned PPP IPv4: "ip_address" Tunnel Type: VPN_TUNNELTYPE_TLS NA Resource: /Common/"policy_name" - Reconnect
Apr 16 09:36:33 slot1/*******-*** notice tmm[25747]: 01490505:5: ea787267: PPP tunnel 0x570000fdfa00 started.
Apr 16 09:36:34 slot1/*******-*** notice tmm[25747]: 01490505:5: ea787267: PPP tunnel 0x570000fdfa00 closed.
After analyzing the qkview without understanding what the problem was, we re-applied the policy and the VPN started to work fine. It has been about 3 weeks now that the VPN (network access) has been working fine. I'm wondering if anyone else had a similar issue with NA, solving a huge problem just by re-applying the policy without making any changes. Thank you.
F5 Access 2018 app shows "Unable to retrieve network access configuration" on iPhone 7 with iOS 12 (beta)
The F5 Access 2018 app shows "Unable to retrieve network access configuration" on iPhone 7 with iOS 12 (beta) when we use Web Logon for authentication (for OTP codes). If we choose Native authentication (and remove the requirement for OTP), the VPN establishes just fine. On the server side, we see "Session deleted due to user logout request." when the user receives the error message. We're using split-tunnel VPN. A user reported getting the above error after upgrading to iOS 12 Beta and installing the F5 Access 2018 app. I have replicated this on a brand new iPhone 7 after upgrading it to iOS 12. I am suspecting this is an iOS 12 Beta bug, but it is a problem nonetheless. See below for the relevant part of the client logs. I also saw this old thread which refers to the exact same "Error 111" message on iOS as seen in the F5 Access client log: https://stackoverflow.com/questions/20454853/nsxmlparsererrordomain-111
Excerpt from client log:
PacketTunnelProvider.swift, 477, startTunnel(options:completionHandler:), Session has been established
VpnFavoriteListOperation.swift, 110, main(), VPN Favorites failed: Error Domain=NSXMLParserErrorDomain Code=111 "(null)"
PacketTunnelProvider.swift, 484, startTunnel(options:completionHandler:), Network parameters have been received
PacketTunnelProvider.swift, 487, startTunnel(options:completionHandler:), Failed to get NA settings Internal Error: VPN resource was not found
PacketTunnelProvider.swift, 334, displayMessage(_:completionHandler:), Unable to retrieve network access configuration
BIG-IP network access option "Register this connection's addresses in DNS" registers two addresses
Hello, I have enabled the BIG-IP network access option "Register this connection's addresses in DNS" to register the VPN client IP in our company's DNS. The same option is also enabled on all network adapters of our Windows machines. The issue I am now experiencing is that not only the client IP gets registered but also the physical IP of the network adapter, which in most cases is a private IP and useless. Because of this it is a matter of luck to get the correct IP when doing a name resolution, but I cannot uncheck the box on the physical adapters as the machines would then populate the LAN/WiFi IP to the DNS and this would cause problems. Thanks, Martin
Selective SNAT in VPN
I have a fully working VPN (Network Access) on BIG-IP; very easy to set up. I have an RFC1918 IP pool 10.10.1.1-10.10.1.254 allocated for the VPN clients, and my BIG-IP has a couple of network interfaces. If I enable AutoMap, everything works nicely. Question: is it possible to do a selective SNAT based on where the client wants to go? If yes, how? I'm trying to keep the RFC1918 IPs when clients talk to internal resources in our network, but I would like to SNAT only the traffic going to the Internet (it leaves through a specific interface that has its own self-IP).
userID to LeasePool IP Mapping
Hey all, I finally have my SSLVPN route domain working to force all my VPN traffic through our internal network. I am not translating any of the source addresses, so each leased address in the lease pool for my VPN clients is visible on the network. My goal now is to configure syslog to point to some of our syslog collectors and associate the authenticated user with the leased address. So far, in reviewing the APM logs, I cannot find one log that contains both the leased address and the userID. I have two separate logs with the info, myuserID being my account and 192.168.9.8 being the leased IP in the pool:
Sep 2 13:12:08 JHHCF5-2 info apd[7160]: 01490007:6: a9dbfe8b: Session variable 'session.logon.last.username' set to 'myuserID'
Sep 2 13:12:28 JHHCF5-2 notice tmm3[13010]: 01490549:5: a9dbfe8b: Assigned PPP Dynamic IPv4: 192.168.9.8 Tunnel Type: VPN_TUNNELTYPE_DTLS NA Resource: /Common/jhhc_test_vpn_ap_na_res Client IP: 10.1.12.9
Has anyone done this? As an example, I would like to integrate it with my Palo Alto URL filtering engine, which can be configured to parse logs to associate userID with source IP. Any help is appreciated!
VPN not working when using APM policy via Local Traffic Policy
Hi all, I've got an interesting one and hope that one of you has a clue. Setup:
1. FW translating public address to private address
2. F5 VS with private address, with Local Traffic Policy
3. The LTP is used to forward traffic to about 5 different VS-es, based on the HTTP Host header
4. One of those 2nd-layer VS-es (Standard VS) has an APM policy attached, with RDP and Portal Access objects and a Network Access object. (All other VS-es have standard pools attached to them with basic websites.)
When a user connects to the websites behind the other VS-es using their respective URLs, all is happy and working. When a user connects to the APM VS via a browser, they can log in and the RDP and Portal Access objects work fine. When a user connects to the APM VS via a browser and logs in but uses the Network Access object, this fails and gives the error message "Failed to download configuration" after a while. When a user connects to the APM VS via the BIG-IP VPN client on a laptop, it hangs at "Initializing" and after a long while gives up. When a user connects to the APM VS via the F5 Access mobile client, it hangs at "Connecting". Connecting the APM policy straight to the first/front VS and removing the LTP, everything works. I've even created an LTP with just a one-line rule that forwards all traffic to the APM VS, but still the same behaviour. I'm not using DTLS, it's running v13.1.0.8, and I have been able to replicate it on another system, so it's probably my config that's doing it... Any idea?? I'm stumped... Thanks, Alex