how to get client-side debug output from Network Access Plugin?
I've been using the F5NAP as a client for ~2 years, after getting it setup on 64-bit linux, to run SSH sessions on a research compute cluster. However now I must make the F5VPN run through a jumpbox, which is not currently working: I can login to the remote access site from the F5NAPed firefox, and start the F5VPN, at which point I immediately lose all DNS. I'm guessing The F5VPN is trying to push to my client a reference to a DNS server inside the firewall. I know from past experience that important hostnames (of, e.g., cluster login nodes) are only visible from the LAN or VPN. This failure is whacking DNS on my client, because I observe the following repeatable sequence: 1. Start F5NAPed firefox on client (laptop, which remains 64-bit linux). Test nslookup www.google.com from a console/terminal: succeeds. Login to remote-access site with F5NAPed firefox. Test nslookup www.google.com : succeeds. Use remote-access site's web UI to start F5VPN. Test nslookup www.google.com : fails with ;; connection timed out; no servers could be reached Use remote-access site's web UI to exit F5VPN (but leaving F5NAPed firefox up and logged-in to remote-access site). Test nslookup www.google.com : succeeds. The DNS push from the F5VPN is failing due to a routing problem, since the F5VPN worked before the imposition of the jumpbox tunnel. However I see no way to debug this, since the F5VPN is implemented with a browser plugin. Is there some way to get status/debug output (e.g., stdout, stderr messages) from the F5NAP on linux, the way one could if running a console-based solution? E.g., Can one make the F5NAP log to a file? Can one make the F5NAP log to the console from which one runs the F5NAPed firefox? Is there a recommended tool for observing relevant messages or other information from within firefox-3.x?
Logging SSL VPN Client Outbound Traffic
Hi all, I've searched around and found a few bits mentioned regarding the use of wildcard forwarding proxies and related rules but can't seem to find a definitive answer. We have an SSLVPN that we'd like some enhanced logging enabled on for security compliance. I've managed to get the majority of this working using the following iRule, however I'm missing one vital piece of information, the true destination of the traffic. when HTTP_REQUEST { set remote [IP::remote_addr]:[TCP::remote_port] set vip [IP::local_addr]:[TCP::local_port] set user [ACCESS::session data get session.logon.last.username] set session [HTTP::cookie value LastMRH_Session] set clientip [ACCESS::session data get session.user.clientip] set IntIP [ACCESS::session data get session.assigned.clientip] set url [HTTP::header Host][HTTP::uri] log "Rule TCP_logging fired, from $remote to vip $vip, user $user, session $session, client IP $clientip, InternalIP $IntIP, url $url" } This gives me a nice log entry with source and internal IP, username, session ID which is great! I've tried using the [IP::server_addr] value however that just returns an error (I believe because it's not actually load balancing), I've also tried the various [HTTP] variables however they just return the URL of the VIP itself not the destination traffic. All I want to see is if a user connected to the VPN hits a URL that this is recorded in the logs alongside the information I've collected above. I would appreciate any help possible! Kind Regards SpencerAPM SSLVPN with layered virtual
Hi guys, I'm trying a new (for me), but oftenly recommended by F5 SEs, setup with layered virtuals. In my testing environment, I have only one single IP address. This is used for a standard virtual server, which will be used as some kind of a jump VS (let's call it 'VS_jump'). I've assigned an LTM policy to this VS, which forwards the traffic to different virtuals, based on the requested host header. Basically this is working finde. But I'm struggling arround with APM and SSLVPN (Network Access). The requests hit the correct VS ('VS_apm-sslvpn') with APM profile assigned and the user is able to authenticate. But after opening the PPP tunnel, it's ending in a timeout for the client. The APM log tells me, that the tunnel was directly closed: PPP tunnel 0x56009ef6dd00 (ID: 703c0a5b) started. PPP tunnel 0x56009ef6dd00 (ID: 703c0a5b) closed. This issue only occurs, if the APM profile is bound to the forwarded virtual, 'VS_apm-sslvpn'. For testing purposes I've assigned the APM and connectivity profile to 'VS_jump' and the connection came up directly, without any issue. The message PPP tunnel 0x56009ef6dd00 (ID: 703c0a5b) closed. only appears, when the connection is manually disabled. So my question is: Are there any known limitations to SSLVPN, when used in conjunction with layered virtuals? I'm not sure about settings like HTTP-XFF or SNAT - where shall they be set? On 'VS_jump' or 'VS_apm-sslvpn'. Unfortunately I wasn't able to find anything related to SSLVPN and layered virtuals. Any ideas? Thanks in advance. Cheers, Sven
SSL VPN Split Tunneling and Office 365
UPDATE: Apr 9, 2020 A colleague, Vinicius M. , put together a Configuration guide: Optimizing Office 365 traffic on Remote Access through VPNs when using BIG-IP APM.pdf As we shift to a much larger remote workforce than ever before, additional strains are being placed on the remote access infrastructure of many organizations around the world. Over the past several weeks we have seen organizations adapt quickly, and as it relates to APM, implement split tunneling configurations to specifically allow Office 365 traffic to egress a client's local interface instead of the corporate network via the VPN tunnel. Microsoft publishes their Office 365 endpoints (URLs & IPs) via an API but occasionally they make changes and keeping on top of those changes can be an administrative nightmare. To make the ongoing maintenance of the Network Access Lists / split tunneling configuration as seamless as possible, I’ve adapted a Python script (see GitHubRepo) we commonly use for SSL Orchestrator deployments to fetch Office 365 endpoints and update one or more Network Access Lists. Used in conjunction with iCall, this script will periodically check for and apply updates to your Network Access List(s) without any administrative intervention, allowing you to focus on other mission critical tasks. The script is maintained and documented in this GitHub repository: https://github.com/f5regan/o365-apm-split-tunnel Microsoft has provided us with a statement concerning their recommendations for Office 365 and split tunneling: "Microsoft recommends excluding traffic destined to key Office 365 services from the scope of VPN connection by configuring split tunneling using published IPv4 and IPv6 address ranges. For best performance and most efficient use of VPN capacity, traffic to these dedicated IP address ranges associated with Office 365 Exchange Online, SharePoint Online and Microsoft Teams (referred to as Optimize category in Microsoft documentation) should be routed directly, outside of the VPN tunnel. Please refer to Microsoft guidance for more detailed information about this recommendation." Microsoft’s recommendations have been incorporated into the script published in the aforementioned GitHub repository. See the changelog for details. More Resources In addition to considering how the steps in this article may relieve some strain on your organization’s remote access infrastructure, I’d highly recommend visiting How to optimize SSL VPN connections when BIG-IP is reaching 100% CPU for further guidance on optimizing SSL VPN connections.
iRule matching destination address using VPN
Hello, I have a F5 running LTP/APM and I'm using the EDGE-client for SSL-VPN. As it is now I'm using a full tunnel since I have both outside and inside of the F5 connected to a firewall. Right now i SNAT and everything works fine but I would like to SNAT traffic to the outside (internet) and use NO SNAT to the inside networks. (all private networks) I have found examples where I sort traffic based on the source (client) but I want to check if the resource the vpn-connection is trying to reach is a private address and if so use NO SNAT and if the resource is a public address then use SNAT. In my example I have IP::client_addr which returns the address my client is coming from. But I want to see the address I'm going to, through the vpn-tunnel. I get address 192.168.100.200 on my tunnel-interface on my client. When I try to reach for example www.sunet.se (192.36.171.231) I want to get that IP and match it against the private networks and if it's a match - no nat and otherwise nat. Am I being confusing? 🙂 Iv'e been broswing around the iRule reference but can't find anything that suite my needs. I can get my public IP outside the tunnel, i can get the ip of the VS im connected to, I can get the IP my tunnel-interface has but I can't get the destination Ip. Is it possible? Best regards, // Fredrik when CLIENT_ACCEPTED { if { [IP::addr [IP::client_addr] equals 10.0.0.0/8] or [IP::addr [IP::client_addr] equals 192.168.0.0/16] or [IP::addr [IP::client_addr] equals 172.16.0.0/12] } { snat none } else { snat automap} }
Linux SSL VPN client error - SSL handshake failed
Hello, We have recently update our SSL VPN infrastructure and after that I haven't been able to create a VPN tunnel from my laptop. I can successfully login to the web interface but when I try to create a tunnel a "Browser is waiting from status from Network Access Application" popup appears and after a short time it goes back to the popup that allows to download the client RPM or DEB. I can see these entries in the ~/.F5Networks/vpn.log when I try (always the same entries): ========================================================================== Kernel version: 1 SMP Debian 4.9.51-1 (2017-09-28) System: Linux Release: 4.9.0-4-amd64 Model: x86_64 Node name: robfas-lin ========================================================================== 2017-10-13,10:56:06:040, 19333,19333,, 0,,,, 2017-10-13,10:56:06:040, 19333,19333,, 0,,,, ===================================== 2017-10-13,10:56:06:040, 19333,19333,, 0,,,, Location: /opt/f5/vpn/f5vpn 2017-10-13,10:56:06:040, 19333,19333,, 0,,,, Version: 7140.2017.0414.1 2017-10-13,10:56:06:040, 19333,19333,, 0,,,, Locale: C 2017-10-13,10:56:06:040, 19333,19333,, 0,,,, Qt version: 5.7.1 2017-10-13,10:56:06:040, 19333,19333,, 0,,,, ===================================== 2017-10-13,10:56:06:040, 19333,19333,, 0,,,, 2017-10-13,10:56:06:040, 19333,19333,, 48,,,, current log level = 63 2017-10-13,10:56:06:042, 19333,19333,, 48, /Helpers.h, 96, void f5::qt::setupLogs(const std::string&, const std::string&), OpenSSL supported: true. Lib in use: OpenSSL 1.0.2l 25 May 2017. Build: OpenSSL 1.0.2k 26 Jan 2017 2017-10-13,10:56:06:085, 19333,19333,, 48, /LinuxService.h, 45, void f5::qt::DBusInterface::Open(QStringList, QMap), D-Bus Open() method called 2017-10-13,10:56:06:097, 19333,19333,, 48, /HttpNetworkManager.cpp, 211, void f5::qt::HttpNetworkManager::HttpGet(const QUrl&, uint32_t), starting GET request to, https://vpn.paf.com/my.report.na 2017-10-13,10:56:06:200, 19333,19333,, 1, /HttpNetworkManager.cpp, 124, void f5::qt::HttpNetworkManager::error(QNetworkReply::NetworkError), Error occured while processing request(code), 6 2017-10-13,10:56:06:200, 19333,19333,, 1, /HttpNetworkManager.cpp, 271, void f5::qt::HttpNetworkManager::Finished(QNetworkReply*), Finished (code, error), 6, SSL handshake failed 2017-10-13,10:56:06:200, 19333,19333,, 48, /HttpNetworkManager.cpp, 420, void f5::qt::HttpNetworkManager::RequestFinished(), Request finished (err code, HTTP code), 6, 0 2017-10-13,10:56:06:200, 19333,19333,, 1, /HttpNetworkManager.cpp, 424, void f5::qt::HttpNetworkManager::RequestFinished(), Error occured (error code, HTTP code), 6, 0 2017-10-13,10:56:06:201, 19333,19333,, 48, /Session.cpp, 87, void f5::qt::Session::ProfileDownload(), Profile download starting, https://vpn.paf.com/pre/config.php?version=2.0 2017-10-13,10:56:06:201, 19333,19333,, 48, /HttpNetworkManager.cpp, 211, void f5::qt::HttpNetworkManager::HttpGet(const QUrl&, uint32_t), starting GET request to, https://vpn.paf.com/pre/config.php?version=2.0 2017-10-13,10:56:06:298, 19333,19333,, 1, /HttpNetworkManager.cpp, 124, void f5::qt::HttpNetworkManager::error(QNetworkReply::NetworkError), Error occured while processing request(code), 6 2017-10-13,10:56:06:298, 19333,19333,, 1, /HttpNetworkManager.cpp, 271, void f5::qt::HttpNetworkManager::Finished(QNetworkReply*), Finished (code, error), 6, SSL handshake failed 2017-10-13,10:56:06:298, 19333,19333,, 48, /HttpNetworkManager.cpp, 420, void f5::qt::HttpNetworkManager::RequestFinished(), Request finished (err code, HTTP code), 6, 0 2017-10-13,10:56:06:298, 19333,19333,, 1, /HttpNetworkManager.cpp, 424, void f5::qt::HttpNetworkManager::RequestFinished(), Error occured (error code, HTTP code), 6, 0 2017-10-13,10:56:06:298, 19333,19333,, 48, /Session.cpp, 59, void f5::qt::Session::ProfileDownloadFailed(QString), Profile download failed, Network error 2017-10-13,10:56:06:298, 19333,19333,, 48, /SessionManager.cpp, 222, void f5::qt::SessionManager::SessionError(QString), ----Session 46112466 ends----. Error occured: Network error 2017-10-13,10:56:06:298, 19333,19333,, 48, /SessionManager.cpp, 214, void f5::qt::SessionManager::CheckSessions(), No live sessions, quitting application.... I'm running on Debian Stretch 64 bit. I tried everything I could think about without success (and at the same time I can login successfully from an Android Tablet). Any tip on what I could try? Could this be related to this bug: ID382396 [Linux CLI] Certificate verification doesn't work for some Linux distributions? Thanks in advance!
APM: VPN + Azure AD MFA, what license?
Hey, i am new to the F5 universum and i have a question regarding licensing: When using Remote Access SSL VPN in combination with Azure AD for MFA via SAML, what kind of license is needed in such cases? I would assume its one CCU per Connection? - what about those access sessions? Maybe someone could help me out on this, Thanks in advance :)
Windows Group Policy Trigger on Network Connect
Hi, I'm wondering if there is a way to trigger Windows Group Policy to be triggered when a user connects to VPN. We are able to run gpudate.exe as an application on connect, but this is visible to the end user. We have User and Machine Windows Group Policies on our domain which we'd like to ensure gets applied once the user is connected to VPN and not have to wait for the usual Windows GPO refresh cycle.
"Application Launch" doesn't execute (SSL VPN)
Hi, I am using the F5 to setup up an SSL VPN into our network. Am using APM to do authentication and posture checking. Once everything has passed there is a Resource assign and and then a Variable assign to setup an application launch. When connecting using the BipIP edge client (on Windows) I can see the posture checks occurring and the I am authenticated and connected to the network. However the application doesn't launch. The F5 application Helper UAC prompt occurs, to which I click YES. I went and had a look through the client logs and found the following entries 2016-04-15, 6:09:23:886, 2624,1752,Standalone, 48, \NetworkAvailabilityMonitor.cpp, 282, WaitForConnectionToSettle::WaitForConnectionToSettle, Network event occured while waiting for connection to settle I assume the network event that occurred was the application launch, because when looking through the logs of a different connection that does work I can see the following 2016-04-15, 4:07:10:335, 3296,2552,HOST, 48,,,, CHostCtrl::ExecuteApplication:launch cmd="mstsc.exe" which is no where to be found in the logs when it doesn't work. Does anyone know what causes the connection settle issue and how I might be able to resolve it? Cheers, Simon
