F5 APM DHCP instead of leasepool
Hello, I'm looking to configure the APM to use an upstream DHCP server instead of the locally defined leasepool. I have seen in other posts a link to an article for just this, but the link is no longer around and I cannot find the iapps template associated. iApp, documentation, and example APM Policy to get IP addresses from DHCP for APM VPN clients Can someone point me to the correct link, or can someone tell me the proper way to do this? When i remove the leasepool from the APM policy it says no leasepool assigned and the connections fail. Thank you.
how to get client-side debug output from Network Access Plugin?
I've been using the F5NAP as a client for ~2 years, after getting it setup on 64-bit linux, to run SSH sessions on a research compute cluster. However now I must make the F5VPN run through a jumpbox, which is not currently working: I can login to the remote access site from the F5NAPed firefox, and start the F5VPN, at which point I immediately lose all DNS. I'm guessing The F5VPN is trying to push to my client a reference to a DNS server inside the firewall. I know from past experience that important hostnames (of, e.g., cluster login nodes) are only visible from the LAN or VPN. This failure is whacking DNS on my client, because I observe the following repeatable sequence: 1. Start F5NAPed firefox on client (laptop, which remains 64-bit linux). Test nslookup www.google.com from a console/terminal: succeeds. Login to remote-access site with F5NAPed firefox. Test nslookup www.google.com : succeeds. Use remote-access site's web UI to start F5VPN. Test nslookup www.google.com : fails with ;; connection timed out; no servers could be reached Use remote-access site's web UI to exit F5VPN (but leaving F5NAPed firefox up and logged-in to remote-access site). Test nslookup www.google.com : succeeds. The DNS push from the F5VPN is failing due to a routing problem, since the F5VPN worked before the imposition of the jumpbox tunnel. However I see no way to debug this, since the F5VPN is implemented with a browser plugin. Is there some way to get status/debug output (e.g., stdout, stderr messages) from the F5NAP on linux, the way one could if running a console-based solution? E.g., Can one make the F5NAP log to a file? Can one make the F5NAP log to the console from which one runs the F5NAPed firefox? Is there a recommended tool for observing relevant messages or other information from within firefox-3.x?IPSec VPN between LTM and AWS VPC
we are tring to build a IPSec VPN between our platform and the VPC (Virtual Private Cloud) from AWS. We have only a LTM on our side. AWS has many templates for different firewall systems (Cisco, Junipa, Palo Alto, Windows). The configuration of IKE and IPSec SA is simple with the generic template. However, difficult is the routing through the tunnel. AWS wants to use the network 169.254.254.0/30 and the LTM says: 01020062:3: IP Address 169.254.254.2 is invalid, link-local address not allowed. Has anyone build a working tunnel with a LTM to AWS and can describe the solution? thank you
What irule events are available after ltm assigns a client ppp address?
I need to grab the clients ppp address after network access is granted. Does anyone know what event I can use to trigger this? When I use the ACCESS_POLICY_COMPLETED event the session.assigned.clientip is empty and if I use after it just delays the client ip assign and session.assigned.clientip is still empty. Any help is greatly appreciated.irule inspecting or modifying vpn traffic
The access policy for my virtual server grants network access. The only resource on the network behind the f5 is my proxy server. I need to pass the client certificates to my proxy server in the http header. I found a rule here that is triggered by http_request that works for initial connection to the F5/virtual server. Unfortunately once the SSL tunnel comes up the irule does not see anymore http_requests. My guess is that the VPN tunnel terminates behind the virtual server interface so the irule associated with the virtual server doesn't see the traffic. Has anyone figured out how to grab client ssl certs coming down a VPN tunnel and inject them into the http header? Would an irule in a rewrite profile accomplish this? Does anyone know of a simpler was of getting my clients to my proxy other than the network resource assign?