vpn
106 Topics

How to nexthop all requests from VPN clients?
I have VPN access configured under APM, and a Virtual Server acting as the access point. The VPN is working well.

I now need to route all traffic (all requests) coming from VPN clients to another router. I don't want the BIG-IP unit to make the routing decisions and distribute the traffic, but want to next-hop all VPN traffic to a central router and have it routed from that one. (Leaving all other traffic that is not from VPN clients unaffected and still routed normally by the BIG-IP.)

I can't use a static route for it, since those are destination based and what I need is effectively source based.

I've tried to add an iRule to the Virtual Server:

    when HTTP_REQUEST {
        nexthop [VLAN] [Router IP]
    }

I've also tried a few other events, such as CLIENT_ACCEPTED and HTTP_REQUEST_SEND, but I can't get it to work.

Any advice on how I can next-hop all requests from VPN clients to another router?

Solved, 75 Views, 0 likes, 7 Comments

F5 BigIP APM VPN some LDAP fields are base64 encoded
We have F5 BigIP APM (16.1.5.2) for VPN SSL, and for some users some LDAP fields are base64 encoded (because of French accents).

I have tried in Variable Assignment:

    session.ldap.last.attr.displayName =
    set encoded [mcget {session.ldap.last.attr.displayName}]
    set decoded [b64decode $encoded]
    return $decoded

But in the log:

    2025-04-17 19:06:54 x.x.x.x - err apmd[1069]: 01490086:3: /Common/AP:Common:77c07d2d: Rule evaluation failed with error: invalid command name "b64decode"

Is it possible to have the correct syntax for this conversion?

Thank you

Solved, 231 Views, 0 likes, 1 Comment

DNS resolve issues on Ubuntu 24 LTS with f5fpc
Hi,

After switching to Ubuntu 24 LTS, I encountered the connection issues as described here: https://community.f5.com/discussions/TechnicalForum/problems-connecting-to-vpn-after-upgrading-to-ubuntu-24-04/329549 . Applying the fix of symlinking /etc/resolv.conf made things work partly.

What I am seeing is that, after connecting with f5fpc, /etc/resolv.conf contains the two nameservers of my vpn domain (great), but also still my local lan nameserver (192.168.1.1, not so great). This causes about 1 in 3 DNS requests for hosts on the vpn side to fail.

    $ cat /etc/resolv.conf
    17 │ nameserver 192.168.20.2
    18 │ nameserver 192.168.20.25
    19 │ nameserver 192.168.1.1
    20 │ search .

Any ideas what could be causing this?

365 Views, 0 likes, 0 Comments

Need to log the VPN Pool IP Address on the Edge Firewall Logs
Dears,

Greetings.

I am using the F5 APM as a VPN solution. On the edge firewall logs I can see ONLY the self IP addresses and NOT the assigned VPN pool IP address that is configured under the Network Access Profile in the APM config. I am using a one-arm deployment.

When I try to remove the SNAT from the Virtual Server and the Network Access Profile on the APM, interchangeably and with each other, I cannot reach the services.

85 Views, 0 likes, 1 Comment

F5OS share APM VPN licence across tenant clusters
Hello,

I have deployed a pair of r5900 series appliances. On these appliances, I have an Active/Standby tenant cluster of F5 BIG-IP running with the APM module provisioned and an APM configuration dedicated to SSL VPN using the F5 Edge Client.

The F5OS chassis are using 3 licences:

- r5900 Best bundle
- APM 1000 VPN Users (x2)

This means that the production environment can handle up to 2000 concurrent users connected at the same time on the APM-enabled BIG-IP tenants.

My question is the following: Can I create 2 new tenants running BIG-IP with the APM module and create a new APM configuration for VPN testing purposes? How are the "APM 1000 VPN Users" licences shared across tenants running on the same r5900 chassis?

In the official F5OS documentation, I have noticed that every tenant inherits the licences provisioned on the F5OS chassis. But there is no explanation regarding the sharing of the VPN seats included in the APM VPN licences.

Thank you.

Solved, 179 Views, 0 likes, 4 Comments

How can I find the current connectivity sessions via SNMP?
I am looking for the current number of VPN connections. show /apm license shows things like:

    total connectivity sessions: 500
    current connectivity sessions: 197

How can I get these via SNMP? I cannot locate the OID.

514 Views, 0 likes, 5 Comments

F5Access | MacOS Sonoma
I upgraded my MacOS to Sonoma (the latest version of MacOS) and now F5 Access does not open. When I try to open the application, nothing happens. The icon in the up menu bar does not appear.

Is anyone passing through the same situation?

Thanks!

Solved, 4.2K Views, 3 likes, 53 Comments

[Workaround] User required to manually start EPI and VPN in browsers
After upgrading to version 16.1.4 the users need to manually start the End Point Inspector and the Web Initiated VPN by clicking on a "Start" button. This is described in this KB.

I created a user-common.js that will automatically click on the start button for the user. However, please note that this workaround works as of 3rd of November 2023, but might stop working in the future in different browsers.

In order to activate the workaround you need to have an Access Policy of the Modern type. Then go to Customizations -> Advanced -> Access Profiles -> <Your Access Profile> -> Common

Add the following to the file user-common.js:

    define(["require", "exports", "apmui"], function (require, exports, apmui_1) {
        "use strict";
        Object.defineProperty(exports, "__esModule", { value: true });
        var app = apmui_1.App.get();

        // Endpoint inspection in progress: click the first APM UI button (the "Start" button).
        app.subscribe(apmui_1.EventType.EPS_CHECK_PROGRESS, function (_, store) {
            var btns = document.getElementsByClassName("apmui-button");
            if (btns.length == 0) {
                console.log("Failed to find button...");
                return;
            }
            btns[0].click();
        });

        // A dialog opened: if it is the "auto start not supported" dialog for the
        // web-initiated VPN, click its start button after a short delay.
        app.subscribe(apmui_1.EventType.DIALOG_OPEN, function (_, store) {
            setTimeout(function () {
                var dialog = document.getElementById("sna_auto_start_not_supported");
                if (dialog == null) {
                    console.log("Didn't find the right dialog");
                    return;
                }
                var btns = dialog.getElementsByClassName("apmui-button");
                if (btns.length == 0) {
                    console.log("Didn't find the start button");
                    return;
                }
                btns[0].click();
            }, 100);
        });
    });

If you have a better solution to this, please let me know. This was just what I came up with when asked by customers that the new "Start" button had created confusion among their users.

Solved, 1.5K Views, 5 likes, 3 Comments