vpn
100 Topics

F5OS share APM VPN licence across tenant clusters
Hello, I have deployed a pair of r5900 series appliances. On these appliances, I have an Active/Standby tenant cluster of F5 BIG-IP running with the APM module provisioned and an APM configuration dedicated to SSL VPN using the F5 Edge Client. The F5OS chassis are using 3 licences: r5900 Best bundle; APM 1000 VPN Users (x2). This means that the production environment can handle up to 2000 concurrent users connected at the same time on the APM-enabled BIG-IP tenants. My question is the following: can I create 2 new tenants running BIG-IP with the APM module and create a new APM configuration for VPN testing purposes? How is the "APM 1000 VPN Users" licence shared across tenants running on the same r5900 chassis? In the official F5OS documentation, I have noticed that every tenant inherits the licences provisioned on the F5OS chassis, but there is no explanation regarding the sharing of the VPN seats included in the APM VPN licences. Thank you.

How can I find the current connectivity sessions via SNMP?
I am looking for the current number of VPN connections. show /apm license shows things like:

    total connectivity sessions: 500
    current connectivity sessions: 197

How can I get these via SNMP? I cannot locate the OID.

F5Access | MacOS Sonoma
I upgraded my MacOS to Sonoma (the latest version of MacOS) and now F5 Access does not open. When I try to open the application, nothing happens. The icon in the top menu bar does not appear. Is anyone going through the same situation? Thanks!

[Workaround] User required to manually start EPI and VPN in browsers
After upgrading to version 16.1.4 the users need to manually start the End Point Inspector and the Web Initiated VPN by clicking on a "Start" button. This is described in this KB. I created a user-common.js that will automatically click on the start button for the user. However, please note that this workaround works as of 3rd of November 2023, but might stop working in the future in different browsers. In order to activate the workaround you need to have an Access Policy of the Modern type. Then go to Customizations -> Advanced -> Access Profiles -> <Your Access Profile> -> Common and add the following to the file user-common.js:

    define(["require", "exports", "apmui"], function (require, exports, apmui_1) {
        "use strict";
        Object.defineProperty(exports, "__esModule", { value: true });
        var app = apmui_1.App.get();

        // Endpoint Inspector: click the first APM UI button as soon as the EPS check progress event fires
        app.subscribe(apmui_1.EventType.EPS_CHECK_PROGRESS, function (_, store) {
            var btns = document.getElementsByClassName("apmui-button");
            if (btns.length == 0) {
                console.log("Failed to find button...");
                return;
            }
            btns[0].click();
        });

        // Web Initiated VPN: when the "auto start not supported" dialog opens, click its Start button
        app.subscribe(apmui_1.EventType.DIALOG_OPEN, function (_, store) {
            setTimeout(function () {
                var dialog = document.getElementById("sna_auto_start_not_supported");
                if (dialog == null) {
                    console.log("Didn't find the right dialog");
                    return;
                }
                var btns = dialog.getElementsByClassName("apmui-button");
                if (btns.length == 0) {
                    console.log("Didn't find the start button");
                    return;
                }
                btns[0].click();
            }, 100);
        });
    });

If you have a better solution to this, please let me know. This was just what I came up with when asked by customers, as the new "Start" button had created confusion among their users.

Can't access management interface after VPN using APM is established
I had configured network access VPN using the APM module. I tried to split-tunnel the network of my management access, but unfortunately when the VPN is established I can't connect to my F5 management interface. I tried to add a VS with my pool member being my F5 management IP address, where the VS IP address is on the same network as my VPN user, the service is HTTPS, and the pool member is my F5 management IP address with service port 443. The result is that I can ping my VS but I can't connect to my VS which has my F5 management IP address with port 443 as the pool member. Any idea how I can access my F5 after the VPN using APM is established? Really appreciate your help, thank you.

Domain was fixed in Internet Security on Internet Explorer (IE)
How is it possible to edit the domain in Internet Security when it's prompted as in the example image below? (example image) I have set the F5 APM to fix the domain name, using Variable Resource Assign:

    expr { "[mcget {session.ad.last.actualdomain}]\\[mcget {session.logon.last.username}]" }

I tried with Chrome and Firefox and it works well, but in IE the domain is fixed for each PC. My guess is that the behavior of Chrome and Firefox will be like:

    Username: username
    Password: password

After we input the information above, the Variable Resource Assign will automatically add the domain to become domain\username. On the other hand, the result in IE (that browser fixes the domain) will be like RINGWORLD\domain\username, which will make the authentication abort. My idea is to check the browser type; if the client uses IE, the F5 APM will remove the domain that is fixed by the browser. Finally, I am not sure that it's possible to do it this way, or maybe someone can give me a better solution.
- F5 APM with Version 12.1.2 HF1
- IE Version 11
- F5 SSL VPN
Thank you very much

session variable not being substituted?
As a second check to VPN access, I need to check the MAC address of the machine against a database we have. I've set up an AAA HTTP server with a form-based HTTP GET that works when I specify an absolute value. The URL I use is

    http://server.full.name/infoserv/cgi-bin/computing/database/hardware/vpn/MacValid.asp?MacAddress=00:00:00:00:00:00

but when I change it to

    http://server.full.name/infoserv/cgi-bin/computing/database/hardware/vpn/MacValid.asp?MacAddress=%{session.machine_info.net_adapter.list.[0].mac_address}

the session variable is NOT substituted but passed to our web server as "%{session.machine_info.net_adapter.list.[0].mac_address". I've also tried %{session.client.mac_address} with the same result. Is there some trick to getting session variables to work in the "form action" field? Thanks

APM - Network Access issue solved after policy re-apply
Hello All, we registered a weird behavior with an APM (11.4.2 HF7) guest: users can log in correctly on the logon page and AD Auth is fine. Then users start Network Access by clicking on the "na_icon". It worked for a few weeks (a couple of months) with more or less 100 CCU. Suddenly NA stopped working and no one could access the VPN. After a restart of the apmd service the users can start NA for a few minutes (about 15, half an hour) and then the service fails again. We tried upgrading the APM to 11.5.1 but the issue came up again after a few minutes, so we rolled back to 11.4.2 HF7. We set the APM log to debug, tested the issue and got the qkview. When the issue arises the only logs you can find are the following (some sensitive data has been masked):

    Apr 16 09:36:33 slot1/*******-*** notice tmm[25747]: 01490549:5: ea787267: Assigned PPP IPv4: "ip_address" Tunnel Type: VPN_TUNNELTYPE_TLS NA Resource: /Common/"policy_name" - Reconnect
    Apr 16 09:36:33 slot1/*******-*** notice tmm[25747]: 01490505:5: ea787267: PPP tunnel 0x570000fdfa00 started.
    Apr 16 09:36:34 slot1/*******-*** notice tmm[25747]: 01490505:5: ea787267: PPP tunnel 0x570000fdfa00 closed.

After analyzing the qkview without understanding what the problem was, we re-applied the policy and the VPN started to work fine. It's been about 3 weeks that the VPN (Network Access) has been working fine. I'm wondering if anyone else had a similar issue with NA, solving a huge problem just by re-applying the policy without making any changes. Thank you.

Need help understanding the iRule - APM
Hi Team, can you please help me understand the iRule configured under the VIP in APM (remote access VPN)? What exactly will this iRule check?

    when ACCESS_PER_REQUEST_AGENT_EVENT {
        # Only act when the Per-Request Policy iRule Event agent passes this ID
        if { [ACCESS::perflow get {perflow.irule_agent_id}] eq "VPN_CATEGORY2ROLE_LOOKUP" } {
            # in v13+: replace with ACCESS::perflow set {perflow.scratchpad} and replace the Per-Request-Policy VPE variable with {perflow.scratchpad}
            # ACCESS::session data set {session.custom.cg_allow_access_to_url} "0"
            # Default result: deny (0)
            ACCESS::perflow set {perflow.scratchpad} "0"
            set user_roles [ACCESS::session data get {session.cg.user.roles}]
            # Look up the custom categories matching the requested URL
            foreach category [CATEGORY::lookup [ACCESS::perflow get {perflow.category_lookup.result.url}] -display custom] {
                # loop through matched categories
                if {$user_roles contains "|$category|"} {
                    # users roles contain the allowed role
                    # ACCESS::session data set {session.custom.cg_allow_access_to_url} "1"
                    ACCESS::perflow set {perflow.scratchpad} "1"
                    break
                }
            }
        }
    }

Linux CLI VPN Client - "Server certificate verification failed."
Hi all, we've recently gone live with our VPN (on v13 HF2) and some of our users have reported they're having issues accessing the VPN from their Linux command line. On RHEL/Fedora, the VPN connection doesn't work. On Ubuntu, I can see the errors in the logs but it lets me through anyhow. After installing the package, they run the command to connect to the VPN:

    f5fpc -s -t https://ourvpn.com

When querying how the connection went, I can see:

    f5fpc -i
    Connection Status: logon failed
    Server certificate verification failed.

The certificate we're using is a properly signed QuoVadis cert. The ~/.F5Networks/standalone.log shows:

    2017-07-24,14:39:27:019, 2839,2849,standalone, 0, /LinuxEventHandler.cpp, 924, , LinuxEventHandler::loadCAStore()- Using default Trusted cert store at=/etc/ssl/certs, for CA cert validation
    2017-07-24,14:39:27:019, 2839,2849,standalone, 2, /LinuxEventHandler.cpp, 1052, LinuxEventHandler::verify_context_chain(), Server Cert chain is empty
    2017-07-24,14:39:27:021, 2839,2849,standalone, 0, /LinuxEventHandler.cpp, 1063, , LinuxEventHandler::verify_context_chain() - X509_verify_cert(): verification error=2, string=unable to get issuer certificate
    2017-07-24,14:39:27:021, 2839,2849,standalone, 48, /LinuxEventHandler.cpp, 68, CLinuxEventHandler::HandleEvent(), exit with, 0
    2017-07-24,14:39:27:022, 2839,2849,standalone, 2, /USSLChannel.cpp, 312, USSLChannel::Write, SSL_write failed (result: -1, error: SSL_ERROR_SSL)
    2017-07-24,14:39:27:022, 2839,2849,standalone, 1, /UHTTP.cpp, 38, UHTTP::makeRequest(), EXCEPTION - send request error
    2017-07-24,14:39:27:022, 2839,2849,standalone, 1, /UHTTP.cpp, 115, , EXCEPTION caught: UHTTP::makeRequest() - EXCEPTION
    2017-07-24,14:39:27:022, 2839,2849,standalone, 48, /UFirepass.cpp, 679, UFirepass::doGetRequestWithoutRedirect, server returned HTTP code, return code, 0, -1
    2017-07-24,14:39:27:022, 2839,2849,standalone, 1, /UFirepass.cpp, 688, UFirepass::doGetRequestWithoutRedirect, (0x27) EXCEPTION - Channel error, 39
    2017-07-24,14:39:27:022, 2839,2849,standalone, 48, /UChannelChain.cpp, 34, UChannelChain::~UChannelChain(), destroying channel 2. Stats (0) - Recv=3283 Send=524
    2017-07-24,14:39:27:022, 2839,2849,standalone, 48, /UChannelChain.cpp, 34, UChannelChain::~UChannelChain(), destroying channel 1. Stats (0) - Recv=3283 Send=524
    2017-07-24,14:39:27:022, 2839,2849,standalone, 1, /UFirepass.cpp, 782, , EXCEPTION caught: UFirepass::getFirepassToken - EXCEPTION
    2017-07-24,14:39:27:022, 2839,2849,standalone, 1, /UFirepass.cpp, 911, UFirepass::DoPrelogon, Failed to obtain logon token: prelogon is not enabled or Firepass server has version below 5.5
    2017-07-24,14:39:27:022, 2839,2849,standalone, 48, /UChannelChain.cpp, 55, UChannelChain::BuildChannels(), enter, 0x7: U_ENABLE_SOCKET_CHANNEL U_ENABLE_SSL_CHANNEL U_ENABLE_PROXY_CHANNEL
    2017-07-24,14:39:27:022, 2839,2849,standalone, 48,,,, USSLChannel::USSLChannel:RAND_status(1)

I've tried uploading the root/intermediate certificates to /etc/ssl/certs but still no luck. The workaround is to use the ignore certificate switch (-x) but I don't really want to do this.

    f5fpc -s -t https://ourvpn.com/ -x

Any ideas?? Thanks, Nick