F5 apm ACL ACES bypassed

Hello folks!

I'm having strange problem on one of our BigIP with SSL VPN. We are using APM to provide SSL VPN and assign ACL to control user behavior on L4. In access policy we authenticate user against LocalDB or AD auth and then assign full webtop, network access and static ACL. User can connect to VPN, split-tunneling working fine but it seems that ACL is completely bypassed. Doesn't matter if it deny any or permit any it's havent effect at all. No packets logged via ACL. I tried change ACL order, reload BigIP box, restarted apd after acl created, updated to new version but nothing helps.

By the way, if user will connect to APM via Browser, and will try to use Portal access he will get - access denied but if from the same browser he will establish network tunnel - acl will not work.

Our BigIp is 11.5.1 HF5.

Where we should find our problem ?

application delivery

BIG-IP Access Policy Manager (APM)

kunjan_118660
Oct 27, 2014
It seems like some other VS is catching the traffic instead of internal built-in APM virtual(_tmm_apm_fwd_vip).

Try to do a tcpdump (tcpdump -ns0 -i 0.0:nnn) which can verify this.

I guess you also might see the problem of ACCESS_ACL_ALLOWED event not triggered because of this issue.

15 Replies

Arnaud_Lemaire
Employee
Oct 23, 2014
Hello, are you sure that traffic is going through the SSL VPN tunnel ? maybe you have an issue with your split tunneling and user is going through default gateway ?
scorpa_121336
Nimbostratus
Oct 23, 2014
Yes, i'm sure.

For example if we have phone with edge gateway, you cannot ping internal resources obviously, but after tunnel has been established - you can reach anything except resources on port 80... And by the way, if i understand correctly ACL should work before traffic will be routed via F5 so in any case traffic must be processed by acl but it's not.
scorpa_121336
Nimbostratus
Oct 23, 2014
In this article https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-config-11-4-0/apm_config_resources.html147263

I should create:

With network access, you can use a Layer 7 ACL that is configured to provide access control for port 80 HTTP connections. However, if you want to provide access control for anything that is not on port 80, you must create a second virtual server, configured with the IP address to which the ACL entry applies, and the default access profile, access

But there is no explanation how to create this "second virtual server", For example in Standard virtual server there is no option to choose "access" profile in access policy segment.
Arnaud_Lemaire
Employee
Oct 23, 2014
Nope, you don't need anything more in APM configuration nor LTM. Just applying the ACL in VPE resources.

could you give us a screen shot of your ACL and verify what is in you resource assign ?
scorpa_121336
Nimbostratus
Oct 23, 2014
Nothing special in my policy.

I'm able to see assigned ACL in log and in session variables.

But tmsh show apm acl prints nothing ...
scorpa_121336
Nimbostratus
Oct 27, 2014
Hello again !

May be some one have any ideas ?

I tried to upgrade software - no effect. It seems it's not bug, something in settings but where should i look...
kunjan
Nimbostratus
Oct 27, 2014
It seems like some other VS is catching the traffic instead of internal built-in APM virtual(_tmm_apm_fwd_vip).

Try to do a tcpdump (tcpdump -ns0 -i 0.0:nnn) which can verify this.

I guess you also might see the problem of ACCESS_ACL_ALLOWED event not triggered because of this issue.
- scorpa_121336
  Nimbostratus
  Oct 27, 2014
  I found, it's Wildcard_Forwarding_vs which is created for forwarding from 0/0 to 0/0. We need to forward traffic from servers behind F5 to another locations, thats why this server had been created. How we can forward traffic on F5 like on any other router and provide ACL to VPN users ?
- scorpa_121336
  Nimbostratus
  Oct 27, 2014
  Ok, sorry for this silly question :) I disable Wildcard forwarding server on SSL VPN cp tunnel, and ACL in force again. Thank you for your help !
kunjan_118660
Cumulonimbus
Oct 27, 2014
It seems like some other VS is catching the traffic instead of internal built-in APM virtual(_tmm_apm_fwd_vip).

Try to do a tcpdump (tcpdump -ns0 -i 0.0:nnn) which can verify this.

I guess you also might see the problem of ACCESS_ACL_ALLOWED event not triggered because of this issue.
- scorpa_121336
  Nimbostratus
  Oct 27, 2014
  I found, it's Wildcard_Forwarding_vs which is created for forwarding from 0/0 to 0/0. We need to forward traffic from servers behind F5 to another locations, thats why this server had been created. How we can forward traffic on F5 like on any other router and provide ACL to VPN users ?
- scorpa_121336
  Nimbostratus
  Oct 27, 2014
  Ok, sorry for this silly question :) I disable Wildcard forwarding server on SSL VPN cp tunnel, and ACL in force again. Thank you for your help !
Pratik_125797
Nimbostratus
Jun 10, 2015
I guess once the user is authenticated and is sitting on allow branch the ACLs are not executed on every request. Probably the traffic needs to be controlled by the firewall. I am facing the same issue, please let me know if anybody has a solution.
boneyard
MVP
Jun 14, 2015
i would advise you to start a new question and provide some more info, version, example of your APM, order of your ACLs, ...

it seems the original question was solved due to another virtual server being used, is that not the case with you?