Big-IP Edge Client / Windows 10 1809 - No internet connection with connected VPN

Hi everybody

I've updated my computer to Windows 10 Build 1809: [screenshot]

After a successful connection with Big-IP Edge Client VPN the internet connection is broken. Ping to Google DNS servers with connected VPN: [screenshot]

We have configured Network Access with "split tunneling". The very same VPN worked perfectly with the previous build of Windows 10 (1803).

Version of VPN client: 7160,2018,417,2013 [screenshot]

Has anyone run into the same problem?

Thank you, John

0
Comments on this Question
Comment made 2 months ago by jone14 14

I just tested with the latest version of the Big IP Edge client (7171.2018.808.2011). Same behavior, it doesn't work either.

0

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Yes, SSL F5 VPN doesn't work on a Windows 10 1809 machine. Logged a call with F5 support and they advised the below: 'At the moment the reported issue is escalated to our Product Development team. New software defect ID745498 with a title "[Windows RS5]OS doesn't using default route 0.0.0.0/0.0.0.0 if config with split tunnel" was created to track that issue.'

Tested on one of the Windows 1809 machines and it seems to be working.

        route -p add 0.0.0.0 mask 128.0.0.0 <default gateway>
        route -p add 128.0.0.0 mask 128.0.0.0 <default gateway>

This is not the fix, but the workaround while the issue is being analyzed by F5 product developers.

0
Comments on this Answer
Comment made 2 months ago by jone14 14

Thank you for the useful information! I hope we will get a fix soon.

0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

NasimMalik, did you say you have found a workaround for this? Your comment suggests as much, but there is no info on what you did.

1
Comments on this Answer
Comment made 2 months ago by Toby Garcia

Looks like a known issue article has been published. Per the article, the workaround is to force all traffic through the tunnel (i.e. disable split tunnel).

https://support.f5.com/csp/article/K18448121

0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Below are workaround instructions that worked for me as an end user. This is not intended as a central workaround for a multi-user deployment.

  1. Start cmd as administrator. One way to do this is

       win+r
       cmd
       ctrl+shift+enter
    
  2. Find the Gateway IP address for your Internet connection using the route print command in the administrator command prompt. You'll find it in the first entry in the IPv4 Route Table where Network Destination is 0.0.0.0 and the Netmask is 0.0.0.0. You will use the Gateway IP address in the next step. The following step assumes that the Gateway IP address is 192.168.1.1

        route print
    
  3. Enter the following commands to route Internet traffic through your Internet connection's gateway. Use your gateway's IP address for the last address in the following commands. The first two commands make certain that the appropriate entries exist and may generate a benign error message.

        route add 0.0.0.0 mask 128.0.0.0 192.168.1.1
        route add 128.0.0.0 mask 128.0.0.0 192.168.1.1
        route change 0.0.0.0 mask 128.0.0.0 192.168.1.1
        route change 128.0.0.0 mask 128.0.0.0 192.168.1.1
        rem  hit enter to make certain that the prior command is executed
    
1
Comments on this Answer
Comment made 2 months ago by NasimMalik 68

Hi Chris,

Great, but could we apply this workaround at large scale (I mean an organisation that has more than 100 sites, where each site has its own default gateway)?

Secondly, if just BECAUSE OF THIS FEATURE UPDATE we force all traffic into the tunnel (Internet and corporate), then 1. we are not using the F5 split tunnel feature, and 2. before enabling it, do we need to know which F5 model is able to handle all the traffic?

0
Comment made 2 months ago by Chris T 21

This workaround is for an end client and is not for a multi-user deployment. I just needed it to work for me. I'm not an administrator and not able to recommend a workaround for a multi-user environment.

0
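
Why the two half routes in the workaround above restore Internet access while corporate traffic stays in the tunnel, shown as an added example (not code from the thread or from F5): a longest-prefix-match lookup over a constructed route table. The 10.0.0.0/8 VPN route, the interface addresses and the `ignore_default` flag are assumptions made for the illustration.

```python
import ipaddress

# Constructed "route print" IPv4 rows: destination, netmask, gateway, interface, metric.
# 192.168.1.1 is the gateway assumed in the answer; the 10.0.0.0/8 VPN route
# and every interface address are assumptions made for this illustration.
SAMPLE_ROUTES = """\
0.0.0.0        0.0.0.0          192.168.1.1   192.168.1.50   25
10.0.0.0       255.0.0.0        On-link       10.20.0.7       1
192.168.1.0    255.255.255.0    On-link       192.168.1.50  281
"""

def parse_routes(text):
    """Turn route-table rows into dicts keyed by an ip_network."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        dest, mask, gateway, iface, metric = parts
        prefix = bin(int(ipaddress.IPv4Address(mask))).count("1")
        routes.append({"net": ipaddress.ip_network(f"{dest}/{prefix}"),
                       "gateway": gateway, "iface": iface, "metric": int(metric)})
    return routes

def lookup(routes, dst, ignore_default=False):
    """Longest-prefix match, lowest metric breaks ties. ignore_default is a
    simplified model of the defect title quoted in the thread (0.0.0.0/0 unused)."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r["net"]
            and not (ignore_default and r["net"].prefixlen == 0)]
    return max(hits, key=lambda r: (r["net"].prefixlen, -r["metric"])) if hits else None

def add_half_routes(routes):
    """Mirror the workaround: reuse the /0 gateway for 0.0.0.0/1 and 128.0.0.0/1."""
    default = next(r for r in routes if r["net"].prefixlen == 0)
    halves = [dict(default, net=ipaddress.ip_network(n))
              for n in ("0.0.0.0/1", "128.0.0.0/1")]
    return routes + halves

if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTES)
    print("before:", lookup(table, "8.8.8.8", ignore_default=True))
    fixed = add_half_routes(table)
    for dst in ("8.8.8.8", "203.0.113.9", "10.1.2.3"):
        hit = lookup(fixed, dst, ignore_default=True)
        print(dst, "->", hit["net"], "via", hit["gateway"], "on", hit["iface"])
```

Because the /8 VPN route is longer than either /1 route, destinations inside the tunnelled prefix keep using the VPN interface; only traffic that previously depended on 0.0.0.0/0 moves to the half routes.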
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Update: F5 VPN with split tunneling is working again with Windows 10 Insider Preview 18272.1000.

I think there is a good chance that Microsoft will include this fix in the next official cumulative update.

1
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

I encountered a similar issue today after receiving the 1809 update yesterday. I have no Internet access when the VPN is connected. I haven't found a workaround.

Any workaround is appreciated.

0
Comments on this Answer
Comment made 2 months ago by Chris T 21

There's a Knowledge Center article describing this issue and a workaround. As an end user I don't have the configuration utility that is mentioned.

https://support.f5.com/csp/article/K18448121

0
Comment made 2 months ago by Toby Garcia

If you're an administrator on the device, you may be able to add a static route to force traffic through the tunnel. But that won't work if the access policy is set up to drop the connection if the routing table changes.

In that case, your APM admin must update the policy with the workaround.

0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi Chris, please see below the latest update from F5 support.

Hello Nasim.

Thank you for an update. Yes, the workaround should work.

I don't have much info right now about the bug details and when the permanent fix is ready. Currently, I'd recommend not moving other machines which normally use SSL VPN to release 1809 until the fix is ready. For those machines which have been already moved to 1809, you can use the mentioned workaround.

1803 (RS4) version shouldn't be affected by the mentioned bug but you can double-check.

Windows 10 version history https://en.wikipedia.org/wiki/Windows_10_version_history

I propose the following -> you will fully test the workaround and update me; from my end I will monitor the bug related updates (it is being handled with high priority by our product developers) and when I have something I will let you know.

I haven't tested it on Windows version 1803, and it looks to me like a temporary fix that is hard to implement on a large scale.

0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi,

Sorry to mention the whole process of this temporary workaround.

Here you go.

On each affected PC split the default gateway for two routes:

Step 1: delete 0.0.0.0/0.

Step 2: add 0.0.0.0/1 and 128.0.0.0/1. I applied the commands below.

        route -p add 0.0.0.0 mask 128.0.0.0 <IP address of your default gateway>
        route -p add 128.0.0.0 mask 128.0.0.0 <IP address of your default gateway>

I hope this temporary workaround can fix the issue. Thanks.

0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi all, is this something we could cure using a different version of APM [i.e. 13.1.1 or v.14]? I am on version 13.1.0.3.

0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

We have some users on Windows build 1809 who are experiencing issues, as they can't reach the Internet while on the F5 VPN. In our APM policy, routing changes while on the VPN are not allowed and drop the connection. So if we cannot change the routing table on the desktop as a workaround, can Windows 10 be upgraded or downgraded to a newer or older version far from the 1809 build? How easy or difficult is this?

0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Same problem. Cannot be on VPN without losing internet connections due to split tunnel set by my admins. I am not an admin so cannot change the settings to route all traffic as suggested above. Microsoft is not able to help me, and in fact does not admit to knowing about the problem!! Any suggestions as to how to contact F5?

0
Comments on this Answer
Comment made 3 days ago by jone14 14

Hi rapopd,

The problem is known by Microsoft. See https://support.microsoft.com/en-us/help/4464619/windows-10-update-history. This article says that Microsoft is working on a resolution and will provide an update in an upcoming release.

So hopefully it will be fixed in the December cumulative updates (coming next week).

0
Comment made 3 days ago by rapopd 1

At present, the link describes the problem (Nov 14) but the suggested workaround is to force all tunneling to one channel. This is not an option for my organization, so there is no present workaround. And Microsoft support denies knowing about the problem when I called them to find out if there was any progress! So I guess the only solution is to patiently suffer and wait for them to issue a release that miraculously makes the problem go away.

0