Forum Discussion

chamindak_11539
Nimbostratus
Jul 25, 2014

iOS edge client not kicking off a VPN for on-demand mode.

Hello all, I'm having trouble getting on-demand VPN to work for iPhones/iPads. I have set up the VPN profile, and when manually connecting to the profile from my iPhone all works fine. Instead of a cert auth on the APM, I am doing a UID check for the mobile device. However, a cert is installed on the mobile device in order to enable the on-demand mode.

However, I cannot get the on-demand portion to work. I have put the relevant domain names into the "Always Connect" configuration in the Edge Client. When I browse the domains in Safari, the VPN profile does not kick in. For domains directly accessible, the browser loads them. For domains on subnets behind the F5, requests time out. The APM log shows nothing happening during the on-demand hostname requests.

Is there some special setting I am missing? Any suggestions are welcome.

Many thanks! Chaminda

9 Replies

  • Alexey_384
    Historic F5 Account

    Starting from iOS 7 the Always Connected mode works as Connect If Needed. So, if the host name can be resolved without VPN, then the VPN won't be established. Even if the host is not available directly, but its name is resolvable, the VPN won't be established. Another reason for the fault is required interaction, an untrusted server certificate for example. You can set a nonexistent domain and try to navigate Safari to it. If the VPN is established, then your domains are resolvable directly and there is nothing to do; it's expected behaviour. If not, then interaction is assumed and you have to figure out the cause of it.


    • chamindak_11539
      Nimbostratus
      Thanks Alexey. As per my understanding, the user puts an "if needed" domain in Safari, which cannot be resolved. But as the domain is included in the "if needed" list on a VPN profile in the F5 Edge Client, the Edge Client should start establishing the VPN process. However, I am not seeing any traffic in the APM log at all. All goes well if I manually enable the VPN. What am I missing?
    • Mike_61719
      Cirrus
      Can you please provide a few sample domains? It would help us provide you with the information needed. Are you noticing any pre-logon checks taking place? Example: if your browser can resolve abc.com, the VPN won't kick in. If your browser cannot resolve abc.com and it's on the list to connect, the VPN will kick in. If your browser cannot resolve abc.com and it's not on the list to connect, the VPN won't kick in. I had some issues before and I think it's a bug with the software; it should always utilize the VPN if it's in the configuration list.
    • kunjan
      Nimbostratus
      It's not a software bug. From iOS 7 onwards Apple doesn't support on-demand VPN; it falls back to 'if Needed'. http://support.apple.com/kb/TS4550

      The new method is to use on-demand rules, but you have to use MDM or edit the profiles.

      https://developer.apple.com/library/ios/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html//apple_ref/doc/uid/TP40010206-CH1-SW27
  • kunjan
    Nimbostratus

    As Alexey suggested, have you verified the cert? Is it trusted?

    You can connect the iPhone to a computer with iPCU and check the console logs for further troubleshooting.

    • chamindak_11539
      Nimbostratus
      Thanks for the comment guys, having to put this on the back burner for a bit. The cert is not trusted (self-signed), but I'm not really looking for a cert match, rather hoping to use a MAC address match to the MDM. When I get a bit more time I will proceed with Kunjan's troubleshooting advice.
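Kunjan's reply points at Apple's OnDemandRules as the replacement for the old Always Connect behaviour. The fragment below is an added illustration, not something any poster in this thread supplied, of what that part of a VPN configuration profile looks like; the hostnames, the internal DNS server address and the certificate UUID are placeholders, and the client-specific keys of a working profile (RemoteAddress, VPNSubType and so on) are assumed to be copied from the profile that already connects manually.

```xml
<!-- Constructed fragment of a com.apple.vpn.managed payload; only the
     on-demand keys are shown. Hostnames, the DNS server and the certificate
     UUID are placeholders. -->
<key>VPN</key>
<dict>
    <key>RemoteAddress</key>
    <string>vpn.example.com</string>                  <!-- placeholder -->
    <key>AuthenticationMethod</key>
    <string>Certificate</string>
    <key>PayloadCertificateUUID</key>
    <string>REPLACE-WITH-CERTIFICATE-PAYLOAD-UUID</string>
    <key>OnDemandEnabled</key>
    <integer>1</integer>
    <key>OnDemandRules</key>
    <array>
        <!-- EvaluateConnection is decided per connection attempt, so only
             requests for the listed Domains are considered. ConnectIfNeeded
             starts the tunnel when a name fails to resolve, or when the
             RequiredDNSServers (the internal resolvers behind the F5) are
             unreachable: a name that resolves on public DNS will not trigger
             the VPN on its own, which is the iOS 7 behaviour Alexey describes. -->
        <dict>
            <key>Action</key>
            <string>EvaluateConnection</string>
            <key>ActionParameters</key>
            <array>
                <dict>
                    <key>Domains</key>
                    <array>
                        <string>intranet.example.com</string>  <!-- placeholder -->
                        <string>apps.example.com</string>      <!-- placeholder -->
                    </array>
                    <key>DomainAction</key>
                    <string>ConnectIfNeeded</string>
                    <key>RequiredDNSServers</key>
                    <array>
                        <string>10.0.0.53</string>             <!-- placeholder: internal DNS -->
                    </array>
                </dict>
            </array>
        </dict>
        <!-- A rule-level DNSDomainMatch key matches the search domains of the
             network the device is on, not the hostname being requested, so it
             does not give per-site triggering; use EvaluateConnection for that. -->
    </array>
</dict>
```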