Henrik_S
Aug 26, 2016

APM - IOS 9.3 per-app-VPN - no traffic through tunnel?

Hello,

 

We are trying to configure mobile phones with Airwatch to use per-app-VPN. First of all, everything works great with a manual VPN connection through the edge client, or a global on-demand VPN connection pushed by Airwatch.

 

However, if we modify the VPN profile with per-app-vpn and push an application set with use-VPN and the correct VPN profile, the application will successfully start the VPN on launch, and we see the session as connected with traffic inbound and outbound under "manage sessions", but we cannot see any traffic on the connectivity interface or egress interface on the BIG-IP using tcpdump, and therefore the application will not connect to any services.

 

-BR HS

 

2 Replies

  • We have performed some more troubleshooting. All in all, we have been able to successfully connect a per-app-vpn session, but there is a big lack of documentation on how the SOCKS proxy is implemented and what limitations are in place.

     

    For instance: It seems that we are unable to leverage route domains on per-app-vpn, while on-demand-vpn works? It seems that we are unable to leverage lease pool with proxy ARP on per-app-vpn, while on-demand-vpn works? It seems that if we select AutoMap, then the BIG-IP will use its non-floating SelfIPs as SNAT addresses.

     

  • Just a follow-up. We managed to solve this with the help of our local PSE.

    1: Route domains are supported, though the route domain must have strict isolation disabled.
    2: Lease pool and proxy ARP are not a supported configuration since this does not work with a SOCKS proxy.
    3: The SOCKS proxy will use non-floating SelfIPs if AutoMap is enabled, but you can also use a SNAT pool with member IPs in the corresponding selected route domain.