Bug ID 532685: PAC file download errors disconnect the tunnel

Last Modified: Oct 06, 2020

Affected Product:
BIG-IP APM (all modules)

Known Affected Versions:
11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.10, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 12.0.0

Fixed In:
12.1.0, 12.0.0 HF1, 11.6.1 HF1, 11.5.4 HF2

Opened: Jul 09, 2015
Severity: 3-Major

Symptoms

Any failure to download the proxy PAC file is treated as a fatal error. If the BIG-IP Edge Client fails to download the PAC file, the VPN connection cannot be established.

Impact

Tunnel disconnects in case of PAC file download errors.

Conditions

-- PAC file configured in the Network Access settings.
-- PAC file cannot be downloaded by Edge Client.

Workaround

Fix infrastructure issues that result in PAC file download failure.
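
To narrow down which infrastructure issue is behind a failed download (the Behavior Change section names 404, DNS and routing trouble), the following added example classifies one direct fetch of the PAC URL. It is not F5 code and not what Edge Client itself runs; the function name and the category labels are assumptions made for this illustration.

```python
import socket
import sys
import urllib.error
import urllib.request

# Fetch directly: the PAC file is what tells a client which proxy to use,
# so proxy settings from the environment are deliberately ignored here.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def classify_pac_download(url, timeout=5.0):
    """Return (category, detail) for one attempt to download a PAC file.

    The category names are labels chosen for this example.
    """
    try:
        with _OPENER.open(url, timeout=timeout) as resp:
            body = resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        # The server was reached and answered with an error status, e.g. 404.
        return ("http_error", str(exc.code))
    except urllib.error.URLError as exc:
        reason = exc.reason
        if isinstance(reason, socket.gaierror):
            # The host name in the PAC URL did not resolve.
            return ("dns_failure", str(reason))
        if isinstance(reason, (socket.timeout, TimeoutError)):
            return ("timeout", str(reason))
        # Refused, unreachable or reset: routing, firewall or a dead listener.
        return ("connect_failure", str(reason))
    except (socket.timeout, TimeoutError) as exc:
        # Connected, but the body did not arrive in time.
        return ("timeout", str(exc))
    except ValueError as exc:
        # Malformed URL or unsupported scheme.
        return ("invalid_url", str(exc))
    # A PAC file defines FindProxyForURL; an HTML page served with 200 does not.
    if "FindProxyForURL" not in body:
        return ("not_a_pac_file", "FindProxyForURL missing")
    return ("ok", f"{len(body)} characters")


if __name__ == "__main__":
    # Usage: python pac_check.py http://example.com/proxy.pac
    for pac_url in sys.argv[1:]:
        print(pac_url, *classify_pac_download(pac_url))
```

Run it from a network position comparable to the client's, because a PAC server that answers from the management network may still be unreachable from where Edge Client connects.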

Fix Information

Previously, PAC file download and merging issues were considered critical, and Edge Client disconnected the tunnel. This behavior is now controlled by a new setting called 'Ignore Client Proxy Autoconfig Script Download Failure' in BIG-IP 12.1.0 and later. For other fixed versions (12.0.0 HF1, 11.6.1 HF1, 11.5.4 HF2), the fix is implemented using the Visual Policy Editor (VPE). This bug's Behavior Change section contains a procedure for using VPE to add a Variable Assign policy item in the access policy.

Behavior Change

The BIG-IP APM SSLVPN Client has the ability to download and merge remote proxy PAC files to facilitate browsing via proxy while preserving the security posture defined in the Network Access settings. Previously, problems in this process were always considered critical errors. These critical errors would cause BIG-IP Edge Client to disconnect the tunnel because the security settings could not be correctly applied.

However, in some deployments it is expected that the PAC files and their security settings are configured but unavailable (404, DNS or routing trouble, etc.). In this situation the desired behavior is for the client to ignore the problem and continue as if the proxy PAC was not configured at all.

In v12.1.0 or later, this behavior is controlled by a new setting called 'Ignore Client Proxy Autoconfig Script Download Failure' on the BIG-IP system. For other fixed versions (12.0.0 HF1, 11.6.1 HF1, 11.5.4 HF2), the fix is implemented using the Visual Policy Editor (VPE) to add a Variable Assign policy item in the access policy. To do so, perform the following procedure:

1. Log in to the Configuration utility.
2. Navigate to Access Policy :: Access Profiles :: Access Profiles List.
3. For the access policy you want to configure, click Edit.
4. In the VPE, at the point in the access policy where you want to insert the Variable Assign agent, click the Add icon (+).
5. Click the Assignment tab.
6. Click Variable Assign and click Add Item.
7. Click Add new entry.
8. Click change next to empty.
9. In the left list, click Configuration Variable.
10. For Type, click Network Access.
11. For Name, click the appropriate network resource.
12. For Property, click client_proxy_settings.
13. In the right list, click Custom Expression.
14. In the Custom Expression box, enter the following syntax:

    {<client_proxy_settings><client_proxy_ignore_auto_config_error>0</client_proxy_ignore_auto_config_error><client_proxy_script>http://example.com/proxy.pac</client_proxy_script><client_proxy>yes</client_proxy></client_proxy_settings>}

    Note: Replace http://example.com/proxy.pac with the actual URL of your server where the PAC file is located.
15. Click Finished.
16. Click Save.
17. Click Apply Access Policy.
18. Click Close.