Manual Chapter : APM Client Release Notes 7.2.7.1

APM Client Release Notes 7.2.7.1

BIG-IP Edge Client establishes secure communications to applications and networks. It provides users with full access to IP-based applications, resources, and intranet files as if they were physically working on the office network. This release note contains information about the changes made for the current version only. Refer to the prior release note versions for additional information.

The Edge Client version 7.2.7.1 is now available on MyF5.com (under the APM Clients container). For download instructions, refer to the K000090258: Download F5 products from MyF5 article.

Note: In APM Client 7.2.7.1, a new redesigned Linux VPN client is introduced that replaces the traditional Linux Web VPN Client. For more information, refer to K000162241.

The following table contains APM client 7.2.7.1 versions for different operating systems:

APM Clients version BIG-IP Edge Client Windows version Mac F5 Access version Mac Edge Client version Linux version
apmclients-7271.2026.707.2254-7666.0.iso 7271.2026.707.2254 7271.0.4.0 7271.2026.0707.1 7271.0.0.4

Important:

  • F5 announced the discontinuation of 32-bit Linux support in the APM Edge Client Compatibility matrix. In the next major APM Clients release, F5 will remove 32-bit binaries from client ISO images. For more information, please refer to K000157971: End of technical support for BIG-IP APM network access, VPN Linux 32-bit client OS.
  • Going forward, F5 Access for MacOS will be released along with APM Clients releases and introduces changes to deployment workflow and versioning. For more information on this change, refer to K000152992.

For a comprehensive list of documentation that is relevant to this release, refer to the following pages:

No new features in this release.

The following are the fixes in this release:

ID Number Component Description
750648-1 Windows Edge Client Fixed the issue where an additional icon was displayed on the Windows Network sign-in logon screen.
2301441 Windows Edge Client Fixed the issue where the route metric increases when the client is in the full-tunnel VPN mode and Allow Local Subnet is enabled.
1265481 macOS Edge Client Fixed the issue where the uninstallation log did not include sufficient details for troubleshooting.
1234957 macOS Edge Client Fixed the issue where Edge Client installation was failing due to an issue with the uninstallation script.
2339809 MachineTunnel Service Fixed an issue where the Machine Tunnel service encountered an AV crash while closing an SSL connection when DNS or Socket connection failed.
1578501 macOS Edge Client Fixed the VPN connection issues when the default browser is used, and Endpoint Inspection (EPI) is configured on macOS Edge Client. Note: You must update the iFiles and iRules downloaded from F5 Downloads for the 7.2.7.1 release.
1965529 macOS F5 Access Fixed the issue where endpoint inspections are evaluated multiple times when configured for more than one platform.
2151801 Machine Tunnel Service Fixed the issue where the Machine Tunnel didn’t start after the system resumes from sleep.
2221225 Windows Edge Client Fixed the issue where the syntax of the PAC file was incorrect.
2229973 macOS Edge Client Fixed the Python vulnerability (CVE-2021-3737) in macOS Edge Client by upgrading Python to v3.9.13.
2230585 Windows Edge Client Fixed a crash in Windows Edge Client when proxy is enabled and the device comes out of hibernate mode on slow networks.
2257005 Windows Edge Client Fixed the issue where Windows Edge Client NLA didn’t work, and VPN was not established on remote networks when Machine Tunnel is deployed.
2263861 macOS Edge Client The Edge Client icons have been replaced with F5 logos. For more information, refer to K000162206.
2264329 Windows Web VPN Client The Windows Web VPN Client could process content in a way that did not align with current security best practices. The Windows Web VPN Client has been updated with additional security hardening to improve content handling and align with current best practices.
2284993 Machine Tunnel Service Fixed the issue where Machine Tunnel Service authentication was failing when Client Cert inspection or On-Demand Cert inspection is configured in the access policy. Client certificate inspection logic is now available for the Machine Tunnel Service.
2288553 Windows Edge Client Fixed the issue where auto-upgrade was failing when certificate authentication is configured in the Client SSL profile with TLS 1.3 enabled. Note: Upgrades from 7.2.7.1 to later versions will be successful. However, the auto-upgrades to 7.2.7.1 would still fail.
2294005 Windows Web VPN Fixed the issue of Windows Web VPN connection failure when manual proxy setup is configured.
2294565 Windows Edge Client Fixed the issue where Windows Edge Client incorrectly reported the user agent string. The updated HTTP handling now sends the correct user-agent string as follows: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko EdgeClient/7271.2026.0627.1400
2333245 macOS Edge Client Fixed the issue where browser-based VPN auto-upgrade failed from 7.2.7.0 to later versions. For more information, refer to K000162208.
Note: Upgrades from 7.2.7.1 to later versions will be successful. However, the auto-upgrades to 7.2.7.1 would still fail.
2227417 Windows Edge Client Fixed the issue where IPsec VPN connection details were not displayed on the Windows Edge Client.
2227393 Windows Edge Client IPsec VPN connection now works as expected when multiple certificates from different issuers are installed.

Following are the Known Issues.

ID Number Description
2225353 The Windows Edge Client taskbar icon is not getting updated to the new F5 logo when the application is pinned to the taskbar.
2390025 PQC is not supported for control plane HTTPS traffic in Linux Web VPN client.
2390029 VPN connection fails intermittently in Ubuntu 26.04 when the recurring check is configured.
2380073 In IPsec VPN split tunnel configurations, networks configured in the include list are not displayed in the routing table after a VPN connection is established. The backend networks remain reachable even though the route entries are not populated. Workaround: Reconnect to the VPN to resolve this issue.
2383045-1 IPsec VPN connection fails to establish when multiple certificates with the same CN/SAN but different Issuer ID are installed on Windows.
Workaround:
- Remove certificates that share the same CN/SAN but have different Issuer IDs.
- Use certificates with unique CN/SAN names to avoid conflicts.
2251413 On macOS Edge Client, the UI continues to display the status as “Connecting” even after the VPN connection is successfully established. Workaround: Disconnect and reconnect from Edge Client.
2224925 When the client machine has multiple valid certificates for client certificate inspection, the Windows Edge Client will prompt the user with a dialog box to select a certificate from the list of matching certificates each time a VPN session is initiated.
2162537 Microsoft’s Trident engine (Embedded Browser) does not support PQC MLKEM ciphers. As a result, any HTTPS requests initiated by Trident will not use PQC MLKEM ciphers during the TLS handshake. This affects the following scenarios: Edge Client: When configured to use the embedded browser for user authentication, all HTTPS requests initiated from the Trident engine will not support PQC ciphers. This limitation is limited to authentication (using the embedded browser). To overcome this limitation, system’s Default Web Browser can be configured for user authentication.
Web VPN: Web VPN uses Trident to render the VPN connectivity UI. UI related HTML file requests (/vdesk/resource_all_info.eui, webtop_resource_inner.eui) and subsequent requests such as CSS or JS files and timeoutagent-i.php initiated by the Trident engine will not use PQC ciphers.
Windows Pre-Logon: Similar to Edge Client, when Pre-Logon uses the embedded browser for user authentication, HTTPS requests from this engine will not support PQC ciphers.
Note: These limitations do not affect the Machine Tunnel client. VPN tunnel establishment of all the Windows Clients is unaffected by the Trident limitation.
1079621 When the application is moved to the trash, the respective application F5 EPI or F5 VPN directory is getting deleted from the following path:
/Applications/F5 Endpoint Inspector.app/Contents/Resources/ Whereas, the respective application specific (F5 EPI or F5 VPN) folder is not getting deleted from the following path:
/Users/<username>/Library/Applications Support/F5 EPI The plist file of the respective application is not deleted from the following path: /Users/<username>/Library/Launchagents/
Workaround: If you are running MacOS Version 12.2 or later
1. Upgrade to the latest build and verify the applications are recent: /Applications/F5\ VPN.app /Applications/F5\ Endpoint\ Inspector.app
2. Delete the following LaunchAgents: ~/Library/LaunchAgents/com.f5.f5epihelper.plist ~/Library/LaunchAgents/com.f5.f5epihelper.plist
3. Delete the following python scripts: ~/Library/Application\ Support/F5\ VPN/uninstall.py ~/Library/Application\ Support/F5\ EPI/uninstall.py
4. Reboot the device to remove the Launch agents in memory.
1082821 When trying to establish a VPN connection using a browser, it does not work with TLS 1.3 on all versions of macOS. Workaround: Enable other versions of TLS to allow the browser to fallback to any other versions of TLS protocol.
1082825 When trying to establish a VPN connection using a browser, it does not work with TLS 1.3 on Linux. Workaround: Enable other versions of TLS to allow the browser to fallback to any other versions of TLS protocol.
1084369 Optimized tunnels are not supported on ARM64-based Windows 10 and Windows 11 systems. When Optimized tunnels are used, the tunnel connection fails without user notification. Workaround: In some cases, use a static app tunnel to establish a tunnel connection.
1194381 An intermittent issue is observed when Edge Client on Windows fails to reconnect if the LAN cable is unplugged when the system is asleep.
Workaround 1: Add the Virtual Server FQDN to the stonewall exclusion list on BIG-IP.
Workaround 2: The LAN cable should be unplugged from the Windows system prior to hibernation if the user does not want to continue with LAN connectivity after coming out of hibernation.
Workaround 3: If step 1 is missed or skipped, and faces the Edge Client reconnect issue after coming out of hibernation then the Ethernet cable must be plugged into the Ethernet port on the Windows system. If there is no Ethernet cable, restart the Edge Client application.
1239253 Web F5 VPN will not be launched if certain versions of Ubuntu on ARM64 do not have the /lib/aarch64-linux-gnu/libpcre16.so.3 library installed.
Workaround: Users who want to use web F5 VPN on certain versions of Ubuntu running on ARM64 which do not have /lib/aarch64-linux-gnu/libpcre16.so.3 should install libpcre16-3 using one of the following commands. sudo apt install libpcre16-3 or sudo apt-get install libpcre16-3
1295133 Edge Client users are prompted to install the Endpoint Inspection (EPI) helper applications on macOS 13.3. Workaround: Preinstalling the latest EPI helper application would resolve the issue. For more information on the deployment process, refer to the Install the latest Edge Client on MacOS end devices section of the K000133476 article. For more details on the user experience changes, refer to the K000133622 article.
1324053-1 Users experience a one-time issue on Windows and MacOS as Edge Client configuration settings which were defined in the client.f5c are overwritten with the settings defined in the config.f5c when the auto-upgrade is enabled. This issue would not be seen when users upgrade from APM Clients 7.2.4.3 version to the future versions. Workaround: Administrators can define the desired configuration, especially the APM virtual server list in the config.f5c before the upgrade so that the Edge Client Installer copies the settings to the client.f5c file. Generally, the config.f5c file is available in the following directory path: Windows: C:\ProgramData\F5 Networks\Secure Access Client or C:\Program Files (x86)\F5 VPN MacOS: /Library/Application Support/F5Networks
1581041 The Show IP configuration and Show routing table buttons do not work for the F5 VPN window on the Mac Platform after the QT upgrade of APM clients. You can use the following command line tools to view the network configurations: /sbin/ifconfig /usr/sbin/netstat -rn /usr/sbin/scutil –dns
1615801 If the VPN connection is made from Windows 11 machines with WebVPN or Edge Client with Default Browser Authentication enabled, BIG-IP shows the wrong session.client.platform value.
1628533-1 Windows Logon Credentials feature does not work in Windows 11 24H2. Users cannot connect to Edge Client automatically as the prompt is displayed to specify the credentials.
1678473 Auto-upgrades of Windows Clients (Web EPI, Web VPN, and Edge Client) without Component Installer service fails. Workaround: 1) Re-install the Windows Clients (or) 2) Upgrade to 7248 GA build (apmclients-7248.2024.910.609-6452.0.iso) before upgrading to 725x or later.
1697301 On a Windows 10 machine, unable to establish VPN Connection with EdgeClient, WebVPN, Machine Tunnel, and Custom Dialer using TLS1.3. Workaround: 1. Upgrade Windows 10 to Windows 11 or 2. Establish a VPN connection with TLS1.2