Release Notes : F5 Access for Android 3.0.9

Applies To:

Show Versions Show Versions


  • 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0, 12.1.6, 12.1.5, 12.1.4, 12.1.3, 11.6.4
Release Notes
Software Release Date: 07/01/2022
Updated Date: 08/30/2023


F5 Access version 3.0.9 for Android devices is now available. Users should install this new version from the app store. This release note contains information about the changes made for the current version only. Refer to the prior release note versions for additional information.


User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to the following page:

Features and enhancements

APM VPN proxy support on Android

With this release, proxy support is added for F5 Access Android client to make sure that traffic flows through the back-end proxy server. Administrator can configure the proxy settings on the BIG-IP. The configured proxy settings are shared with the client through the existing secured channel (URL) and applied the settings to the VPN framework. When the VPN connection is established, the traffic flows through the tunnel to the proxy server enhances the security while providing access only to the authorized websites.

If the existing Network Access proxy configuration is applied to all platforms, when users upgrade to F5 Access Android 3.0.9 version, they may see the traffic from Android clients routing through the proxy without any changes to the existing APM configuration. If you would like to apply the proxy configuration only for Android clients then create a separate Network Access configuration with the required proxy configuration as specified above and attach it to the access policy that applies to only Android clients.

F5 Access application is limited by what the Google VPN framework supports. Supported proxy related settings are either HTTP or HTTPS proxies using the pac file. When the proxy is applied through the VPN, it has been noticed that proxy.pac is applied system wide. Modify the pac file in case the proxy needs to be specific to spilt tunnel scope.

For more information, refer to the K08508310 article.

Note: Few applications may ignore the configured proxy settings. In such cases, contact the support team of the respective application for assistance.

Fixed issues


The following issue is fixed in this release:

ID Number Description
1090529 Applied the latest applicable OpenSSL patches to address CVEs.


Known issues


The following are known issues in this release:

Known issues in F5 Access


ID Number Description
451826 When F5 Access uses split tunneling for traffic, after establishing a VPN connection, all DNS queries are sent to the VPN-configured enterprise DNS server.
504685 F5 Access does not change to the Reconnecting state if the GTM server is down. Load balancing with GTM does not work.
624395 The web logon screen might disappear when you send F5 Access to the background after entering an RSA SecurID software token PIN.

Downloading a client certificate or token from an HTTP URL on Android 9 fails. This is because of the improved security imposed by Android.

Workaround: Use the HTTPS URL with a trusted CA to download the client certificate or token.


VPN connection fails to establish with FIPS mode enabled on certain devices.

Workaround: Disable the FIPS mode before establishing a VPN connection.

893345 F5 Access running on Android 10 does not send the device's IMEI number to the APM. If MDM is configured to have a dependency on the IMEI number, it would fail.

Workaround: Use MDM assigned unique device ID for identifying devices.

893349 F5 Access running on Android 10 sends incorrect wifi MAC address to the APM. Therefore, if MDM uses this address to query device compliance status from Intune, the query fails.

Workaround: Use MDM assigned unique device ID for identifying devices.

Known Issues in Third-Party Software


ID Number Description
574604 VPN connections repeatedly fail with the Thursby smart-card reader if you do not enter the smart card unlock PIN before the 30-second timeout has expired. This is caused by a known issue in Thursby SubRosa app.

Workaround: Force stop the SubRosa app, or reboot the device.

597826 F5 Access fails to read smart cards using Thursby smart card reader when running within Android for Work profile.
617631 When Always-On VPN Mode is enabled, a VPN connection is established, and a Network Access resource is configured to use split tunneling, resources from the split tunneling space can be successfully accessed using the managed application, but the managed application cannot access all resources outside of the split tunneling space.
620294 In Android 7.0 RC4, ciphers and SSLv3 are disabled for security reasons. AES ciphers must be enabled in the RSA Authentication Manager configuration for Dynamic Seed Provisioning (CT-KIP) to work on Android 7.0. For more details, see

Workaround: Follow the steps in the linked article to enable non-RC4 cipher suites.

634069 In most cases, when an Always-On VPN is disabled by the DPM (Device Policy Manager), the F5 Access VPN revokes if it is currently connected. In some corner cases, if F5 Access is not connected when, for example, the DPM enables Always-On VPN, but the connection doesn't start because of a misconfiguration, and the DPM then disables Always-On VPN, F5 Access won't be notified, and may continue to attempt to reconnect until the device is rebooted.
616957 If Always-On VPN mode is enabled for F5 Access by an MDM, and a force stop is done, F5 Access goes into the Disconnected state, and the user loses internet access through managed apps. F5 Access does not reestablish the VPN connection automatically.

Workaround: Restart the device to reestablish Always-On VPN mode. Another workaround is to disallow force stops in the MDM configuration, using DISALLOW_APPS_CONTROL.

617362 On some devices with Android 4.x, F5 Access Home screen icons might not get updated, and continue to show the older Edge Client icon. This is caused by Android issue 42921:
619106 On certain Android devices, F5 Access displays two icons in the notification area when connected to VPN. This behavior is by design.
629242 The RSA SecurID software token PIN setup might timeout if you do not provide a new PIN within the RSA SecurID token interval.
744854 Samsung devices provide a way to disconnect Always-On VPN through notification. As a result, when you terminate always-on VPN, the system revokes VPN permission for F5 Access. This prevents F5 Access from establishing a VPN connection.

Workaround: Uninstall and reinstall the F5 Access.

748960 There is no API to get the Chrome OS version when F5 Access for Android is running on Chrome OS. This being a Chrome issue is currently reported to Google and tracked through 881005.
748962 Always-On VPN can be turned off from the Chrome OS network settings. This action should not be allowed as it defeats the purpose of Always-On VPN. This issue is currently reported to Google and tracked through 881107.

Workaround: Do not turn off Always-On VPN in the Chrome OS network settings.

748963 When adding a new VPN configuration through the Chrome OS settings, the F5 Access home screen is launched instead of the Add Configuration screen.

Workaround: Navigate to the Add Configuration screen and add a new configuration. This issue is currently reported to Google and tracked through 881123.

748964 For F5 Access for Android on Chrome OS, the per-app VPN's feature to allow/disallow apps to bypass VPN connection is reserved. As a result, the disallowed apps pass through the VPN tunnel and allowed apps are blocked through the VPN tunnel. This issue is currently reported to Google and tracked through 883529.

Contacting F5

North America 1-888-882-7535 or (206) 272-6500
Outside North America, Universal Toll-Free +800 11 ASK 4 F5 or (800 11275 435)
Additional phone numbers Regional Offices

How to Contact F5 Support or the Anti-Fraud SOC

You can contact a Network Support Center as follows:

You can manage service requests and other web-based support online at F5 My Support (registration required). To register email with your F5 hardware serial numbers and contact information.

You can contact the Anti-Fraud SOC as follows:

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Support :: Self-solve Options

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

AskF5 Knowledge Base

The storehouse for thousands of knowledgebase articles that help you manage your F5 products more effectively. Whether you want to browse periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

BIG-IP iHealth Diagnostics and BIG-IP iHealth Viewer

BIG-IP iHealth Diagnostics identifies issues, including common configuration problems and known software issues. It also provides solutions and links to more information. With BIG-IP iHealth Viewer, you can see the status of your system at-a-glance, drill down for details, and view your network configuration.

F5 DevCentral

Collaborate and share innovations including code samples, new techniques, and other tips, with more than 300,000 F5 users worldwide. DevCentral is the place to ask questions, find solutions, learn to harness the power of F5’s powerful scripting language, iRules, and much more.

Communications Preference Center

Here, you can subscribe to a number of communications from F5. For information about the types of notifications F5 provides, see K9970: Subscribing to email notifications regarding F5 products.