Release Notes : F5 Access for iOS 3.0.8

Applies To:

Show Versions Show Versions


  • 16.1.0, 16.0.1, 16.0.0, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.4, 13.1.3, 13.1.1, 13.1.0, 12.1.4, 12.1.3, 11.6.4
Release Notes
Updated Date: 09/22/2021


In July 2021, Apple posted the release of F5 Access for iOS 3.0.8. Users should download this new version from the app store.


User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to the following page:


Features and enhancements

postlaunch_url parameter support when using "create" and "start" endpoints
F5 Access for iOS now supports using the postlaunch_url parameter when defining a server or stopping a connection. The postlaunch_url parameter can be added to the f5access create and stop command when using the URI scheme. Previously, you could only use the parameter with the start command to launch a specified URL after starting the VPN connection. The new feature would allow F5 Access for iOS to integrate with Mission-Critical Push-to-Talk (MCPTT) applications.


iOS SDK 13 and swift version 5 support
The Apple App store does not support apps build with SDK versions lower than 13. With this release, F5 Access for iOS has been upgraded to the SDK 13 and swift version 5 to support iOS v13, v14, and later. As a result, the app can now be successfully uploaded to the App store.


The following issues have been fixed in this release.

ID number Description

Previously, on iPadOS 13.0 or above, when users imported a certificate from an email attachment using the Mail app, the import failed with the following error message:

Cannot import because the content type is not supported.

This issue has been fixed, and now users can import a .pfx file certificate using share from the mail app.
Note: Certificate files cannot be imported from the Safari browser using the share option with the F5 Access app.

Workaround 1: Send the certificate to a Gmail address.

  1. Generate the certificate in a .pfx format.
  2. Send it as an attachment to a Gmail address.
  3. On the iPad, open the email using the Gmail app, tap, and press the attachment until some options appear.
  4. Choose the share option and share it with the F5 Access App.

    The certificate imports successfully, and you can view it in Settings > Support > Manage Certificates .

Workaround 2: Add the certificate on a web server that F5 Access can access via a URL. Use the F5 Access App to import the certificate using Settings > Support > Manage Certificates > Import Certificate .

Workaround 3: Use MDM to push certificates along with the VPN profiles. Contact your MDM vendor for details.

Workaround 4: Use Apple Configurator available in the App store to create a VPN profile with certificates for distribution.


Previously, F5 Access running on iPhone or iPad devices identified themselves as “iOS” device (session variable session.client.platform is populated with “iOS” string); from this version F5 Access running on iPadOS, identifies itself as “iPad” (session variable session.client.platform will be “iPad”).

If access policy has Client OS checking agent and distinguishes iOS devices, follow the steps below to re-configure the agent:

  1. In the Visual Policy Editor, navigate to the Client OS agent.
  2. In the Branch Rules tab, click change for iOS branch.
  3. In the Advanced tab, replace the existing sting with the new string :

- Existing string: expr {[mcget {session.client.platform}] == "iOS"}

- New string: expr {[mcget {session.client.platform}] == "iOS" || [mcget {session.client.platform}] == "iPad"}

Known issues

The following are known issues in this release.

ID number Description
504919 F5 Access does not resolve the BIG-IP APM hostname each time it reconnects after the connection is broken. This limits the use of load balancing with BIG-IP DNS as it keeps using the same IP address for the connection.
557905 On iOS 9, if a managed app is being updated while per-app VPN is active, the updated app might not make use of the active session until the active session is expired and a new one is created. As a workaround, wait until the current session expires, and restart the updated app.
587775 F5 Access for iOS may frequently sleep/wakeup VPN plugin in the sleep mode of the device and send DNS queries every 10 seconds to a few minutes. This causes the APM session to be alive using additional resources. The issue was reported to Apple and is tracked through 48529129.
612629 In F5 Access for iOS 10, all F5 Access configurations are not displayed in the Notifications pane. When you slide down to see notifications, only the first six configurations are displayed. When you slide left to see notifications, only the first eight configurations are displayed.
612767 On an iOS 10 device with F5 Access and cellular data enabled, if the virtual server for the Network Access connection becomes unavailable, F5 Access shows an error message after the timeout duration is reached and remains Disconnected for 15-20 seconds. On iOS 9, the Disconnected state is reported immediately after the timeout.
641514 F5 Access 2.1.0 and later has an option to use local authentication before using the cached password. When you connect to the VPN from the widget screen (pull-down) while the device is in a locked state, then after local authentication, F5 Access is stuck in "contacting" state and remains Disconnected. This happens because the widget screen moves to the background after local authentication. This issue is currently reported to Apple and tracked through 30499943. As a workaround, pull down the widget screen after local authentication to re-establish the connection.
663599 F5 Access fails to update device information when Per-App VPN connection is executed after an iOS system upgrade. This issue is not seen when a manual VPN is established.
695712 Due to an iOS issue (Apple Radar 36006149), it is currently not possible to switch between configurations widget added to the Today view.
696882 F5 Access does not support user interaction prompts for per-app VPN scenario. Server configuration should not require any user interaction to establish a VPN.
699062 Per-app VPN that requires user interaction works only with a single per-app VPN configuration, and only with clients running iOS 12. We currently do not support user interaction in a per-app VPN scenario with any other per-app VPN configurations. Administrators should configure the BIG-IP so as not to require user interaction to establish VPN for configurations that require more than a single per-app VPN.
700849 When you use an MDM to push a device-wide VPN that includes the SavePasswordEnabled feature, the setting enforceWebLogon does not work after the device is restored from backup.
701247 With the use of Apple Transport Security (ATS) in version 3.x, insecure HTTP does not work for most connections. However, in some cases an HTTP (not HTTPS) IP address still works. This may or may not be removed in the future by Apple.
701636 The Session expired or closed by server message will not appear when the session is killed by an administrator or by a timeout or when the lease pool is out of IP addresses. The tunnel will be silently closed instead.
704309 Before iOS 12, F5 access did not send the client certificate to BIG-IP if the weblogon mode was enabled in the configuration, due to framework limitations. In iOS 12, Apple partially fixed this issue, but the client certificate is attached twice. We are still waiting for Apple to update us.

F5 Access displays an Authentication failed error message and the VPN is not established, in scenarios where user input is required to authenticate, and the user has disabled notifications for F5 Access. As a workaround, enable notifications in Settings > F5 Access to show a credential popup for authentication.

706718 If the per-app VPN configuration does not have SafariDomains specified, it is displayed as Enterprise VPN in F5 Access.
707434 The confirmation message F5 Access would like to Add VPN Configurations that appears when you attempt to save the first VPN configuration, is not localized in iOS 11. Regardless of the selected system language, the message appears in English.
708016 After you perform Network Settings Reset on the iPhone, the following items of an MDM VPN configuration may get corrupted:
  • Web logon
  • Enforce logon mode
  • Password expiration time
  • Web logon auto-populate
  • Save password policy

As a workaround, contact the MDM administrator and re-deploy the MDM configuration.

713854 When APM reaches the concurrent session limit, it does not allow newer APM sessions to be created. In such a scenario, if an F5 Access client that has saved credentials on the client connects to APM, the VPN fails to establish. The credentials are assumed to be invalid and deleted.

As a workaround:

# # A simple rule to send reset when F5 Access sends a request with an errorcode=14 # # # Ref: # when CLIENT_ACCEPTED { ACCESS::restrict_irule_events disable } when HTTP_REQUEST { if { [HTTP::uri] contains "my.logout.php3?errorcode=14" && [HTTP::header value "User-Agent"] contains "F5Access/2.1.1" } { log local0. "DEBUG LOG: [HTTP::uri] => rejecting" # simply reject reject } }

With this iRule enabled, such connections fail with the message "Connection reset by peer".

734750 Certificates imported to F5 Access are not deleted when F5 Access is uninstalled.
743249 When F5 Access Legacy (2.1.x) and F5 Access 3.0.x are running on the same device, if there are configurations created in each VPN client with the same name (for example, MyVPN), after the iOS device restarts, a "2" is appended to the name of whichever configuration was created last (for example, MyVPN and MyVPN2).
743801 On a redirect, the Server URL name in the connection details of F5 Access is displayed incorrectly. However, there is no functional impact on the server connection and establishes the connection accurately.
743918 The VPN connection cannot be established if the PAC file cannot be downloaded without the established VPN.

As a workaround, set the Ignore Client Proxy Autoconfig Script Download Failure setting to enabled, so the client does not attempt to download the PAC file before establishing the connection. The tunnel will be created with PAC specification as provided in the NA resource.

As a workaround for BIG-IP versions 11.6.3 and 11.5.7, where the Ignore Client Proxy Autoconfig Script Download Failure setting is not available in the user interface, add Variable Assign agent with the following entries to your Access Policy:

  • Custom variable:


  • Custom expression:

    return {<client_proxy_settings><client_proxy>yes</client_proxy><client_proxy_script>CLIENT_PROXY_AUTOCONFIG_SCRIPT</client_proxy_script><client_proxy_ignore_auto_config_error>1</client_proxy_ignore_auto_config_error></client_proxy_settings>}

    This will enable the Ignore Client Proxy Autoconfig Script Download Failure setting.

745999 The session is not deleted from the BIG-IP system v11.6.3 when F5 Access disconnects with the Weblogon mode enabled.
748153 Per-App-VPN with internal use of TLD .local domain does not work. This issue is currently reported to Apple and tracked through 45641400.
758831 On iOS 12, F5 Access connects to incorrect port when port forwarding is used with NAT, as F5 Access reads port from the session variables. This results in connectivity issues. As a workaround, add a variable assign object to the policy:

758833 F5 Access has some limitations on cookie storage, which may prevent the logon page from saving state. For example, the "Remember me for 30 days" option, cannot be used with F5 Access as the user is required to enable cookies to remember the device.
772505 When F5 Access for iOS fails to communicate with an External Logon Server, the client-side logs fail to provide debugging hints related to communication between F5 Access and the External Logon Server.
817377 An access profile with multi-domain SSO enabled, results in The network connection was lost error message when the F5 Access client tries to connect after an iOS reboot. Subsequent attempts to connect to the VPN are successful.

As a workaround, do not assign a default pool to the virtual server and instead assign the pool in the access policy using with Pool Assign agent.

829797 On iPadOS, when F5 Access is opened in a split-screen mode in landscape orientation, you may not be able to open connection details by tapping the "i" icon next to the connection status. This happens because F5 Access does not fully support the split-screen mode.

As a workaround, use portrait orientation or a full-screen mode.


On iPadOS, when F5 Access is opened in a split-screen mode in landscape orientation, you may not be able to open the VPN configuration list in the connection screen by tapping the "i" icon.

As a workaround, use portrait orientation or a full-screen mode.

829813 On iPadOS, F5 Access might crash, when you access Settings > Support in a split-screen mode.

As a workaround, use the full-screen mode.

829817 On iPadOS, sometimes F5 Access cannot be launched from the recently closed app bar.

As a workaround, use the Home screen to launch F5 Access.

Contacting F5

North America 1-888-882-7535 or (206) 272-6500
Outside North America, Universal Toll-Free +800 11 ASK 4 F5 or (800 11275 435)
Additional phone numbers Regional Offices

How to Contact F5 Support or the Anti-Fraud SOC

You can contact a Network Support Center as follows:

You can manage service requests and other web-based support online at F5 My Support (registration required). To register email with your F5 hardware serial numbers and contact information.

You can contact the Anti-Fraud SOC as follows:

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Support :: Self-solve Options

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

AskF5 Knowledge Base

The storehouse for thousands of knowledgebase articles that help you manage your F5 products more effectively. Whether you want to browse periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

BIG-IP iHealth Diagnostics and BIG-IP iHealth Viewer

BIG-IP iHealth Diagnostics identifies issues, including common configuration problems and known software issues. It also provides solutions and links to more information. With BIG-IP iHealth Viewer, you can see the status of your system at-a-glance, drill down for details, and view your network configuration.

F5 DevCentral

Collaborate and share innovations including code samples, new techniques, and other tips, with more than 300,000 F5 users worldwide. DevCentral is the place to ask questions, find solutions, learn to harness the power of F5’s powerful scripting language, iRules, and much more.

Communications Preference Center

Here, you can subscribe to a number of communications from F5. For information about the types of notifications F5 provides, see K9970: Subscribing to email notifications regarding F5 products.