Separating APM traffic from LTM traffic

You can set independent default routes to each Route Domain. We chose to use the Route Domain because when we had issues with how the Lease Pool routed back using the self-ip address. After we implemented the Route Domain we were able to route the traffic the way we wanted it to go without over complicating it. So for VPN connections, we have the VS on the main Route Domain (no %), but once the APM policy kicks in, we assign those users with the Route Domain and SNAT selections in the APM objects. It is a selectable item like adding a message box or AD Auth. After adding the item, you will have a drop down to select the Route Domain you want it reference. All the self-ips, and routes that will need to be associated with that Route Domain will need to have the % included. It might be easier to understand if you draw it out, top to bottom, how the VPN user would hit your VS, then process through the APM module and then access onto your network. Draw a line where the Route Domain Selection is made and everything above the line is on the normal route domain, and everything below is in the VPN Route Domain (% required). It took a bit of trial and error but we got it figured out. Good luck.