APM Machine Tunnel - Machine Cert Auth Check Failing

It really isn't clear in the documentation, but Machine Certificate Authentication (MCA) isn't compatible with Machine Tunnels. To authenticate client certificates with Machine Tunnels, you would use On-Demand Certificate Authentication (ODCA) instead of MCA. 

ODCA requires that you conifgure a CA on the F5 that can validate the client certificate. This CA would be configured in a ClientSSL profile for the VIP and set as the CA and Advertised CA. The profile would b set to "ignore" client certificate validation. Within the APM policy you define "ODCA" for authentication of the Machine Tunnel client type.

Russell