For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Will_Adams_1995's avatar
Will_Adams_1995
Icon for Nimbostratus rankNimbostratus
Oct 18, 2015

Client authentication random failure - 11.6 HF4

We have a pair of BIG IP 6900 appliances that work as an active/passive HA pair. Recently we have upgraded the appliances to 11.6 HF4 (we were on 11.3 HF10) and have been having issues with our clie...
BIG-IP Access Policy Manager (APM)
design
management
security
Will_Adams_1995's avatar
Will_Adams_1995
Icon for Nimbostratus rankNimbostratus
Oct 18, 2015

1 & 4) The CRL check I noted was no longer in the "certificate revocation list" under client authentication of the SSL client profile for the VPN connection. Originally (under 11.3) the client authentication options were set to use the parent profile "clientssl". On consultation with F5 support, we were advised to leave the clientssl profile as is and customise the client authentication for the VPN connection (which has been done). As it stands a loan device we have from F5 has this customisation and no CRL check but doesn't exhibit the problem.

 

2 & 3) Debug logs were sent to F5. I will likely do another debug check on SSL when I get a chance today. The APM logs previously had indicated that on the non-working machine, the certificate check returned a "1" and hence the certificate check process breaks.

 

5) Not sure where this would be configured or how to determine this.