Forum Discussion
Client authentication random failure - 11.6 HF4
Correct, there is no CRL checking occurring. We are doing on-demand cert auth in the APM Visual policy yes.
Regarding the "certificate check", I have enabled SSL debugging and this is what I am seeing (also on the loan device now). I extended the handshake to 30 seconds in the interim.
*********** working example ***********

Session variable 'session.ssl.cert.valid' set to '1'
Session variable 'session.ui.mode' set to '7'
Executed agent '/Common/[apname]_act_ondemand_cert_auth_ag', return value 0
Following rule 'Successful' from item 'On-Demand Cert Auth' to item 'Assign Logon Variable for Logs'
Username 'XXXX'
Username 'xxxx'
Executed agent '/Common/[apname]_act_variable_assign_ag', return value 0
Following rule 'fallback' from item 'Assign Logon Variable for Logs' to item 'Full VPN Access'
Connectivity resource '/Common/[networkaccess]' assigned

*********** non working example ***********

Session variable 'session.clientcert.ssl_rehandshake_pending' set to '2'
Session variable 'session.server.landinguri' set to '/'
Session variable 'session.ssl.cert.exist' set to '0'
Session variable 'session.ssl.cert.valid' set to '1'
Session variable 'session.ui.mode' set to '7'
Executed agent '/Common/[apname]_act_ondemand_cert_auth_ag', return value 0
Following rule 'fallback' from item 'On-Demand Cert Auth' to item 'Logon Page'
In the visual policy configuration, effectively the following happens:
The On-Demand Cert Auth check is performed; this check is as follows:
Auth Mode is set to "Request" <-- so this seems to conflict with the AP profile setting. The branch rule has an expression: expr { [mcget {session.ssl.cert.valid}] == "0" }. If successful, it moves to the Assign Logon Variable for Logs item... and provides access to the VPN connection.
If not successful, it moves to the fallback path where the Logon page is presented.
The logs above seem to indicate that while the same validation is being done, the end result is different.
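One way to narrow down a discrepancy like the one described in this post is to parse both APM session logs, evaluate the branch-rule expression the policy is quoted as using against the session variables each session actually set, and list the variables that differ between the working and the non-working session. The script below does exactly that; it is an added example and not part of the original post or of F5's tooling. The two log excerpts are copied from the post above (split one event per line) and embedded as constructed input; the regular expressions, function names and the assumption that an unset variable compares as an empty string (as mcget returns) are mine.

```python
import re
from typing import Dict, List, Tuple

# Constructed input: the two APM session log excerpts quoted in the post,
# one logged event per line.
WORKING_LOG = """\
Session variable 'session.ssl.cert.valid' set to '1'
Session variable 'session.ui.mode' set to '7'
Executed agent '/Common/[apname]_act_ondemand_cert_auth_ag', return value 0
Following rule 'Successful' from item 'On-Demand Cert Auth' to item 'Assign Logon Variable for Logs'
"""

NON_WORKING_LOG = """\
Session variable 'session.clientcert.ssl_rehandshake_pending' set to '2'
Session variable 'session.server.landinguri' set to '/'
Session variable 'session.ssl.cert.exist' set to '0'
Session variable 'session.ssl.cert.valid' set to '1'
Session variable 'session.ui.mode' set to '7'
Executed agent '/Common/[apname]_act_ondemand_cert_auth_ag', return value 0
Following rule 'fallback' from item 'On-Demand Cert Auth' to item 'Logon Page'
"""

# Patterns for the two event kinds we care about (assumed format, taken from the excerpts).
VAR_RE = re.compile(r"Session variable '([^']+)' set to '([^']*)'")
RULE_RE = re.compile(r"Following rule '([^']+)' from item '([^']+)' to item '([^']+)'")


def parse_session(log: str) -> Tuple[Dict[str, str], List[Tuple[str, str, str]]]:
    """Return (session variables, branch transitions) from one APM session log.

    Variables keep the last value set; transitions are (rule, from_item, to_item)
    in the order they were logged.
    """
    variables: Dict[str, str] = {}
    transitions: List[Tuple[str, str, str]] = []
    for line in log.splitlines():
        m = VAR_RE.search(line)
        if m:
            variables[m.group(1)] = m.group(2)
            continue
        m = RULE_RE.search(line)
        if m:
            transitions.append((m.group(1), m.group(2), m.group(3)))
    return variables, transitions


def branch_for(variables: Dict[str, str],
               rule_var: str = "session.ssl.cert.valid",
               expected: str = "0") -> str:
    """Evaluate the branch rule quoted in the post,
    expr { [mcget {session.ssl.cert.valid}] == "0" },
    against a session's variables. Like mcget, an unset variable reads as ''.
    Returns the branch name the rule would select: 'Successful' or 'fallback'."""
    return "Successful" if variables.get(rule_var, "") == expected else "fallback"


def diff_variables(a: Dict[str, str], b: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Variables whose value differs between two sessions, or that only one session set.
    Missing values are reported as None."""
    keys = sorted(set(a) | set(b))
    return {k: (a.get(k), b.get(k)) for k in keys if a.get(k) != b.get(k)}


def analyse(working_log: str, failing_log: str) -> dict:
    """Compare the branch the quoted rule predicts with the branch APM actually logged
    for the On-Demand Cert Auth item, and list the variables that differ."""
    w_vars, w_trans = parse_session(working_log)
    f_vars, f_trans = parse_session(failing_log)
    # The first 'Following rule' line in each excerpt leaves the On-Demand Cert Auth item.
    observed = (w_trans[0][0], f_trans[0][0])
    predicted = (branch_for(w_vars), branch_for(f_vars))
    return {
        "observed": observed,
        "predicted": predicted,
        "differing_vars": diff_variables(w_vars, f_vars),
    }


if __name__ == "__main__":
    result = analyse(WORKING_LOG, NON_WORKING_LOG)
    print("observed branches  (working, failing):", result["observed"])
    print("predicted branches (working, failing):", result["predicted"])
    print("variables that differ between the sessions:")
    for name, (w, f) in result["differing_vars"].items():
        print(f"  {name}: working={w!r} failing={f!r}")
```

Because session.ssl.cert.valid is '1' in both excerpts, the quoted expression evaluates the same way for both sessions, so whatever sends one session down 'Successful' and the other down 'fallback' is not visible in that variable alone. The variables the script reports as differing (session.clientcert.ssl_rehandshake_pending, session.ssl.cert.exist and session.server.landinguri, all set only in the failing session) are the ones worth correlating with the SSL debug output for the failing handshake.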