Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

Will_Adams_1995's avatar
Will_Adams_1995
Icon for Nimbostratus rankNimbostratus
Oct 18, 2015

Client authentication random failure - 11.6 HF4

We have a pair of BIG IP 6900 appliances that work as an active/passive HA pair. Recently we have upgraded the appliances to 11.6 HF4 (we were on 11.3 HF10) and have been having issues with our clie...
BIG-IP Access Policy Manager (APM)
design
management
security
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Oct 18, 2015

So it appears that the On-Demand Cert Auth agent is failing. Let's try a few things:

  1. After the successful and fallback branches of the On-Demand Cert Auth agent, add some message boxes. After successful:

    "Success: %{session.ssl.cert.subject}"

    After Fallback:

    "Fallback: %{session.ssl.cert.subject}"

    If you see the certificate subject in the fallback branch message, then you know the client sent a cert, and that the SSL handshake succeeded.

  2. You have "Request" set in the access policy On-Demand Cert Auth agent and the in the client SSL profile? If so, don't do that. The client SSL profile should be set to Ignore.