For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Will_Adams_1995's avatar
Will_Adams_1995
Icon for Nimbostratus rankNimbostratus
Oct 18, 2015

Client authentication random failure - 11.6 HF4

We have a pair of BIG IP 6900 appliances that work as an active/passive HA pair. Recently we have upgraded the appliances to 11.6 HF4 (we were on 11.3 HF10) and have been having issues with our clie...
BIG-IP Access Policy Manager (APM)
design
management
security
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Oct 19, 2015

Sorry, but I'm having a hard time following what you're saying. Certificate authentication can fail in a number of ways, so I'm trying to eliminate some of these through my line of questions.

 

For example, certificate authentication can fail if:

 

  1. The SSL handshake fails for any reason
  2. Validation and trust can't be confirmed
  3. There's a bad CRL
  4. You're requesting the client cert in the client SSL profile and in the APM On-Demand agent
  5. The On-Demand agent is failing

Since you have the APM On-Demand agent set to request, then verification and trust shouldn't be an issue. If you have no CRL applied, then revocation shouldn't be an issue. If some clients work on the broken platform, but not others, then it's probably not an SSL handshake issue. Again, it's important to focus on the BROKEN platform, not the loaner. And I'm not sure what certificate expiration has to do with this. If no clients work on the broken platform, then it could be something wrong with the access policy or even the SSL handshake. If the fallback branch message box shows the certificate subject, then you're probably looking at something wrong with the On-Demand agent.

 

Can you provide a screenshot of your visual policy?