
Forum Discussion

Will_Adams_1995
Oct 18, 2015

Client authentication random failure - 11.6 HF4

We have a pair of BIG-IP 6900 appliances that work as an active/passive HA pair. Recently we upgraded the appliances to 11.6 HF4 (we were on 11.3 HF10) and have been having issues with our client certificate authentication. I have 2 APM policies configured that rely on the client certificate for authentication. The fallback in the event of client certificate authentication failing is to prompt for alternative 2-factor authentication (using RSA), which works perfectly.


Since the upgrade, our clients connecting to VPN are failing client certificate authentication and hence are constantly being prompted for the alternate authentication (some users don't have a token, so you can see why this becomes a problem when it fails). The client certificate is valid and the bundle certificate is valid (hence the trusted chain is valid).


When we initially performed the upgrade, we had a couple of machines that exhibited the problem, but after 2 weeks we had a major influx of problems. The VPN configuration was set to "ignore" for the certificate, but that has been changed to "request". Doing this resolved the problem initially, but then it came back about 5-6 hours later. On 11.3 HF10 we used to have a CRL process running every 10 minutes; this process doesn't work correctly on 11.6 (the script would run, but not the cron job that runs it every 10 minutes). I tried updating the CRL, but that didn't seem to help.


Moving all the client connections back to 11.3 HF10 resolves the problem.


I have logged a case with F5, but so far no permanent solution has been found. I wonder whether the forum might have come across this type of problem or knows what the potential cause is.


13 Replies

  • Sorry, but I'm having a hard time following what you're saying. Certificate authentication can fail in a number of ways, so I'm trying to eliminate some of these through my line of questions.


    For example, certificate authentication can fail if:


    1. The SSL handshake fails for any reason
    2. Validation and trust can't be confirmed
    3. There's a bad CRL
    4. You're requesting the client cert in the client SSL profile and in the APM On-Demand agent
    5. The On-Demand agent is failing

    Since you have the APM On-Demand agent set to request, verification and trust shouldn't be an issue. If you have no CRL applied, then revocation shouldn't be an issue. If some clients work on the broken platform but not others, then it's probably not an SSL handshake issue. Again, it's important to focus on the BROKEN platform, not the loaner. And I'm not sure what certificate expiration has to do with this. If no clients work on the broken platform, then it could be something wrong with the access policy or even the SSL handshake. If the fallback branch message box shows the certificate subject, then you're probably looking at something wrong with the On-Demand agent.


    Can you provide a screenshot of your visual policy?


  • We seem to have found the issue as being something related to a chained bundle in our VPN configuration not being valid (the issuer had failed). However, there are also signs that 11.6 HF4, on seeing multiple certificates for the same user, does not send information back on request from the F5. For now the problem is solved by (1) updating the bundle and (2) removing all old (still valid) certificates and generating new ones.


    Thanks for the help thus far.
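The failure mode the thread settled on, a client certificate that is itself valid while the issuing CA in the trusted bundle has lapsed, is easy to miss because the client-side checks all pass. The Go program below is an added example, not code from the thread or from BIG-IP: it builds a synthetic CA and client certificate (all names, dates and keys are constructed) and shows that chain validation fails once the issuer expires, while separately listing which bundle CAs are expired, which is the diagnostic the poster was missing.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func sign(tmpl, parent *x509.Certificate, pub, key any) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER we just produced, so it parses
	return c
}

// CheckClientCert mirrors the check this thread turned on: the client cert must chain to a bundle CA that is
// itself still valid at now. It returns the names of any expired bundle CAs (the missing diagnostic) and the chain error.
func CheckClientCert(client *x509.Certificate, bundle []*x509.Certificate, now time.Time) (expired []string, err error) {
	roots := x509.NewCertPool()
	for _, ca := range bundle {
		if now.After(ca.NotAfter) {
			expired = append(expired, ca.Subject.CommonName)
		}
		roots.AddCert(ca)
	}
	_, err = client.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return expired, err
}

// BuildScenario builds a synthetic (not captured) CA expiring at caEnd and a client cert it issued that outlives it by a year.
func BuildScenario(caEnd time.Time) (*x509.Certificate, []*x509.Certificate) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	cliPub, _, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Issuing CA"},
		NotBefore: caEnd.AddDate(-5, 0, 0), NotAfter: caEnd, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca := sign(caTmpl, caTmpl, caPub, caKey) // parent == tmpl: self-signed
	return sign(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "vpn-user"}, NotBefore: caEnd.AddDate(-1, 0, 0),
		NotAfter: caEnd.AddDate(1, 0, 0), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, ca, cliPub, caKey), []*x509.Certificate{ca}
}

func main() {
	client, bundle := BuildScenario(time.Date(2015, 10, 1, 0, 0, 0, 0, time.UTC))
	fmt.Println(CheckClientCert(client, bundle, time.Date(2015, 10, 18, 0, 0, 0, 0, time.UTC))) // issuer lapsed, client still valid
}
```

Run against a real bundle, the expired-CA list is what to check first when valid client certificates start hitting the fallback branch.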