Bug ID 1016341: APM - Mac Edge Client with client cert auth fails when Mac OS is updated to 11.3 BigSur.

Last Modified: Jun 13, 2022

Bug Tracker

Affected Product:  See more info
APM-Clients Install/Upgrade, TMOS(all modules)

Opened: May 05, 2021
Severity: 3-Major

Symptoms

BIG-IP Mac Edge Client with client certificate authentication will fail to connect to the VPN if Mac OS is updated to Big Sur 11.3 (or upper) version. The client certificate will never be sent by the Edge Client, causing the Access Policy to fail. Following logs can be observed on the Mac client under ~/Library/Logs/F5Networks/edge.log: 2021-04-29,12:30:04:150, 16925,401827,edge, 2, /SessionController.mm, 1043, SessionController, WebFrameLoadDelegate: didFailProvisionalLoadWithError, -1005, The network connection was lost. 2021-04-29,12:30:04:150, 16925,401827,edge, 1, /SessionController.mm, 1050, SessionController, WebFrameLoadDelegate: Unhandled error 2021-04-29,12:30:04:150, 16925,401827,edge, 2, /SessionController.mm, 1079, SessionController, WebResourceLoadDelegate: didFailLoadingWithError, URL, The network connection was lost., -1005, 2021-04-29,12:30:04:151, 16925,401827,edge, 1, /SessionController.mm, 1106, SessionController, Session Controller, unhandled error 2021-04-29,12:30:04:151, 16925,401827,edge, 48, /SessionController.mm, 543, SessionController, Session 42ca42b1 closed

Impact

Users are not able to connect to the VPN using Mac Edge Client.

Conditions

Issue is observed when all these conditions are met: -- BIG-IP Mac Edge Client is used to connect to the VPN. -- APM Access Policy is requesting client certificate authentication using On-Demand Cert Auth agent. -- MacOS is running Big Sur 11.3 or upper.

Workaround

In order to use client certificate authentication with BIG-IP Mac Edge Client, an Identity Preference must have already been created with such information: Name: https://<vpn-fqdn-or-IP>/my.policy Where: https://<vpn-fqdn-or-IP>/my.policy Preferred Certificate: name of the client certificate. (Refer to https://support.apple.com/guide/keychain-access/create-an-identity-preference-kyca6343b6c9/mac.) However, Big Sur update 11.3 is now expecting an Identity Preference containing the name of the application identifier that is going to use the client certificate. So, in order to allow Mac Edge Client to access the client certificate, the existing Identity Preference needs to be modified such as the following: Name: https://<vpn-fqdn-or-IP>/my.policy (com.f5networks.EdgeClient) Where: https://<vpn-fqdn-or-IP>/my.policy (com.f5networks.EdgeClient) (Only the "Where" is required but it's recommended to modify both for consistency and clarity.) Save the changes and try again. The other ways to connect to an F5 Network Access VPN are not impacted and can therefore also be used as a workaround: - connecting to the VPN using F5Access application available from the App Store.

Fix Information

None

Behavior Change