Last Modified: Jul 12, 2023
Affected Product(s):
APM-Clients APM
Known Affected Versions:
15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4
Opened: Oct 04, 2018 Severity: 3-Major
In always connected mode, VPN is not established if the Edge Client version 7.1.5 or earlier auto-updates to version 7.1.6 or later. This occurs because the Edge Client version 7.1.6 and above are signed with a new certificate, but the Stonewall service does not get updated with the auto-update and remains signed with an old certificate.
- After auto-update of components from 715x (or below) to 716x (or above), VPN cannot be established.
- Always connected mode - apmclients715x or earlier installed on Windows. - apmclients 716x or later installed on BIG-IP to trigger auto-upate of client components - New certificate is not trusted in the F5FirepassRoot store.
Workaround 1: Uninstall the previous version of Edge Client (7.1.5 or earlier) , and then install the Edge Client version 7.1.6 or later instead of an auto-update. Workaround 2: Import the new certificate into the F5FirepassRoot store of the local computer. 1. Extract the new certificate by downloading and installing Edge Client version 7.1.6 or later. 2. Browse to the folder where the client components are installed. 3. Right-click on any of the components (for example f5instd.exe) and select Properties -> Digital Signature. 4. Select the certificate and click Details -> View Certificate -> Details tab -> Copy to File to save the certificate. 5. Click Start -> Run. In the Open field, type mmc. 6. Click File -> Add/Remove Snap-in. 7. In the Add or Remove Snap-ins dialog box , double click Certificates. 8. Click Computer account -> Next -> Local computer -> Finish. 9. Expand Certificates (Local Computer) and right-click on F5FirePassRoot. Click Import. 10. In the Certificate Import Wizard , browse for the certificate saved in step 4 and click Next. 11. Select Place all certificates in the following store: F5FirePassRoot and click Next, then click Finish.
None