Symptoms
Setting the On Demand Cert Auth Mode option to 'Require' in a per-request policy causes the browser to spin (the page never loads) when the client does not present a client certificate.
Impact
The browser receives no response for one or more minutes, until the BIG-IP system sends a TCP RST.
The tmm log shows messages similar to the following:
[C] 172.31.68.130:582 -> 172.31.73.74:443:ERR_NOT_FOUND: access2 token not found; subsession might be inactive
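The following is an added triage example, not part of the F5 article: it parses tmm log lines for the "access2 token not found" message shown above and summarizes, per virtual server, how many hits occurred and which client addresses produced them. The regular expression is derived only from the single line quoted in the article, and the sample log is constructed for the example (the fourth and fifth lines are deliberately non-matching).

```python
import re
from collections import defaultdict

# Pattern for the tmm message quoted in the article:
#   [C] <client ip>:<port> -> <virtual ip>:<port>:ERR_NOT_FOUND: access2 token not found; ...
# search() is used so that any syslog prefix before "[C]" is tolerated.
TOKEN_NOT_FOUND_RE = re.compile(
    r"\[C\]\s+"
    r"(?P<client_ip>[\d.]+):(?P<client_port>\d+)\s+->\s+"
    r"(?P<vs_ip>[\d.]+):(?P<vs_port>\d+):"
    r"(?P<code>ERR_[A-Z_]+):\s*(?P<msg>access2 token not found.*)$"
)


def parse_line(line):
    """Return a dict of fields for a matching tmm line, or None if it does not match."""
    m = TOKEN_NOT_FOUND_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["client_port"] = int(rec["client_port"])
    rec["vs_port"] = int(rec["vs_port"])
    return rec


def summarize(lines):
    """Group matching lines by virtual server; count hits and collect distinct client IPs."""
    per_vs = defaultdict(lambda: {"hits": 0, "clients": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = f"{rec['vs_ip']}:{rec['vs_port']}"
        per_vs[key]["hits"] += 1
        per_vs[key]["clients"].add(rec["client_ip"])
    # Sorted lists instead of sets so the result is deterministic and printable.
    return {
        vs: {"hits": v["hits"], "clients": sorted(v["clients"])}
        for vs, v in per_vs.items()
    }


# Constructed sample log (not captured from a real system). Only the first three
# lines carry the message the article describes; the last two are noise.
SAMPLE_LOG = """\
[C] 172.31.68.130:582 -> 172.31.73.74:443:ERR_NOT_FOUND: access2 token not found; subsession might be inactive
[C] 172.31.68.130:583 -> 172.31.73.74:443:ERR_NOT_FOUND: access2 token not found; subsession might be inactive
[C] 172.31.68.131:1044 -> 172.31.73.74:443:ERR_NOT_FOUND: access2 token not found; subsession might be inactive
[C] 172.31.68.132:2010 -> 172.31.73.75:443:ERR_OK: access2 token found
notice tmm[12345]: 01010028:5: No members available for pool /Common/web_pool
"""

if __name__ == "__main__":
    for vs, info in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{vs}: {info['hits']} hit(s) from {len(info['clients'])} client(s): "
              f"{', '.join(info['clients'])}")
```

Run it against `/var/log/tmm` (or a support bundle copy) with `summarize(open(path).read().splitlines())` to see which virtual servers, and therefore which per-request policies, are affected and how many distinct clients are hitting the delay.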
Conditions
-- In a per-request policy, set the On Demand Cert Auth Mode to Require.
-- An LTM client SSL profile configured similar to the following (peer-cert-mode ignore, so the initial TLS handshake does not request a client certificate):
ltm profile client-ssl /Common/test_clientssl_ignore {
ca-file /Common/BACKEND_ROOT
client-cert-ca /Common/BACKEND_ROOT
inherit-ca-certkeychain true
inherit-certkeychain true
peer-cert-mode ignore
}
-- Virtual server containing the client SSL profile and Per Request Policy.
-- Navigate to the virtual server using a browser that has no client certificate installed.
-- Press F5 (Refresh) after receiving the RST.
Workaround
The client browser must present a valid client SSL certificate for the BIG-IP system to pass On Demand Cert Auth in a per-request policy and avoid the delayed RST. Set the On Demand Cert Auth Mode to Require only when every client reaching the virtual server is expected to provide a client certificate; if some clients may not have one, the agent's Request mode does not close the connection when no certificate is presented and lets the policy continue on its fallback branch.