auth_result fired twice?

We've got a case with F5, C799711.

 

 

Looks like it is the clash between idle timeout settings in OCSP profile & (TCP) protocol profile, and OneConnect profile simply makes things worse by extending the latter one.

 

 

1.I’ve changed the OCSP profile idle timeout to 100 secs.

 

2.I’ve also create a new TCP profile “tcp-shorttimeout”, which sets the idle timeout to 60 secs. The one we normally use is “tcp-lan-optimised”, which has default idle timeout value of 300 secs.

 

3.If I use the tcp-shorttimeout as protocol profile, either in client side or server side field or both. The OCSP timeout issue goes away. It is a bit confusing here. I expected that one of the profiles affects OCSP, and the other doesn’t. However, my experiment suggests both have the same impact.

 

4.If I use the normal profile, i.e. “tcp-lan-optimised”, the OCSP error pops up constantly.

 

5.Put OneConnect profile in, the OCSP error shows up constantly, regardless which TCP profile I use. I’ve also noticed that much fewer OCSP calls are made with OneConnect profile in place.

 

 

Definitely the idle timeout triggers another "auth_result" event. If the TCP session dies before, then OCSP session disappears with it. Otherwise, we can observe the symptom quite easily. Thinking about a quick fix. Putting the OCSP profile timeout to infinite will surely fix the issue. However, I can’t tell how much impact it may cause on the system.

 

 

Cheers,