Forum Discussion

KEL19
Feb 15, 2026

OCSP AUTH AGENT

Hello everyone, I'm facing a situation and I need your input to figure out what's wrong.

I have a VIP where mTLS is configured in the client SSL profile with the issuer's certificate as the CA (we call it CA_1), and it works well.

(For info: the client cert is issued by CA_1, which is itself issued and signed by a higher authority, CA_2.)

 

I wanted to make OCSP checks for client certificates, so I created a simple APM policy as follows:

Client ---> On-Demand Cert agent ---> OCSP Auth agent ---> Allow or Deny

The OCSP responder is configured with the same CA_1 that is configured in the Client Authentication section of the SSL profile, and a responder (ocsp.example.com).

The error I'm facing is: "OCSP Auth agent: Failure status 'Error querying OCSP responder host ocsp.example.com'".

 

To troubleshoot, I did a few tests and we can eliminate the following possibilities:

  • Connectivity and DNS: I can reach the responder on the HTTP port using the FQDN.
  • Blocked traffic: no firewall inspection between the BIG-IP and the responder.
  • The responder not treating the request as it should: openssl ocsp verification works fine and gets me the wanted result from the OCSP responder.
  • The famous "missing Host header": the header is included in the request sent by the BIG-IP to the responder; moreover, I compared this request to the one sent when using openssl ocsp and the one sent when I test from my own computer using openssl, and they are identical when it comes to the OCSP data in the request and response frames.

What's more interesting: when I capture the response sent by the responder after the APM sends the OCSP verification request, I can clearly see that it states the status of the certificate (which is revoked in my case), but the APM logs don't show that. Instead, when debugging, they say that the On-Demand Cert agent is executed (I can see the client cert and the issuer cert CA_1 as well), then it moves successfully to the OCSP Auth agent, and then it directly reports the querying error.

Could you please tell me if you see anything I could do to troubleshoot further? Any ideas?

PS 1: I also tried using CA_2, a bundle of CA_1 and CA_2, and a cert chain of both, but no luck!

PS 2: When I use the CRLDP agent, I can see the status (revoked) in the APM logs.

Thank you in advance!

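One thing worth doing with the captured responder reply is decoding it offline instead of reading it in the packet viewer, so that both the OCSP-level responseStatus and the per-certificate status are confirmed from the actual DER bytes. The following is an added example, not code from the original post or from F5: a stdlib-only Python decoder for a DER OCSP response (the HTTP body the responder returns, Content-Type application/ocsp-response) that reports the responseStatus and each certificate's status, revocation time and reason. It does not verify the responder's signature. It ships with a constructed sample response (made-up serial numbers, hashes, timestamps and an empty placeholder signature) so it runs without network access; pass a captured body file as the first argument to decode a real one.

```python
"""Stdlib-only decoder for a DER-encoded OCSP response (RFC 6960). Added example.

Feed it the HTTP body captured from the responder to see what it actually said.
It decodes the structure only and does NOT check the responder signature.
"""
import sys

RESP_STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
               3: "tryLater", 5: "sigRequired", 6: "unauthorized"}
CRL_REASON = {0: "unspecified", 1: "keyCompromise", 2: "cACompromise",
              3: "affiliationChanged", 4: "superseded", 5: "cessationOfOperation",
              6: "certificateHold", 8: "removeFromCRL", 9: "privilegeWithdrawn",
              10: "aACompromise"}
OID_BASIC = bytes.fromhex("2b0601050507300101")   # id-pkix-ocsp-basic 1.3.6.1.5.5.7.48.1.1
OID_SHA1 = bytes.fromhex("2b0e03021a")            # sha1 (1.3.14.3.2.26), used by the sample builder only


def read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def children(buf, start, end):
    """Yield (tag, value_start, value_end) for each TLV inside a constructed value."""
    pos = start
    while pos < end:
        tag, vs, ve = read_tlv(buf, pos)
        yield tag, vs, ve
        pos = ve


def parse_single_response(buf, s, e):
    """SingleResponse ::= SEQUENCE { certID, certStatus, thisUpdate, nextUpdate OPT, ... }"""
    parts = list(children(buf, s, e))
    cert_id = list(children(buf, parts[0][1], parts[0][2]))          # {hashAlg, nameHash, keyHash, serial}
    serial = int.from_bytes(buf[cert_id[3][1]:cert_id[3][2]], "big", signed=True)
    status_tag, cs, ce = parts[1]
    info = {"serial": serial}
    if status_tag == 0x80:                 # good    [0] IMPLICIT NULL
        info["status"] = "good"
    elif status_tag == 0xA1:               # revoked [1] IMPLICIT RevokedInfo
        info["status"] = "revoked"
        for tag, x, y in children(buf, cs, ce):
            if tag == 0x18:                # revocationTime GeneralizedTime
                info["revocationTime"] = buf[x:y].decode("ascii")
            elif tag == 0xA0:              # revocationReason [0] EXPLICIT CRLReason
                _, rs, _ = read_tlv(buf, x)
                info["reason"] = CRL_REASON.get(buf[rs], str(buf[rs]))
    elif status_tag == 0x82:               # unknown [2] IMPLICIT NULL
        info["status"] = "unknown"
    else:
        raise ValueError("unexpected certStatus tag 0x%02x" % status_tag)
    return info


def parse_ocsp_response(der):
    """Return {'responseStatus': str, 'certs': [one dict per SingleResponse]}."""
    tag, vs, ve = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not an OCSPResponse SEQUENCE")
    kids = list(children(der, vs, ve))
    code = der[kids[0][1]]                 # responseStatus ENUMERATED
    result = {"responseStatus": RESP_STATUS.get(code, "unknown(%d)" % code), "certs": []}
    if code != 0 or len(kids) < 2:
        return result                      # error responses carry no responseBytes at all
    # responseBytes [0] EXPLICIT SEQUENCE { responseType OID, response OCTET STRING }
    _, seq_s, _ = read_tlv(der, kids[1][1])
    _, os_, oe = read_tlv(der, seq_s)
    if der[os_:oe] != OID_BASIC:
        raise ValueError("responseType is not id-pkix-ocsp-basic")
    _, bs, be = read_tlv(der, oe)
    basic = der[bs:be]
    # BasicOCSPResponse ::= SEQUENCE { tbsResponseData, signatureAlgorithm, signature, certs [0] OPT }
    _, bvs, bve = read_tlv(basic, 0)
    _, tvs, tve = next(children(basic, bvs, bve))                   # tbsResponseData
    for tag, s, e in children(basic, tvs, tve):
        if tag == 0x30:                    # responses SEQUENCE OF SingleResponse
            for _, ss, se in children(basic, s, e):
                result["certs"].append(parse_single_response(basic, ss, se))
    return result


def _len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body


def build_sample_response(serial, revoked_at=None, reason=1):
    """Constructed, unsigned sample response for offline testing (not a real responder's output)."""
    alg = tlv(0x30, tlv(0x06, OID_SHA1) + tlv(0x05, b""))
    cert_id = tlv(0x30, alg + tlv(0x04, b"\x11" * 20) + tlv(0x04, b"\x22" * 20) + tlv(0x02, serial))
    if revoked_at is None:
        cert_status = tlv(0x80, b"")
    else:
        cert_status = tlv(0xA1, tlv(0x18, revoked_at) + tlv(0xA0, tlv(0x0A, bytes([reason]))))
    now = b"20260215120000Z"
    single = tlv(0x30, cert_id + cert_status + tlv(0x18, now))
    tbs = tlv(0x30, tlv(0xA2, tlv(0x04, b"\x33" * 20)) + tlv(0x18, now) + tlv(0x30, single))
    basic = tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 9))          # placeholder signature BIT STRING
    resp_bytes = tlv(0xA0, tlv(0x30, tlv(0x06, OID_BASIC) + tlv(0x04, basic)))
    return tlv(0x30, tlv(0x0A, b"\x00") + resp_bytes)


def build_error_response(code):
    """OCSPResponse carrying only a non-successful responseStatus, as responders send on error."""
    return tlv(0x30, tlv(0x0A, bytes([code])))


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else \
        build_sample_response(b"\x10\x01", b"20260210093000Z")
    print(parse_ocsp_response(data))
```

The responseStatus is the field to check first: a responder can answer with HTTP 200 and still return an OCSP-level error such as unauthorized or tryLater, in which case there is no BasicOCSPResponse and no certificate status to read. Seeing responseStatus successful together with a revoked entry confirms that the responder's answer is well-formed, and moves the troubleshooting focus to how the client handles that answer rather than whether it was received.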