OCSP outbound LB through F5 VS

Question

I'm trying to solve a problem of ocsp reachability. My primary OCSP service is upstream through network transport outside of my control. We have replicated responders closerto the F5's location. I have a list of servers that have replicated the OCSP functionality. I'd like to use these servers in a pool using priority group activation for node selection: The closest resolver server being preferred, then our backup site, then the FQDN node associated with the ocsp service itself as a last resort. I can hit each responder using a host file edit with associated FQDN in the OCSP Auth config object - so I know the responders are working and reachable. I need to have the query hit an F5 VS for LB to my pool; and this is where things are breaking. I can't seem to get an OCSP query through a standard VS. I'm missing something...Any suggestions?

rico_368208 · Answer

Eric,&nbsp;
It is a bit hard to determine the exact issue just from you statement alone, but here are a few troubleshooting steps I would take.&nbsp;
I'd suggest you run a tcpdump to ensure that the traffic is reaching the virtual server and that it is being sent out to its pool members. 
If you don't see any incoming traffic when you run the OCSP query, you know that there is some issue with network connectivity. 
If you see traffic hitting the virtual server and not being sent to the pool members, then that would seem to suggest that there is a connection issue between the client and the virtual server. If the query seems to pass through the virtual server and out to the pool members without an issue, I'd suggest checking your SNAT settings on the virtual server. Without the SNAT setting set to Automap (or SNAT pool if you have one configured), the response would not be routed properly back through the F5.&nbsp;
If you can provide any more details, such as the results of tcpdump or where the query seems to be dropped, I'd be able to give more accurate and useful advice.&nbsp;
Hope this helps.&nbsp;

rico · Answer

Eric,&nbsp;
It is a bit hard to determine the exact issue just from you statement alone, but here are a few troubleshooting steps I would take.&nbsp;
I'd suggest you run a tcpdump to ensure that the traffic is reaching the virtual server and that it is being sent out to its pool members. 
If you don't see any incoming traffic when you run the OCSP query, you know that there is some issue with network connectivity. 
If you see traffic hitting the virtual server and not being sent to the pool members, then that would seem to suggest that there is a connection issue between the client and the virtual server. If the query seems to pass through the virtual server and out to the pool members without an issue, I'd suggest checking your SNAT settings on the virtual server. Without the SNAT setting set to Automap (or SNAT pool if you have one configured), the response would not be routed properly back through the F5.&nbsp;
If you can provide any more details, such as the results of tcpdump or where the query seems to be dropped, I'd be able to give more accurate and useful advice.&nbsp;
Hope this helps.&nbsp;

eric_haupt1 · Answer

Nope - checked all of that.&nbsp;

eric_haupt1 · Answer

Ahhh... I found it. It's trying to use an egress point when LB'd that is not permitted through our firewall. I need to add another float IP for my second traffic group.&nbsp;

Forum Discussion

OCSP outbound LB through F5 VS

Recent Discussions

VS FORWARDING & ROUTE

Diameter iRules attachment?

Source IP F5 DNS Zone Forwarder

F5 BIG-IP

BIG-IP Oauth Client and AS

Related Content

OCSP through an outbound explicit proxy

Configuring OCSP Stapling on BIG-IP

Building an OpenSSL Certificate Authority - Configuring CRL and OCSP

OCSP Responder

SSL Orchestrator Advanced Use Cases: Outbound SNAT Persistence

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS