Forum Discussion

Stefan_Klotz_85's avatar
Stefan_Klotz_85
Icon for Cirrus rankCirrus
Feb 09, 2016

OCSP with Route Domains

At the moment I don't know exactly which heading best to use for my problem. So let me explain my current pain. We are migrating an existing F5-configuration from a different service provider. One of...
application delivery
LTM
ocsp
route domains
security
Stefan_Klotz's avatar
Stefan_Klotz
Icon for Cumulonimbus rankCumulonimbus
Feb 22, 2016

Ok, I have now the whole picture. The "forwarding" VS, which is Standard-type VS in our setup needs to have an IP-address out from a directly connected VLAN. Before I used a dummy 192er address, that's why I never saw traffic or required a dedicated route for this IP. We used a VIP-address from our heartbeat VLAN, as there were still some free IPs available. But you can also create a complete new dummy VLAN with at least one self-IP in it. In both cases this VLAN needs to be part of the Common partition/route domain. Additionally you need to set the "Parent Name" of the route domain where you need the OCSP feature to "0". This allows your non-Common route domain to check the routing table of the Common route domain, which includes the "forwarding" VS as a directly connected VLAN. So no additional static route is required and even "Strict Isolation" can be left enabled.

 

On top of that I combined this solution with the proxy emulating iRule, because the LB in our setup is not allowed to communicate towards the Internet. This works also like a charm.

 

Ciao Stefan :)