OCSP with Route Domains
At the moment I don't know exactly which heading best to use for my problem. So let me explain my current pain. We are migrating an existing F5-configuration from a different service provider. One of the VS is using client certs with OCSP checking. In addition to that they are using Route Domains. They don't use the APM, but standard LTM features. For their OCSP-URL they used another internal VS (10.1.1.1), I assume as a workaround due to Route Domain restrictions. The original VS is in RD3 and the workaround VS is in RD0 (Common). This workaround VS has an iRule assigned with the command "node %3". I also found out that all their Route Domains have the "strict isolated" option disabled (but I don't know if this comes from an older version, where this was the default or if it was required to get it working).
I migrated all the config 1:1 to our new F5 and my current problem is that I don't see any outgoing traffic towards the OCSP-URL with tcpdump. And as I'm not really familiar with OCSP, I don't know how to troubleshoot this further. The new F5 also has the APM licensed, so an implementation via an APM-policy could also be an option if this is maybe easier. And we are running on 11.5.3.
So one of my questions is: are there any restrictions with OCSP and Route Domains? And, as I already mentioned, how can I troubleshoot this further? It would also be fine to build it from scratch or even use the APM.
Any additional hints and tips would be very helpful.
Thank you!
Ciao Stefan :)