Last Modified: May 05, 2026
Affected Product(s):
BIG-IP (all modules)
Known Affected Versions:
16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3, 16.1.5, 16.1.5.1, 16.1.5.2, 16.1.6, 16.1.6.1
Fixed In:
17.5.1.6, 17.1.3.2
Opened: Oct 25, 2022 Severity: 3-Major
Issue observed: when remote client cert-ldap authentication is enabled on BIG-IP and an OCSP responder is configured, the OCSP responder is flooded with requests. Cause: the webUI auto-refreshes at a default interval of 5 seconds, and every refresh triggers a new SSL handshake. Each handshake in turn triggers two OCSP responder messages, so the refreshes produce bursts of OCSP requests that generate unnecessary traffic, cause performance issues in customer environments, and may leave the responder unresponsive.
The OCSP (Online Certificate Status Protocol) responder may experience service degradation or complete failure when it receives excessive request volumes within short time intervals, particularly in environments where multiple systems share a single OCSP endpoint.
When remote client cert-ldap authentication is enabled on BIG-IP and an OCSP responder is configured, the webUI performs an OCSP check for every HTTP request. This generates a large number of OCSP requests, and if the OCSP server does not respond consistently, the user is immediately redirected to the login page to re-authenticate.
1. In /etc/httpd/conf.d/ssl.conf, replace the lines

   SSLVerifyClient none
   <LocationMatch "^[/][^/]+[/]">
   SSLVerifyClient require
   </LocationMatch>

   with

   SSLVerifyClient require

   (Requiring the client certificate only inside a per-location block makes Apache mod_ssl renegotiate the TLS session, and therefore revalidate the certificate against the OCSP responder, whenever a request matches that location. Requiring it in the server context validates the certificate once per handshake.)

2. Restart the httpd service:

   bigstart restart httpd

Note: The workaround does not survive a device reboot, an upgrade, or modification of any of the authentication and/or HTTPD configurations. Re-check ssl.conf after any of these events and reapply the change if the LocationMatch block has returned.
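The following script is an added example and is not F5's own tooling. It applies the ssl.conf edit above on a copy of the file and provides a check for whether the workaround is still in place, which matters because the change is lost on reboot, upgrade, or authentication/HTTPD configuration changes. The path /etc/httpd/conf.d/ssl.conf and the command `bigstart restart httpd` come from this page; the function names, the warning behaviour for a LocationMatch block that carries additional directives, and the sample configuration excerpt are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not F5 tooling): apply and verify the ssl.conf workaround
# described on this bug page, working on a copy of the file first.

# Path used on BIG-IP (from the page). The functions take the file as $1 so the
# edit can be dry-run on a copy before touching the live configuration.
SSL_CONF_DEFAULT=/etc/httpd/conf.d/ssl.conf

# Constructed excerpt that mirrors the ssl.conf lines quoted on the page; it is
# sample input for the example, not a real BIG-IP file.
make_sample_conf() {
    cat > "$1" <<'EOF'
# constructed excerpt resembling the BIG-IP httpd ssl.conf lines in this bug
SSLEngine on
SSLVerifyClient none
<LocationMatch "^[/][^/]+[/]">
SSLVerifyClient require
</LocationMatch>
SSLOCSPResponderTimeout 10
EOF
}

# Rewrite the file in place: the server-wide "SSLVerifyClient none" becomes
# "require", and the LocationMatch block that re-required the certificate per
# path is dropped. If that block also holds other directives, it is left intact
# and a warning is printed, so nothing unrelated is removed silently.
apply_workaround() {
    conf="$1"
    tmp="$conf.tmp.$$"
    awk '
        inblock {
            block[n++] = $0
            if (index($0, "</LocationMatch>") > 0) {
                inblock = 0
                if (extra) {
                    print "warning: LocationMatch block holds other directives, left in place" | "cat 1>&2"
                    for (i = 0; i < n; i++) print block[i]
                }
                next
            }
            if ($0 !~ /^[ \t]*SSLVerifyClient[ \t]+require[ \t]*$/) extra = 1
            next
        }
        index($0, "<LocationMatch \"^[/][^/]+[/]\">") > 0 {
            inblock = 1; n = 0; extra = 0; block[n++] = $0; next
        }
        /^[ \t]*SSLVerifyClient[ \t]+none[ \t]*$/ {
            sub(/none/, "require"); print; next
        }
        { print }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Exit 0 only when the server-wide directive is "require", no "none" remains,
# and the per-path LocationMatch block is gone. Run this after a reboot,
# upgrade, or auth/httpd change to see whether the workaround was reverted.
check_workaround() {
    conf="$1"
    grep -Eq '^[[:space:]]*SSLVerifyClient[[:space:]]+require' "$conf" &&
    ! grep -Eq '^[[:space:]]*SSLVerifyClient[[:space:]]+none' "$conf" &&
    ! grep -Fq '<LocationMatch "^[/][^/]+[/]">' "$conf"
}

# Stand-alone run: operate on a copy of the live file when it exists, otherwise
# on the constructed sample, and report what the operator should do next.
main() {
    src="${1:-$SSL_CONF_DEFAULT}"
    work="$(mktemp)"
    if [ -r "$src" ]; then cp "$src" "$work"; else make_sample_conf "$work"; fi
    apply_workaround "$work"
    if check_workaround "$work"; then
        echo "workaround applied in $work; review it, copy it over $src, then run: bigstart restart httpd"
    else
        echo "workaround incomplete in $work; inspect the LocationMatch block by hand" >&2
    fi
}

main "$@"
```

The rewrite is idempotent, so `check_workaround` followed by `apply_workaround` can sit in a post-boot or post-upgrade checklist without damaging a file that already carries the change.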
1. Configure the BIG-IP for remote client cert-ldap authentication.
2. Log in to the BIG-IP via the UI.
3. On the OCSP responder, look for OCSP requests from the BIG-IP: there should be requests only during authentication and every SSLOCSPResponderTimeout interval.