Last Modified: Jan 29, 2026
Affected Product(s):
BIG-IP (all modules)
Known Affected Versions:
16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3, 16.1.5, 16.1.5.1, 16.1.5.2, 16.1.6, 16.1.6.1
Opened: Oct 25, 2022 Severity: 3-Major
Issue observed: when Remote client cert-ldap authentication is enabled in BIG-IP and ocsp-responder is configured. Cause: the webUI update interval defaults to 5 seconds, so the webUI updates every 5 seconds, and each update triggers an SSL handshake. This results in bursts of OCSP requests on the OCSP responder, which may lead to the responder becoming unresponsive. Each request triggers two OCSP responder messages, leading to unnecessary traffic and causing performance issues in customer environments.
The OCSP (Online Certificate Status Protocol) Responder may experience service degradation or complete failure when subjected to excessive request volumes within compressed time intervals, particularly in environments where multiple systems share a single OCSP endpoint.
This occurs when Remote client cert-ldap authentication is enabled in BIG-IP and ocsp-responder is configured. The webUI makes an OCSP check for every HTTP request. This generates a lot of OCSP requests, and if the OCSP server doesn't respond consistently, the system is immediately redirected to the login page to re-authenticate.
1. In /etc/httpd/conf.d/ssl.conf, replace the lines below:

       SSLVerifyClient none
       <LocationMatch "^[/][^/]+[/]">
       SSLVerifyClient require
       </LocationMatch>

   with:

       SSLVerifyClient require

2. Restart the httpd service:

       bigstart restart httpd

Note: The workaround does not survive a device reboot, an upgrade, or modification of any of the authentication and/or HTTPD configurations.
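Because the workaround has to be re-applied after a reboot, upgrade or configuration change, the following added example (not F5 code) shows one way to check for the stanza and apply the edit idempotently with a backup. The function names and the STANZA_OPEN variable are hypothetical, and it assumes the four lines appear consecutively as quoted above.

```shell
#!/bin/bash
# Added example, not F5 code. Assumes the stanza sits on four consecutive
# lines exactly as quoted in the workaround (leading whitespace allowed).
STANZA_OPEN='<LocationMatch "^[/][^/]+[/]">'

# Succeeds (0) while the per-location stanza is still present in file $1.
needs_workaround() {
    grep -Fq -- "$STANZA_OPEN" "$1"
}

# Collapse the stanza to a single server-wide "SSLVerifyClient require".
# Returns 0 if applied or already applied, 2 if the layout is unexpected.
apply_workaround() {
    conf=$1
    needs_workaround "$conf" || return 0
    tmp=$(mktemp) || return 1
    awk -v stanza="$STANZA_OPEN" '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        { line[NR] = $0 }
        END {
            for (i = 1; i <= NR; i++) {
                if (trim(line[i]) == "SSLVerifyClient none" &&
                    trim(line[i+1]) == stanza &&
                    trim(line[i+2]) == "SSLVerifyClient require" &&
                    trim(line[i+3]) == "</LocationMatch>") {
                    sub(/none[ \t]*$/, "require", line[i])
                    print line[i]
                    i += 3
                } else {
                    print line[i]
                }
            }
        }' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    if needs_workaround "$tmp"; then
        rm -f "$tmp"
        echo "stanza not in the expected form; $conf left unchanged" >&2
        return 2
    fi
    # Keep a backup, then overwrite in place so ownership and mode are kept.
    cp -p "$conf" "$conf.bak" && cat "$tmp" > "$conf"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# On the device, per the workaround:
#   apply_workaround /etc/httpd/conf.d/ssl.conf && bigstart restart httpd
```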
None