Bug ID 578097: Enabling DNS resolver and proxy server pool at the same time by tmsh in OCSP Stapling Parameters (for clientSSL OCSP Stapling) might cause OCSP responder not reached

Last Modified: Nov 07, 2022


Affected Product:
BIG-IP LTM (all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.4, 11.6.5, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4

Opened: Mar 04, 2016
Severity: 4-Minor


OCSP Stapling uses either a DNS resolver or a proxy server pool to connect to the OCSP responder. In the GUI you select one of these two options, but tmsh allows proxy-server-pool to be configured when use_proxy_server is set to false, and vice versa.


In the following situation:
- use_proxy_server: enabled, but incorrectly configured, or the external proxy server is not working or is down.
- DNS resolver: enabled and correctly configured.

OCSP stapling will not work, because the device tries to connect to the OCSP responder through the proxy regardless of the DNS resolver configuration. Because this 'double' configuration (DNS + use_proxy_server) can only be made with tmsh, the GUI does not show that both configurations are present at the same time.


DNS resolver and use_proxy_server are configured at the same time, but only one of these configurations is set to true.


Disable the use_proxy_server configuration using tmsh; the device will then use the DNS resolver to reach the OCSP responder.
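Because the GUI does not show the double configuration, one way to find it is to audit the text configuration. The following is an added example, not F5 code: it flags OCSP stapling parameter objects that have both a DNS resolver and a proxy server pool set, and reports which path the device will use according to the behavior described above. The stanza layout, the object type name `ocsp-stapling-params`, and the hyphenated property names in the constructed sample are assumptions; adjust them to what your version prints.

```python
import re

# Constructed sample; stanza layout and property names are assumptions.
SAMPLE = """\
ltm profile ocsp-stapling-params /Common/ocsp_both {
    dns-resolver /Common/res1
    proxy-server-pool /Common/proxy_pool
    use-proxy-server enabled
}
ltm profile ocsp-stapling-params /Common/ocsp_dns_only {
    dns-resolver /Common/res1
    proxy-server-pool none
    use-proxy-server disabled
}
ltm profile ocsp-stapling-params /Common/ocsp_stale_pool {
    dns-resolver /Common/res1
    proxy-server-pool /Common/old_pool
    use-proxy-server disabled
}
"""

STANZA = re.compile(
    r"^ltm profile ocsp-stapling-params (\S+) \{\n(.*?)^\}", re.M | re.S)

def is_set(value):
    """A property counts as configured unless it is absent or 'none'."""
    return value not in (None, "", "none")

def audit(config_text):
    """Return (profile, effective_path) for every double-configured profile."""
    findings = []
    for name, body in STANZA.findall(config_text):
        props = {}
        for line in body.splitlines():
            parts = line.split(None, 1)
            if len(parts) == 2:
                # Accept use_proxy_server as well as use-proxy-server.
                props[parts[0].replace("_", "-")] = parts[1].strip()
        if not (is_set(props.get("dns-resolver"))
                and is_set(props.get("proxy-server-pool"))):
            continue
        # Assumption: a missing use-proxy-server is treated as disabled.
        flag = props.get("use-proxy-server", "disabled")
        path = "proxy-server-pool" if flag in ("enabled", "true") else "dns-resolver"
        findings.append((name, path))
    return findings

if __name__ == "__main__":
    for name, path in audit(SAMPLE):
        print("%s: both set; responder is reached via %s" % (name, path))
```

A profile reported with `proxy-server-pool` as the effective path is the case where a broken proxy stops stapling even though the DNS resolver is correct.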

Fix Information


Behavior Change