Bug ID 895989: When BIG-IP is used as pure L2 wire, server-side OCSP check might not work

Last Modified: Oct 13, 2023

Affected Product(s):
BIG-IP LTM, SSLO(all modules)

Known Affected Versions:
16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2

Opened: Apr 04, 2020

Severity: 3-Major

Symptoms

For pure SSL Orchestrator as L2 wire, a server-side OCSP check may not work if the server does not support stapling. As there is no TMM route to send the OCSP request to OCSP responder, the OCSP check might fail.

Impact

As pure L2 wire mode does not support self IP addresses on virtual wire interfaces, the BIG-IP system is not able to route OCSP request to OCSP responder.

Conditions

-- The BIG-IP system is used in pure L2 wire mode. -- The server SSL profile configured for the virtual server uses OCSP to check the status of server certificates. -- The server does not support OCSP stapling.

Workaround

Configure a VLAN and self IP address on a new interface that is not in L2 wire mode. This self IP address will be used by TMM to make OCSP requests on the server-side to check server certificate status.

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips