Forum Discussion
hooleylist
Feb 23, 2010
500 is not a bad start! Can you explain why you're trying to check the client cert against a DOD and Verisign OCSP server? Are there two different sets of CAs issuing the client certs?
The idea with the VIP for the OCSP servers is that you can eventually configure an external monitor which replicates a client OCSP request. If the OCSP server fails to respond to the monitor requests, it would be marked down in the pool and not used.
To troubleshoot the responder failure, I'd start with a command line request from LTM directly to the server to see if the TCP connection works and, if so, whether you get an HTTP response. If that works, then try making the same request to the OCSP VIP with only the Verisign server enabled in the pool. If you get an HTTP response from the VIP, then try the client cert VIP again with only the Verisign server enabled in the pool. If the OCSP auth fails, I'd try loosening the validation of the OCSP server(s) in the OCSP responder config.
Aaron
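The staged command-line checks Aaron describes (TCP to the responder, then an OCSP request to the responder, then the same request through the OCSP VIP), written up as an added bash script that is not part of the original post. It assumes bash, the coreutils `timeout` command and `openssl` are available on the LTM shell; the host, URLs and PEM paths are placeholders.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Assumes bash (/dev/tcp), the
# coreutils timeout command and openssl on the LTM; every host, URL and PEM
# path below is a placeholder to replace with your own values.

# Stage 1: does a plain TCP connection to the responder open at all?
tcp_check() {                      # usage: tcp_check host [port]
  local host=$1 port=${2:-80}
  timeout 5 bash -c "exec 3<>/dev/tcp/${host}/${port}" 2>/dev/null
}

# Stage 2/3: send a real OCSP request over HTTP and return openssl's output.
# Extra arguments pass through, e.g. -noverify to see whether only the
# response-signature check is what fails (openssl's own flag, unrelated to
# the LTM responder config).
ocsp_query() {                     # usage: ocsp_query url issuer.pem cert.pem [args]
  local url=$1 issuer=$2 cert=$3; shift 3
  openssl ocsp -issuer "$issuer" -cert "$cert" -url "$url" -resp_text "$@" 2>&1
}

# Reduce openssl ocsp output to one word so the same check can be applied to
# the responder directly and then to the OCSP VIP:
#   verify_failed        answer arrived but its signature/chain was rejected
#   good|revoked|unknown the status the responder reported for the cert
#   no_response          no OCSP answer at all (TCP or HTTP problem)
# Returns 0 only when a verified answer came back.
classify_ocsp_output() {
  case "$1" in
    *"Response Verify Failure"*) echo verify_failed; return 1 ;;
    *": good"*)                  echo good ;;
    *": revoked"*)               echo revoked ;;
    *": unknown"*)               echo unknown ;;
    *)                           echo no_response; return 1 ;;
  esac
}

# Run the stages in order and stop at the first one that fails, so the output
# names where the break is: responder TCP, responder OCSP, or the VIP.
# usage: run_stages responder_host responder_url vip_url issuer.pem cert.pem
run_stages() {
  local host=$1 direct_url=$2 vip_url=$3 issuer=$4 cert=$5 result
  tcp_check "$host" || { echo "stage 1: no TCP connection to $host"; return 1; }
  result=$(classify_ocsp_output "$(ocsp_query "$direct_url" "$issuer" "$cert")") ||
    { echo "stage 2: responder direct -> $result"; return 2; }
  echo "stage 2: responder direct -> $result"
  result=$(classify_ocsp_output "$(ocsp_query "$vip_url" "$issuer" "$cert")") ||
    { echo "stage 3: via OCSP VIP -> $result"; return 3; }
  echo "stage 3: via OCSP VIP -> $result"
}
```

If stage 2 passes and stage 3 reports `verify_failed`, the VIP is forwarding the request but the answer is being rejected on signature or chain grounds, which is the case where loosening the responder validation in the LTM config is worth testing.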