Forum Discussion

Jed_C__298580
Jul 26, 2017

APM OCSP Responder fall back question

We have APM configured to do OCSP checks on client certs. The OCSP Responder AAA Server has the correct URL configured but "ignore AIA" was not checked. This worked fine in testing. But when it was put into production, authentication started failing with OCSP Responder issues. We found that the F5 was trying a URL from the AIA in the user's cert; however, it was not for an OCSP method of the AIA (in fact it was the Enrollment URL). The certs' AIA fields from the old CA do not have the OCSP method defined, as we've just added OCSP to support the F5 rollout. Checking the "ignore AIA" option solved the problem.
What I'm trying to confirm is, does APM (ver 12.1.2) first attempt the configured OCSP URL and if it fails or times out, goes looking at the AIA?
No replies
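The post reports that the certs issued by the old CA carry an AIA extension with only an enrollment (caIssuers) URL and no OCSP access method, and that APM ended up querying that non-OCSP URL. Whether APM tries the configured responder first and only then consults AIA is not answered on this page. What an operator can check before a rollout is which access methods each client certificate's AIA actually carries, so that "ignore AIA" is set wherever the AIA has no OCSP entry. The following is an added example, not F5 code and not from the post: a small DER encoder/decoder for the AuthorityInfoAccess extension value, using only the Python standard library. The two sample AIA values (a legacy cert with only a caIssuers URL, and a new cert that also has an OCSP URL) and the host names in them are constructed for illustration.

```python
"""Inspect an X.509 AuthorityInfoAccess (AIA) extension value in DER form and
report which access methods it carries.  Hypothetical helper, not F5 or APM
code.  The sample AIA values built at the bottom are constructed test data.

AIA ::= SEQUENCE OF AccessDescription
AccessDescription ::= SEQUENCE { accessMethod OID, accessLocation GeneralName }
GeneralName uniformResourceIdentifier is context tag [6], IMPLICIT IA5String
"""

OID_OCSP = "1.3.6.1.5.5.7.48.1"        # id-ad-ocsp
OID_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"  # id-ad-caIssuers (CA cert / enrollment URL)
ACCESS_METHOD_NAMES = {OID_OCSP: "ocsp", OID_CA_ISSUERS: "caIssuers"}

TAG_SEQUENCE, TAG_OID, TAG_URI = 0x30, 0x06, 0x86


def _der_len(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def _encode_oid(dotted):
    """Dotted OID string to DER content bytes (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_aia(entries):
    """entries: list of (accessMethod OID, URI).  Returns the DER AIA value."""
    descs = b""
    for oid, uri in entries:
        desc = _tlv(TAG_OID, _encode_oid(oid)) + _tlv(TAG_URI, uri.encode("ascii"))
        descs += _tlv(TAG_SEQUENCE, desc)
    return _tlv(TAG_SEQUENCE, descs)


def _read_tlv(buf, pos):
    """Return (tag, content, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    first = raw[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    val = 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def parse_aia(der):
    """Return [(method_name_or_oid, uri_or_None), ...] from a DER AIA value."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("AIA value must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(seq):
        _, desc, pos = _read_tlv(seq, pos)
        _, method, p = _read_tlv(desc, 0)
        loc_tag, loc, _ = _read_tlv(desc, p)
        oid = _decode_oid(method)
        uri = loc.decode("ascii") if loc_tag == TAG_URI else None  # non-URI names ignored
        out.append((ACCESS_METHOD_NAMES.get(oid, oid), uri))
    return out


def ocsp_urls(der):
    return [uri for method, uri in parse_aia(der) if method == "ocsp" and uri]


def aia_verdict(der):
    """'ocsp' if a responder consulting AIA would find an OCSP URL,
    'no-ocsp-method' if AIA has only other methods (the post's legacy case),
    'empty' if there are no AccessDescriptions at all."""
    entries = parse_aia(der)
    if ocsp_urls(der):
        return "ocsp"
    return "no-ocsp-method" if entries else "empty"


# Constructed samples (not real certificates): the legacy CA cert has only an
# enrollment URL under caIssuers; the new CA cert adds an OCSP URL.
LEGACY_AIA = build_aia([(OID_CA_ISSUERS, "http://ca.example.test/certsrv/enroll.p7c")])
NEW_AIA = build_aia([(OID_OCSP, "http://ocsp.example.test/"),
                     (OID_CA_ISSUERS, "http://ca.example.test/certsrv/enroll.p7c")])

if __name__ == "__main__":
    for name, der in (("legacy", LEGACY_AIA), ("new", NEW_AIA)):
        print(name, aia_verdict(der), parse_aia(der))
```

Run against the AIA extension bytes pulled from each issuing CA's client certificates; any cert that yields `no-ocsp-method` is one where a responder that honours AIA has nothing OCSP-specific to use, so the configured responder URL with "ignore AIA" is the only reliable choice.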