topic Re: Unreached OCSP - causes serious lag in Hyperscale Firewall (Maestro)

Unreached OCSP - causes serious lag

TimV — Tue, 01 Apr 2025 20:30:58 GMT

Hi,

Setup

Current setup is a Maestro R81 Take12. (already the case on Take10)

MHO140 /9300&9400's.

These is a serious delay in browsing websites thru the SG's.

Nearly all Security features are on - Sandblast suite.

Symthom

When browsing to a domain, the initial delay is 12-15sec, before it starts loading.

Seen these kinds of messages before in R81.20, but to compare :

R81.20 - 25msg in 1,5h, 500+ endpoints active 24/7
R82 - 25msg in 1,5min 5active users.

So far

TAC is already involved, but wondering if somebody else is experiencing this issue?
Currently no big clue where the issue may reside.

The OCSP error very present, and near the timeline of the actions taken.
Certificate used in HTTPS Inspect is exactly the same as the existing setup.

It's, apart of a RemoteAccess configuration move, the last hurdle I need to fix before being able to go live.

Kind regards

Tim

Re: Unreached OCSP - causes serious lag

PhoneBoy — Tue, 01 Apr 2025 23:58:55 GMT

OSCP is occurring because we are validating the certificate for the remote site is valid as part of SNI verification we do.
This occurs on anything where SNI is processed (App Control, URL Filtering, and HTTPS Inspection among others).
If the OSCP connection is failing somehow (you didn't include the message, but I assume that's what they are), that would account for the slowness of establishing the initial connection.

Re: Unreached OCSP - causes serious lag

the_rock — Wed, 02 Apr 2025 00:09:44 GMT

OSCP would definitely have to do with certificate. Where is the error? Does it happen on client side or somewhere else?

Andy

Re: Unreached OCSP - causes serious lag

AaronCP — Wed, 02 Apr 2025 06:30:45 GMT

Hi @TimV,

Is there a way you can switch to CRL for certificate validation and see if it improves your situation?

We had a scenario some time ago with validating VPN authentication certificates. From memory, there was a change in behaviour that defaulted to using OCSP, but when we switched back to CRL validation, it resolved our issue.

Thanks,

Aaron.

Re: Unreached OCSP - causes serious lag

TimV — Wed, 02 Apr 2025 06:35:12 GMT

Hello,
How you would you do this?

Re: Unreached OCSP - causes serious lag

TimV — Wed, 02 Apr 2025 06:39:35 GMT

Hello

Sorry about the missing information.

There are 2 types -
One related to HTTPS Inspect, other one related to URLF.

Anyone a good guide on how to create a HTTPS inspect certificate with CRL and/or OCSP? ADCS based pref.

Kind Regards

Tim

Re: Unreached OCSP - causes serious lag

AaronCP — Wed, 02 Apr 2025 08:21:13 GMT

To resolve our issue, we used Scenario 2 in SK179434.

Re: Unreached OCSP - causes serious lag

the_rock — Wed, 02 Apr 2025 10:38:35 GMT

Never seen that sk before, GREAT reference @AaronCP

Re: Unreached OCSP - causes serious lag

PhoneBoy — Wed, 02 Apr 2025 13:45:06 GMT

Both issues have the same root cause, as explained earlier.
The Certificate used for HTTPS Inspection must be a Certificate Authority (i.e. can't be a wildcard cert).
The CRL/OSCP server used by the CA needs to be reachable by the gateway (also client in case of Remote Access).
Beyond that, no specific guidance.