This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
TimV
Participant
‎2025-04-01 01:30 PM

Unreached OCSP - causes serious lag

Hi,

Setup

Current setup is a Maestro R81 Take12. (already the case on Take10)

MHO140 /9300&9400's.

These is a serious delay in browsing websites thru the SG's.

Nearly all Security features are on - Sandblast suite. 

Symthom

When browsing to a domain, the initial delay is 12-15sec, before it starts loading.

Seen these kinds of messages before in R81.20, but to compare : 

  • R81.20 - 25msg in 1,5h, 500+ endpoints active 24/7
  • R82 - 25msg in 1,5min 5active users.

So far

TAC is already involved, but wondering if somebody else is experiencing this issue?
Currently no big clue where the issue may reside.

The OCSP error very present, and near the timeline of the actions taken.
Certificate used in HTTPS Inspect is exactly the same as the existing setup. 

It's, apart of a RemoteAccess configuration move, the last hurdle I need to fix before being able to go live.

Kind regards

Tim

0 Kudos
8 Replies
PhoneBoy
Admin
Admin
‎2025-04-01 04:58 PM

OSCP is occurring because we are validating the certificate for the remote site is valid as part of SNI verification we do.
This occurs on anything where SNI is processed (App Control, URL Filtering, and HTTPS Inspection among others).
If the OSCP connection is failing somehow (you didn't include the message, but I assume that's what they are), that would account for the slowness of establishing the initial connection.

0 Kudos
the_rock
Legend
Legend
‎2025-04-01 05:09 PM

OSCP would definitely have to do with certificate. Where is the error? Does it happen on client side or somewhere else?

Andy

0 Kudos
AaronCP
Advisor
‎2025-04-01 11:30 PM

Hi @TimV,

Is there a way you can switch to CRL for certificate validation and see if it improves your situation?

We had a scenario some time ago with validating VPN authentication certificates. From memory, there was a change in behaviour that defaulted to using OCSP, but when we switched back to CRL validation, it resolved our issue.

Thanks,

Aaron.

0 Kudos
TimV
Participant
‎2025-04-01 11:35 PM
In response to AaronCP

Hello,
How you would you do this?

0 Kudos
AaronCP
Advisor
‎2025-04-02 01:21 AM
In response to TimV

To resolve our issue, we used Scenario 2 in SK179434.

(1)
the_rock
Legend
Legend
‎2025-04-02 03:38 AM
In response to AaronCP

Never seen that sk before, GREAT reference @AaronCP 

0 Kudos
TimV
Participant
‎2025-04-01 11:39 PM

Hello

Sorry about the missing information. 
There are 2 types - 
One related to HTTPS Inspect, other one related to URLF.
 
Anyone a good guide on how to create a HTTPS inspect certificate with CRL and/or OCSP? ADCS based pref. 
 
Kind Regards
Tim

 

Preview file
125 KB
Preview file
131 KB
0 Kudos
PhoneBoy
Admin
Admin
‎2025-04-02 06:45 AM
In response to TimV

Both issues have the same root cause, as explained earlier.
The Certificate used for HTTPS Inspection must be a Certificate Authority (i.e. can't be a wildcard cert).
The CRL/OSCP server used by the CA needs to be reachable by the gateway (also client in case of Remote Access).
Beyond that, no specific guidance. 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
 
Upcoming Maestro Events

    CheckMates Events