OCSP Cache Status Unavailable After OCSP Responder is Online
17054
Created On 06/25/19 07:08 AM - Last Modified 07/31/25 21:38 PM
Symptom
The OCSP cache status changed from valid to unavailable when the OCSP responder went offline, and it stayed unavailable for one hour even after the OCSP responder came back online.
> debug sslmgr view ocsp all
Current time is: Tue Jun 25 06:05:09 2019
Count Serial Number (HEX) Status Next Update Revocation Time Reason
Issuer Name Hash
OCSP Responder URL
------- ---------------------------------------- ----------- ------------------------ ------------------------ ----------
[ 1] 01 unavailable Jun 25 04:56:04 2019 GMT
abcabcad
http://xxx.xxx.xxx.xxx:8888
Cause
This behavior is by design and exists to protect system performance. The code that performs the OCSP query cannot know when the OCSP responder will come back online, so it caches the unavailable result (for the one-hour window seen above) instead of sending a new request to the unreachable responder on every handshake.
Resolution
To force a fresh OCSP lookup and confirm the responder's current status, clear the cached OCSP status from the dataplane with the following CLI command.
> debug dataplane reset ssl-decrypt certificate-status
(Here's an example)
> show system setting ssl-decrypt certificate-cache vsys 1
client_cert, refs: 1
Root CA: testtest
original cert len 906 subject testuser
OCSP status: unavailable, timeout(secs): 0
original serial number(1) 01 .
Cached 1 certificates

> debug dataplane reset ssl-decrypt certificate-status
reset 1 cert status.

> show system setting ssl-decrypt certificate-cache vsys 1
client_cert, refs: 1
Root CA: testtest
original cert len 906 subject testuser
OCSP status: not queried, timeout(secs): 0
original serial number(1) 01 .
Cached 1 certificates
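To make the cause and the resolution concrete, the following Python model is an added illustration (it is not Palo Alto Networks code and is not derived from PAN-OS source). It reproduces the behavior the article describes: a failed OCSP query is negatively cached so the responder is not re-queried on every handshake, the cached "unavailable" result keeps being served after the responder is back, and a manual reset returns the entry to "not queried" so the next lookup goes to the network. The class and function names, the one-hour `OCSP_NEGATIVE_TTL`, the fake responder and the simulated clock are all assumptions made for this example.

```python
"""Model of a decryption-engine OCSP status cache with negative caching.

Added example, not vendor code. OCSP_NEGATIVE_TTL, FakeResponder and the
status strings are assumptions chosen to mirror the KB article's output.
"""
import time
from dataclasses import dataclass

OCSP_NEGATIVE_TTL = 3600  # assumed: one hour, matching the window described in the article


@dataclass
class CacheEntry:
    serial: str
    status: str = "not queried"   # not queried | valid | revoked | unavailable
    next_update: float = 0.0      # epoch seconds after which the entry must be refreshed


class FakeResponder:
    """Stand-in for the OCSP responder; the caller toggles 'online'."""

    def __init__(self):
        self.online = True
        self.queries = 0          # counts network requests actually sent

    def query(self, serial):
        self.queries += 1
        if not self.online:
            raise ConnectionError("responder unreachable")
        return "valid", 600       # constructed: status plus validity window in seconds


class OcspCache:
    def __init__(self, responder, clock=time.time):
        self.responder = responder
        self.clock = clock
        self.entries = {}

    def lookup(self, serial):
        """Return the cached status, querying the responder only when the entry is stale."""
        now = self.clock()
        entry = self.entries.setdefault(serial, CacheEntry(serial))
        if entry.status != "not queried" and now < entry.next_update:
            return entry.status   # served from cache, no network request
        try:
            status, valid_for = self.responder.query(serial)
            entry.status, entry.next_update = status, now + valid_for
        except ConnectionError:
            # Negative caching: remember the failure so the responder is not hammered
            entry.status, entry.next_update = "unavailable", now + OCSP_NEGATIVE_TTL
        return entry.status

    def reset_status(self):
        """Analogue of 'debug dataplane reset ssl-decrypt certificate-status'."""
        for entry in self.entries.values():
            entry.status, entry.next_update = "not queried", 0.0
        return len(self.entries)


def scenario():
    """Replays the article: responder goes down, comes back, cache still says
    unavailable until the status is reset. Returns the observed statuses and
    the number of network queries before and after the reset."""
    clock = [1_000_000.0]                         # simulated time so the run is deterministic
    responder = FakeResponder()
    cache = OcspCache(responder, clock=lambda: clock[0])
    timeline = [cache.lookup("01")]               # valid, responder online
    responder.online = False
    clock[0] += 700                                # validity window passed, refresh attempted
    timeline.append(cache.lookup("01"))           # unavailable
    responder.online = True
    clock[0] += 60
    timeline.append(cache.lookup("01"))           # still unavailable, answered from cache
    queries_before_reset = responder.queries
    cache.reset_status()
    timeline.append(cache.lookup("01"))           # valid again after the reset
    return timeline, queries_before_reset, responder.queries


if __name__ == "__main__":
    print(scenario())
```

The third lookup is the situation in the Symptom section: the responder is reachable again, but no request is sent because the negative entry has not expired. That is the trade-off the Cause section describes, and it is why checking the dataplane certificate cache (or resetting it) belongs in the troubleshooting path before concluding that the responder itself is still down.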