OCSP responder configured on a PA FW responds with “301 Moved Permanently”

5851
Created On 01/12/23 16:28 PM - Last Modified 12/31/24 00:37 AM


Symptom


  • After an OCSP responder is configured on the same interface as a GlobalProtect (GP) Portal, the OCSP check returns the status "unavailable" with the reason "Error querying OCSP responder".
  • A packet capture shows the Portal answering the OCSP request with "301 Moved Permanently" instead of an OCSP response.



Environment


  • Palo Alto Firewall
  • Supported PAN-OS
  • GlobalProtect (GP) Portal
  • Certificate profile 
  • OCSP responder


Cause


  • A firewall hosting a GlobalProtect Portal on an interface redirects HTTP to HTTPS on that interface by default.
  • The OCSP responder on the firewall listens on port 80, using a URL of the form "http://FQDN_or_IP/CA/ocsp", and is configured on the same interface as the GlobalProtect Portal.
  • When the OCSP request arrives on this interface, the Portal expects an HTTPS request but receives a plain HTTP request, so the firewall answers with a 301 redirect instead of an OCSP response.
  • Configuring an OCSP responder and a GlobalProtect Portal on the same interface is therefore not supported.
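The following Python script is an added diagnostic, not part of this article or of PAN-OS: it POSTs an OCSP request to the responder URL over plain HTTP and tells a redirect from the Portal apart from a genuine OCSP response (decoding the responseStatus from the DER). The hostname fw.example.com and both sample replies are constructed for illustration.

```python
import http.client
from urllib.parse import urlparse

OCSP_RESPONSE_TYPE = "application/ocsp-response"
# OCSPResponse.responseStatus values (RFC 6960, section 4.2.1)
OCSP_STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
               3: "tryLater", 5: "sigRequired", 6: "unauthorized"}

# Constructed sample replies (not captured from a real firewall): the redirect a
# GP Portal listener sends for plain HTTP, and a minimal "tryLater" OCSPResponse.
SAMPLE_REDIRECT = (301, {"Location": "https://fw.example.com/CA/ocsp"}, b"")
SAMPLE_TRY_LATER = (200, {"Content-Type": OCSP_RESPONSE_TYPE}, bytes.fromhex("30030a0103"))

def _der_sequence_start(body: bytes):
    """Offset of the first element of an outer DER SEQUENCE, or None if malformed."""
    if len(body) < 2 or body[0] != 0x30:
        return None
    if body[1] < 0x80:
        off, declared = 2, body[1]
    else:
        n = body[1] & 0x7F
        off, declared = 2 + n, int.from_bytes(body[2:2 + n], "big")
    return off if len(body) == off + declared else None

def classify_ocsp_reply(status: int, headers: dict, body: bytes) -> str:
    """'redirect' when the listener answered with an HTTP redirect (this article's
    symptom), 'ocsp:<responseStatus>' for a genuine OCSPResponse, else 'unexpected'."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status in (301, 302, 307, 308):
        return "redirect"
    if status != 200 or not hdrs.get("content-type", "").startswith(OCSP_RESPONSE_TYPE):
        return "unexpected"
    # OCSPResponse ::= SEQUENCE { responseStatus ENUMERATED, responseBytes OPTIONAL }
    off = _der_sequence_start(body)
    if off is None or len(body) < off + 3 or body[off] != 0x0A or body[off + 1] != 0x01:
        return "unexpected"
    return "ocsp:" + OCSP_STATUS.get(body[off + 2], f"unknown({body[off + 2]})")

def probe_ocsp_responder(url: str, ocsp_request_der: bytes, timeout: float = 5.0) -> str:
    """POST a DER-encoded OCSPRequest over plain HTTP (the firewall's responder
    listens on port 80) and classify the reply."""
    u = urlparse(url)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=timeout)
    try:
        conn.request("POST", u.path or "/", body=ocsp_request_der,
                     headers={"Content-Type": "application/ocsp-request"})
        resp = conn.getresponse()
        return classify_ocsp_reply(resp.status, dict(resp.getheaders()), resp.read())
    finally:
        conn.close()
```

A result of "redirect" from probe_ocsp_responder against "http://FQDN_or_IP/CA/ocsp" reproduces the 301 described above; a healthy responder returns "ocsp:successful".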


Resolution


Place the OCSP responder on a different interface than the GP Portal.
