Forum Discussion

Stephan_V
Jun 15, 2017

OCSP [AUTH::status] always returns 1; Never talks to OCSP responder

I am trying to set up a new basic OCSP configuration on my F5. I followed the configuration steps outlined in this article: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-11-1-0/36.html My device runs 12.1.0 Build 0.0.1434 Final.

After setting up all the objects and attaching the OCSP authentication to my virtual server, I can't authenticate anymore. Chrome reports back a connection reset. IE is more dumb about it, with only a 'cannot display page' message.

After following a lot of troubleshooting steps, including making a copy of the default _sys_auth_ssl_ocsp iRule and adding a ton of debug log statements to it, I came to the conclusion that [AUTH::status] always returns 1, which causes the iRule to reject.

The DNS entry resolves properly on the F5. I tried several more specific tcpdump filters with IP addresses before finally just checking for any port 80 traffic. There was none:

tcpdump -ni eth0 -s0 port 80

So the F5 is not even trying to query the responder. A manual openssl command (to test the responder) is working fine:

openssl ocsp -issuer piv-chain.cer -cert /home/admin/stephan.cer -text -url http://ocsp.pki.va.gov -CAfile piv-chain.cer

<..>
Response verify OK
/home/admin/stephan.cer: good
    This Update: Jun 15 03:19:56 2017 GMT
    Next Update: Jun 16 02:50:00 2017 GMT

Any ideas?

1 Reply

  • As soon as I added the http:// prefix to the URL parameter in the OCSP Responders profile, everything started to work. I have asked F5 to update their documentation and make that an explicit note.
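An added example, not code from the thread or from F5, showing how the misconfiguration in this answer could be caught before the profile is saved: a small Python lint for the OCSP responder URL that flags a bare hostname with no http:// prefix. The function name, the findings text and the two sample values are assumptions constructed here; F5 does not expose such a check itself.

```python
from urllib.parse import urlsplit

# Constructed sample values for the OCSP Responders profile URL field:
# the bare host that silently failed in the thread, and the fix that worked.
BARE_HOST = "ocsp.pki.va.gov"
FIXED_URL = "http://ocsp.pki.va.gov"


def check_responder_url(url: str) -> list:
    """Return a list of problems with an OCSP responder URL; empty means OK.

    Hypothetical pre-deployment lint. It catches the failure from the thread,
    a responder given as a bare host with no scheme, which the device never
    queries at all (no port 80 traffic) while AUTH::status still reports 1.
    """
    problems = []
    parts = urlsplit(url.strip())
    # A bare host such as "ocsp.pki.va.gov" parses as a path with an empty
    # netloc, and "ocsp.pki.va.gov:80" parses as scheme "ocsp.pki.va.gov"
    # with path "80". Checking for a scheme alone is therefore not enough;
    # require an actual host component.
    if not parts.netloc:
        problems.append("no scheme/host: prefix the responder with http://")
        return problems
    # OCSP responders are normally reached over plain http (the responder's
    # answer is itself signed); anything else is worth a second look.
    if parts.scheme != "http":
        problems.append("unexpected scheme %r; expected http" % parts.scheme)
    if parts.query or parts.fragment:
        problems.append("query string or fragment in responder URL")
    return problems


if __name__ == "__main__":
    for candidate in (BARE_HOST, FIXED_URL):
        print(candidate, "->", check_responder_url(candidate) or "OK")
```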