12.1 ADC OAuth Action and the action state remains at CERTFETCH regardless of the operation performed


Article ID: CTX322404


Description

If you have configured an OAuth action on a 12.1 ADC, the action state remains at CERTFETCH regardless of the operation performed.

However, if you perform the same operation on a 13.0 ADC, the status shows as complete.


On the 12.1 ADC, the traces show that the ADC initiates the SSL handshake but the server resets the connection:

ADC IP: 10.X.X.X
Cert-fetch Server IP: 193.X.X.X


Comparing the traces for the cause of the failure shows that the 13.0 ADC sends SNI details in the Client Hello, while the 12.1 ADC does not.

Resolution

Solution:
Please upgrade the ADC to 13.0 to get SNI support for internal services such as OAuth.

Workaround:

VPN provides add-on support for sending SNI for DBS created for backend servers (VPN DBS services) once the command "set vpn parameter -backendServerSni ENABLED" has been executed.

We suggest executing the commands below to make the feature work for a backend that mandates the SNI parameter.

  • set vpn parameter -backendServerSni ENABLED
  • set oauthAction oauth_sp_act -skewTime 5   << to refresh the OAuthAction

 


Problem Cause

In 12.1 ADC, the SSL service module does not support SNI on internal services ("SNI feature not supported on internal service"). If SNI details are not sent in the Client Hello, the handshake fails when the server expects SNI details from the sender.