CSCvc17726 - ISE 2.1 Could not download Certificate Revocation List - 2

CSCO12192669
Level 1

Dear,

 

Is there any fixed release?

 

Thanks!


Seems fixed in ISE 2.3 Patch 2.

My CRL retrieval warnings disappeared since the update from patch 1 to patch 2.

Thanks. It has been provided by TAC.

Facing same issue. I have ISE 2.3 with patch 1 and CRL is unable to download.

 

Cisco released patch 2 on 25th Jan 2018. I will download and test again. Let me keep you posted on this.

CRL works after installing ISE 2.3 patch 2

Hi Paul,

 

I've figured out with TAC how the mechanism of CRL checking works:

 

ISE checks the value of the AKI field in the CRL to ensure the CRL belongs to a certificate ISE holds in its trusted certificate store. This field has to contain the serial number of the issuing certificate.

 

Details can be found here: http://www.pkiglobe.org/aki_ski.html

 

 

Our problem depends on the fact that the CRLs of our PKI do not contain this AKI extension, which leads to the following symptoms:

 

  • ISE downloads the CRL properly (can be validated with TCP dump)
  • ISE checks client certificates successfully against the CRL (can be checked by revoking a certificate and testing)
  • ISE brings up the known error message every 70 minutes (no clue why this interval)

 

In fact this is a cosmetic error because downloading and checking against the CRL works properly. Nevertheless you have to deal with this recurring error message anyhow.

 

Maybe you have another problem with downloading the CRL, but these are my two cents in this case.
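
Added example, not part of the original post and not Cisco code: a standard-library Python check that reports whether a DER-encoded CRL carries the Authority Key Identifier extension (OID 2.5.29.35) the post above describes, and which key identifier and issuer serial number it holds. The function names and the sample CRLs are constructed for illustration; the samples carry a dummy signature, and the check does not verify signatures.

```python
AKI_OID = bytes.fromhex("551d23")  # id-ce-authorityKeyIdentifier, 2.5.29.35

def tlv(buf, pos=0):
    """Read one DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

def crl_aki(crl_der):
    """Return the AKI fields of a DER CRL, or None if the extension is absent."""
    for tag, val in children(children(tlv(crl_der)[1])[0][1]):  # tbsCertList fields
        if tag != 0xA0:  # crlExtensions is [0] EXPLICIT inside tbsCertList
            continue
        for _, ext in children(children(val)[0][1]):
            fields = children(ext)  # extnID, optional critical flag, extnValue
            if fields[0][1] == AKI_OID:
                aki = dict(children(children(fields[-1][1])[0][1]))
                return {"key_id": aki[0x80].hex() if 0x80 in aki else None,
                        "serial": int.from_bytes(aki[0x82], "big") if 0x82 in aki else None}
    return None

def der(tag, *parts):
    """Minimal DER encoder, used only to build the constructed samples."""
    body = b"".join(parts)
    n = len(body)
    size = bytes([n]) if n < 0x80 else bytes([0x81 + (n > 0xFF)]) + n.to_bytes(1 + (n > 0xFF), "big")
    return bytes([tag]) + size + body

def sample_crl(with_aki):
    """Constructed test CRL with dummy signature bits; not real PKI data."""
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")), der(0x05))
    name = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03"), der(0x0C, b"Constructed CA"))))
    tbs = [der(0x02, b"\x01"), alg, name,
           der(0x17, b"240101000000Z"), der(0x17, b"240108000000Z")]
    if with_aki:  # keyIdentifier [0], authorityCertIssuer [1], authorityCertSerialNumber [2]
        aki = der(0x30, der(0x80, bytes(range(20))), der(0xA1, der(0xA4, name)),
                  der(0x82, b"\x10\x01"))
        tbs.append(der(0xA0, der(0x30, der(0x30, der(0x06, AKI_OID), der(0x04, aki)))))
    return der(0x30, der(0x30, *tbs), alg, der(0x03, b"\x00" * 9))
```

To inspect a real CRL, read the DER file in binary mode and pass its bytes to `crl_aki`; a `None` result matches the missing-AKI case described in the post.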

Thanks for sharing mate

Oh, I forgot to mention there is a diagnostic logfile where details for CRL downloads are available.

 

You can find it under

Operations > Troubleshoot > Download Logs > Debug logs (right tab) > prrt-server.log

 

cheers!