Cisco ISE 2.4-2.6-2.7 CRL size limit

mlaurencik
Level 1

Hello all,

I'd like to ask, since I've not found this in the official docs: is there a CRL size limit for what Cisco ISE can download and process, and if so, what is it? We started to face an issue where ISE is not able to download the CRL file, which is ~13MB in size; however, when I try to download the file manually via the link, it works fine. I'm curious if the size of the file can be an issue here. The error says only "Could not download Certificate Revocation List for certificate with CN=XXXXX".


Thanks.


Colby LeMaire
VIP Alumni

There should not be a maximum size of the CRL that ISE can download. CRLs can get quite large if a lot of certificates are being revoked in your organization. If anything, there would be issues with the time it takes to download and authentication timeouts.

If you are having trouble with ISE downloading the CRL, it could be that there is a proxy server blocking the request.  Grab a packet capture and see if ISE is trying to hit the correct URL/IP address and if there are any responses at all.

Thanks a lot for your reply. I tried to do a packet capture from the ISE GUI and, to be honest, I was very confused. It simply doesn't look like nice TCP communication, but many TCP duplicates and re-transmissions. I went packet-by-packet and could not find any useful details, but I don't consider myself an expert here.


I suspect there was something wrong with the PSN instance. I tried to stop the services and do a reload; however, once it came up it was not able to get in sync with the PAN (I tried a manual sync several times). I followed the instructions from Cisco: I tried to de-register the node and then reset-config, but the process hung for a couple of hours. Every other command I tried failed with a message that another process was in progress and so it could not perform the command I ran (like app stop ise). Another reload did not fix it, and the ISE app was then not able to start at all; the process hung at APP_START.


% Error: Another ISE DB process (DATABASE_RESET_CONFIG) is in progress, cannot perform Application Stop at this time

% Error: Another ISE DB process (APP_START) is in progress, cannot perform Application Stop at this time

Possibly unrelated, but check that the MTU of the SVI for the VLAN that the ISE nodes are on is set to 1500 bytes. ISE does not support larger MTU sizes. Might not be related, but this has caught people out before and can cause EAP exchanges to fail if the certificate chains are long.

mlaurencik
Level 1

Hello everybody,

I just want to let you know how this issue turned out. As it seemed there was something wrong with the DB, we re-imaged the PSN node. However, after we brought it back online it was not able to get registered to the PAN (after a fresh ISE installation!). We tried to register several times; it always timed out. Network connectivity between the nodes as well as DNS was checked several times. Engaged TAC, provided several support bundles, with no luck. This took ~3 weeks, several engineers and no real output from them. The whole box was acting a bit weird...


We decided to re-image the node again. Well, not to be so happy, the installation over Java KVM failed several times with a "DEAD PANE" error. We tried 3 different locations to run the installation from (suspecting a network issue) and also re-downloaded the ISO image (even though the MD5 checksum was correct). 7 attempts in total with no success. Cisco TAC had no clue and suggested RMAing the whole appliance. They did not even know what piece of hardware could cause this...


As the very last option we decided to try installing ISE over the HTML console. I don't like it because the installation takes much longer (probably lower data transfer speed) and there is no progress visibility. Just sit and wait. Surprisingly this worked and ISE was installed; I've registered the node back to the PAN and we are fully online again! Quite a "short" story for a "simple" CRL issue.