Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3849
Views
1
Helpful
1
Replies

ISE canot retrieve the crl from server

waheedullah Bahaduri
Level 1
Level 1

‎05-04-2017 08:23 AM - edited ‎03-11-2019 12:41 AM

Hello. I have ise and CRL server configured. There is connection between ise and the crl server , they can ping each other. Crl url is also available . But my ise does never download the crl from the server and when i check my ise logs i see bellow log

CRL Retrieval Failed

Details :
Could not add Certificate Revocation List for certificate with CN=KBL_TrustedCA

Description :
Unable to retrieve CRL from the server. This could occur if the specified url is unavailable.

Suggested Actions :
Please ensure that the download url is correct and is available for the service

*** This message is generated by Cisco Identity Services Engine (ISE) ***

Labels:
0 Helpful
1 Reply 1

Arne Bier
VIP
VIP

‎05-16-2017 06:10 PM

Hi

My definitive test of whether or not a node can download the CRL is to perform the operation manually on the node itself.  And since this operation is performed on the PSN (not the PAN or MnT), you can test it as follows:

ssh to the PSN

on the CLI type the command (example: CRL server is 192.168.21.200 and http server running port 80)

telnet 192.168.21.200 port 80

GET http://192.168.21.200/CertEnroll/MEGA-MEGASERVER-CA.crl

<press enter>

If the command succeeded then you will see a mix of printable and non-printable characters on the screen (binary data) - the session will hang.  This is a good sign that the PSN can load the CRL.

I have also found a way to force a PSN to load the CRL by toggling the setting in the GUI (disable, then enable the CRL download option) - this causes the PSN to fetch it.

Customers Also Viewed These Support Documents