ISE cannot retrieve the CRL from server

Hello. I have ISE and a CRL server configured. There is connectivity between ISE and the CRL server; they can ping each other. The CRL URL is also available. But my ISE never downloads the CRL from the server, and when I check my ISE logs I see the log below:

CRL Retrieval Failed

Details :
Could not add Certificate Revocation List for certificate with CN=KBL_TrustedCA

Description :
Unable to retrieve CRL from the server. This could occur if the specified url is unavailable.

Suggested Actions :
Please ensure that the download url is correct and is available for the service

*** This message is generated by Cisco Identity Services Engine (ISE) ***


Arne Bier
VIP

Hi

My definitive test of whether or not a node can download the CRL is to perform the operation manually on the node itself. And since this operation is performed on the PSN (not the PAN or MnT), you can test it as follows:

ssh to the PSN

On the CLI, type the command (example: the CRL server is 192.168.21.200 and the HTTP server is running on port 80):

telnet 192.168.21.200 port 80

GET http://192.168.21.200/CertEnroll/MEGA-MEGASERVER-CA.crl

<press enter>

If the command succeeds, you will see a mix of printable and non-printable characters on the screen (binary data), and the session will hang. This is a good sign that the PSN can load the CRL.

I have also found a way to force a PSN to load the CRL by toggling the setting in the GUI (disable, then enable the CRL download option) - this causes the PSN to fetch it.
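The manual telnet/GET test above tells you only that bytes came back. The script below is an added example, not code from the thread or from Cisco, that does the same fetch from a host with curl and openssl (an admin workstation on the same network path as the PSN; the ISE CLI itself only offers the telnet test), and then checks what was returned: that it parses as a CRL, that the issuer CN matches the CA ISE complains about (KBL_TrustedCA, from the question), and that nextUpdate has not passed, since an expired CRL also fails validation. The CRL URL is the one from the reply; the throwaway CA, file names and the 7-day CRL lifetime are constructed for this example so it can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original thread): fetch a CRL the way the PSN would
# and validate it, instead of eyeballing binary output in a hanging telnet session.
# Assumes curl and openssl are installed. CN "KBL_TrustedCA" and the URL come from
# the thread; everything else here is constructed for the example.
set -u

# fetch_crl URL OUT: download the CRL. -f fails on HTTP 4xx/5xx (the "url is
# unavailable" case in the ISE alarm), --max-time bounds the wait instead of hanging.
fetch_crl() {
    curl -fsS --max-time 15 -o "$2" "$1"
}

# validate_crl FILE EXPECTED_CN
# returns 0 = usable CRL, 1 = not a CRL, 2 = wrong issuer, 3 = expired.
validate_crl() {
    file=$1; expected_cn=$2; inform=DER
    if grep -q 'BEGIN X509 CRL' "$file" 2>/dev/null; then inform=PEM; fi
    issuer=$(openssl crl -inform "$inform" -in "$file" -noout -issuer 2>/dev/null) || {
        echo "$file: not a parseable CRL (HTML error page or truncated download?)"; return 1; }
    case "$issuer" in
        *"CN = $expected_cn"*|*"CN=$expected_cn"*) ;;   # OpenSSL 1.1+/3 and 1.0 name formats
        *) echo "$file: issuer mismatch: $issuer"; return 2 ;;
    esac
    next=$(openssl crl -inform "$inform" -in "$file" -noout -nextupdate | cut -d= -f2-)
    if next_epoch=$(date -d "$next" +%s 2>/dev/null); then          # GNU date
        [ "$next_epoch" -gt "$(date +%s)" ] || { echo "$file: CRL expired at $next"; return 3; }
    else
        echo "$file: could not parse nextUpdate ($next); freshness not checked"
    fi
    echo "$file: OK issuer=[$issuer] nextUpdate=$next"
    return 0
}

# make_test_ca DIR: build a constructed CA named KBL_TrustedCA and issue a CRL valid
# for 7 days, as DIR/ca.pem (PEM) and DIR/ca.crl (DER). Exists only so the checks
# above can be run without a real CRL server.
make_test_ca() {
    dir=$1
    mkdir -p "$dir" && : > "$dir/index.txt" && echo 01 > "$dir/crlnumber"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=KBL_TrustedCA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = test_ca
[ test_ca ]
database         = $dir/index.txt
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_crl_days = 7
EOF
    openssl ca -config "$dir/ca.cnf" -gencrl -out "$dir/ca.pem" 2>/dev/null || return 1
    openssl crl -in "$dir/ca.pem" -outform DER -out "$dir/ca.crl" 2>/dev/null
}

# Usage: sh check_crl.sh http://192.168.21.200/CertEnroll/MEGA-MEGASERVER-CA.crl KBL_TrustedCA
# With no URL, the constructed CA is built and its CRL is checked locally.
if [ -n "${1:-}" ]; then
    fetch_crl "$1" /tmp/fetched.crl && validate_crl /tmp/fetched.crl "${2:-KBL_TrustedCA}"
else
    tmp=$(mktemp -d)
    make_test_ca "$tmp" && validate_crl "$tmp/ca.crl" KBL_TrustedCA
    rm -rf "$tmp"
fi
```

Return codes map onto the three things that most often sit behind the "CRL Retrieval Failed" alarm: the server answered with something other than a CRL (an HTML error or login page), the CRL is from a different CA than the one configured on ISE, or the CRL on the server is stale.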