CRL Expired on Firepower

osama_masoud
Level 1

Hello,

I have this strange issue on a Firepower sensor running version 5.4 and managed by FMC 5.4.1.11. I understand it is end-of-life and end-of-support, but we are in a situation that forces us to address this issue with the existing setup.

This sensor used to be connected to FMC. We removed it and tried to add it back; at first we were seeing "CRL expired" in the FMC logs, which was resolved using the link below:
https://community.cisco.com/t5/tkb-%E3%82%BB%E3%82%AD%E3%83%A5%E3%83%AA%E3%83%86%E3%82%A3-%E3%83%89%E3%82%AD%E3%83%A5%E3%83%A1%E3%83%B3%E3%83%88/firepower-system-sftunnel%E9%80%9A%E4%BF%A1%E7%94%A8%E3%81%AEssl%E8%A8%BC%E6%98%8E%E6%9B%B8%E3%81%AE%E6%9...

However, we then started to see the sensor showing the same messages in its own logs whenever we attempted to add it to FMC:

May 8 18:13:28 SFSensor SF-IMS[3941]: [5413] sftunneld:sf_ssl [ERROR] CRL Expired
May 8 18:13:28 SFSensor SF-IMS[3941]: [5413] sftunneld:sf_ssl [ERROR] Unable to load SSL verification data(2): CRL expired
May 8 18:13:28 SFSensor SF-IMS[3941]: [5413] sftunneld:sf_ssl [ERROR] Unable to create SSL context(1): error:00000000:lib(0):func(0):reason(0)
May 8 18:13:31 SFSensor SF-IMS[3941]: [3948] sftunneld:sf_peers [INFO] Peer 10.20.30.40 needs a single connection
May 8 18:13:31 SFSensor SF-IMS[3941]: [3948] sftunneld:sf_connections [INFO] Start connection to : 10.20.30.40 (wait 44 seconds is up)
May 8 18:13:31 SFSensor SF-IMS[3941]: [5414] sftunneld:sf_peers [INFO] Peer 10.20.30.40 needs a single connection
May 8 18:13:31 SFSensor SF-IMS[3941]: [5414] sftunneld:sf_ssl [INFO] Connect to 10.20.30.40 on port 8305 - eth0
May 8 18:13:31 SFSensor SF-IMS[3941]: [5414] sftunneld:sf_ssl [INFO] Initiate IPv4 connection to 10.20.30.40 (via eth0)
May 8 18:13:31 SFSensor SF-IMS[3941]: [5414] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to 10.20.30.40:8305/tcp
May 8 18:13:31 SFSensor SF-IMS[3941]: [5414] sftunneld:sf_ssl [INFO] Connected to port 8305 (IPv4): 10.20.30.40
May 8 18:13:31 SFSensor SF-IMS[3941]: [5414] sftunneld:sf_ssl [INFO] Connected to 10.20.30.40:8305 (IPv4)
May 8 18:13:31 SFSensor SF-IMS[3941]: [5414] sftunneld:sf_ssl [ERROR] CRL Expired
May 8 18:13:31 SFSensor SF-IMS[3941]: [5414] sftunneld:sf_ssl [ERROR] Unable to load SSL verification data(2): CRL expired
May 8 18:13:31 SFSensor SF-IMS[3941]: [5414] sftunneld:sf_ssl [ERROR] Unable to create SSL context(2): error:00000000:lib(0):func(0):reason(0)

We tried the same steps, but it keeps indicating CRL Expired whenever we add it to FMC. We checked the time on both FMC and the sensor and they match, they have a matching key, and we rebooted both, but we keep seeing this message on the sensor and are not able to add it.

Any suggestions on what can possibly be done to address this issue?


1 Reply

Finally I managed to correct the problem. Apparently there is a certificate that has expired and that Cisco no longer renews, perhaps because the equipment is Sourcefire and not Firepower:

          openssl crl -in /etc/sf/ca_root/crl.pem -lastupdate

What I had to do was set a date 10 years back:

          date --set "2013-10-27 16:35:00"

And with that, the FTDs were registered with FMC and the error was eliminated. Later I disabled the NTP synchronization option in the console and set the time to be defined manually in Local Configuration, and to finish I set the current date and time again, manually:

      date --set "2023-06-08 16:16:27"

With this, the devices remain registered, rule changes can be managed and applied, and they keep the current date.

I hope these steps can help you too.
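The reply above reads the CRL's lastUpdate and then winds the clock back until registration works. What sftunnel's OpenSSL layer actually enforces is the CRL's nextUpdate: once the system clock passes it, loading the verification data fails with "CRL expired", and moving the clock back into the [lastUpdate, nextUpdate] window is exactly why the date --set workaround succeeds. The script below is an added example, not code from the thread or from Cisco; it builds a constructed throwaway CA, leaf certificate and one-day CRL in a temp directory (nothing touches /etc/sf), reads both ends of the CRL window, and uses openssl verify -attime to show the same check passing inside the window and failing with "CRL has expired" past it. It assumes openssl and GNU date (for date -d) are on PATH; the paths, names and the one-day CRL lifetime are arbitrary choices for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): build a throwaway CA + CRL, then show
# when OpenSSL reports "CRL has expired" and what moving the verification
# clock into the CRL window does. Assumes openssl and GNU date in PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CRL=$WORK/crl.pem

# Minimal config that serves both `openssl req` and `openssl ca` (constructed).
cat > "$WORK/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
[ dn ]
commonName = Common Name
[ ca_ext ]
basicConstraints     = critical,CA:true
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = demo
[ demo ]
database         = $WORK/index.txt
new_certs_dir    = $WORK
serial           = $WORK/serial
crlnumber        = $WORK/crlnumber
certificate      = $WORK/ca.pem
private_key      = $WORK/ca.key
default_md       = sha256
default_days     = 3650
default_crl_days = 1
policy           = any_policy
[ any_policy ]
commonName = supplied
EOF
touch "$WORK/index.txt"
echo 01 > "$WORK/serial"
echo 01 > "$WORK/crlnumber"

# Throwaway CA and "sensor" leaf cert, both valid 10 years, so that only the
# CRL's one-day window can expire in the checks below.
openssl req -x509 -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes -days 3650 \
  -subj /CN=DemoRootCA -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
  -subj /CN=sensor -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl ca -batch -notext -config "$WORK/openssl.cnf" \
  -in "$WORK/leaf.csr" -out "$WORK/leaf.pem" 2>/dev/null
openssl ca -gencrl -config "$WORK/openssl.cnf" -crldays 1 -out "$CRL" 2>/dev/null

# Print "<lastUpdate epoch> <nextUpdate epoch>" for a PEM CRL. The field that
# OpenSSL (and therefore sftunnel) enforces is nextUpdate, so read both ends.
crl_window() {
  cw_last=$(openssl crl -in "$1" -noout -lastupdate | cut -d= -f2-)
  cw_next=$(openssl crl -in "$1" -noout -nextupdate | cut -d= -f2-)
  echo "$(date -d "$cw_last" +%s) $(date -d "$cw_next" +%s)"
}

# Succeed (exit 0) if the CRL is expired at NOW_EPOCH (default: system clock).
# OpenSSL treats nextUpdate == now as expired, hence -ge rather than -gt.
crl_expired() {
  ce_now=${2:-$(date +%s)}
  ce_next=$(crl_window "$1" | cut -d' ' -f2)
  [ "$ce_now" -ge "$ce_next" ]
}

# Verify the leaf with CRL checking as if the clock read AT_EPOCH. -attime is
# the per-command equivalent of the whole-box date --set in the reply above.
# Prints OK, or "CRL has expired", or the raw verify output for other errors.
verify_at() {
  if va_out=$(openssl verify -attime "$1" -crl_check -CAfile "$WORK/ca.pem" \
               -CRLfile "$CRL" "$WORK/leaf.pem" 2>&1); then
    echo OK
  else
    case $va_out in
      *"CRL has expired"*) echo "CRL has expired" ;;
      *) echo "$va_out" ;;
    esac
  fi
}

WIN=$(crl_window "$CRL"); LAST=${WIN% *}; NEXT=${WIN#* }
echo "CRL window: $(date -u -d "@$LAST") .. $(date -u -d "@$NEXT")"
echo "clock inside window   -> $(verify_at $((LAST + 60)))"
echo "clock past nextUpdate -> $(verify_at $((NEXT + 86400)))"
```

To apply the same check to an appliance, run crl_window against the CRL the thread names (/etc/sf/ca_root/crl.pem) and compare nextUpdate with the box's clock: a date anywhere between the two values is one that OpenSSL will accept. Keep in mind that while the clock sits in the past, every other time-based decision on the device (certificate expiry, CRL freshness, log and event timestamps) is taken against that wrong time, so the workaround in the reply is a stopgap for an end-of-support platform rather than a fix.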
