05-09-2023 08:17 AM
Hello,
I have this strange issue on a Firepower sensor running version 5.4 and managed by FMC 5.4.1.11. I understand it is end-of-life and end-of-support, but we are in a situation that forces us to address this issue with the existing setup.
This sensor used to be connected to FMC; we removed it and tried to add it back. However, at first we were seeing "CRL expired" in the FMC logs; it was resolved using the link below:
https://community.cisco.com/t5/tkb-%E3%82%BB%E3%82%AD%E3%83%A5%E3%83%AA%E3%83%86%E3%82%A3-%E3%83%89%E3%82%AD%E3%83%A5%E3%83%A1%E3%83%B3%E3%83%88/firepower-system-sftunnel%E9%80%9A%E4%BF%A1%E7%94%A8%E3%81%AEssl%E8%A8%BC%E6%98%8E%E6%9B%B8%E3%81%AE%E6%9...
However, we then started to see that the sensor was also showing the same messages in its logs whenever we attempted to add it to FMC:
May 8 18:13:28 SFSensor SF-IMS[3941]: [5413] sftunneld:sf_ssl [ERROR] CRL Expired
May 8 18:13:28 SFSensor SF-IMS[3941]: [5413] sftunneld:sf_ssl [ERROR] Unable to load SSL verification data(2): CRL expired
May 8 18:13:28 SFSensor SF-IMS[3941]: [5413] sftunneld:sf_ssl [ERROR] Unable to create SSL context(1): error:00000000:lib(0):func(0):reason(0)
May 8 18:13:31 SFSensor SF-IMS[3941]: [3948] sftunneld:sf_peers [INFO] Peer 10.20.30.40 needs a single connection
May 8 18:13:31 SFSensor SF-IMS[3941]: [3948] sftunneld:sf_connections [INFO] Start connection to : 10.20.30.40 (wait 44 seconds is up)
May 8 18:13:31 SFSensor SF-IMS[3941]: [5414] sftunneld:sf_peers [INFO] Peer 10.20.30.40 needs a single connection
May 8 18:13:31 SFSensor SF-IMS[3941]: [5414] sftunneld:sf_ssl [INFO] Connect to 10.20.30.40 on port 8305 - eth0
May 8 18:13:31 SFSensor SF-IMS[3941]: [5414] sftunneld:sf_ssl [INFO] Initiate IPv4 connection to 10.20.30.40 (via eth0)
May 8 18:13:31 SFSensor SF-IMS[3941]: [5414] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to 10.20.30.40:8305/tcp
May 8 18:13:31 SFSensor SF-IMS[3941]: [5414] sftunneld:sf_ssl [INFO] Connected to port 8305 (IPv4): 10.20.30.40
May 8 18:13:31 SFSensor SF-IMS[3941]: [5414] sftunneld:sf_ssl [INFO] Connected to 10.20.30.40:8305 (IPv4)
May 8 18:13:31 SFSensor SF-IMS[3941]: [5414] sftunneld:sf_ssl [ERROR] CRL Expired
May 8 18:13:31 SFSensor SF-IMS[3941]: [5414] sftunneld:sf_ssl [ERROR] Unable to load SSL verification data(2): CRL expired
May 8 18:13:31 SFSensor SF-IMS[3941]: [5414] sftunneld:sf_ssl [ERROR] Unable to create SSL context(2): error:00000000:lib(0):func(0):reason(0)
We tried the same steps, but it keeps indicating CRL Expired whenever we add it to FMC. We checked the time on both FMC and the sensor and they match, they have a matching key, and we rebooted both, but we keep seeing this message on the sensor and are not able to add it.
Any suggestion on what can possibly be done to address this issue?
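To read the sftunneld excerpt above more precisely, here is an added Python example (not code from the post or from Cisco) that parses the log lines, groups them by worker thread id, and reports for each attempt whether the CRL-expired error occurred before or after the TCP connect to port 8305 succeeded. The sample lines are a constructed subset of those quoted above; the field names and verdict labels are my own.

```python
import re
from collections import OrderedDict

# Constructed sample: a subset of the sftunneld lines quoted in the post above.
SAMPLE_LOG = """\
May 8 18:13:28 SFSensor SF-IMS[3941]: [5413] sftunneld:sf_ssl [ERROR] CRL Expired
May 8 18:13:28 SFSensor SF-IMS[3941]: [5413] sftunneld:sf_ssl [ERROR] Unable to load SSL verification data(2): CRL expired
May 8 18:13:31 SFSensor SF-IMS[3941]: [5414] sftunneld:sf_ssl [INFO] Connect to 10.20.30.40 on port 8305 - eth0
May 8 18:13:31 SFSensor SF-IMS[3941]: [5414] sftunneld:sf_ssl [INFO] Connected to 10.20.30.40:8305 (IPv4)
May 8 18:13:31 SFSensor SF-IMS[3941]: [5414] sftunneld:sf_ssl [ERROR] CRL Expired
May 8 18:13:31 SFSensor SF-IMS[3941]: [5414] sftunneld:sf_ssl [ERROR] Unable to create SSL context(2): error:00000000:lib(0):func(0):reason(0)
"""

# One sftunneld syslog line: timestamp, host, process[pid], [thread id], module, level, message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) SF-IMS\[(?P<pid>\d+)\]: "
    r"\[(?P<tid>\d+)\] sftunneld:(?P<module>\w+) \[(?P<level>\w+)\] (?P<msg>.*)$"
)

def parse_sftunnel_log(text):
    """Return one dict of named fields per line that matches the sftunneld format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def classify_attempts(events):
    """Group events by worker thread id and decide where each attempt failed.
    Verdicts (my labels): 'crl_expired_after_tcp' means the TCP connect to the
    manager succeeded and the failure is local SSL verification data, not reachability;
    'crl_expired_before_tls' means no connect was logged for that thread at all."""
    by_tid = OrderedDict()
    for ev in events:
        by_tid.setdefault(ev["tid"], []).append(ev)
    verdicts = {}
    for tid, evs in by_tid.items():
        connected = any(e["msg"].startswith("Connected to") for e in evs)
        crl = any("crl expired" in e["msg"].lower() for e in evs)
        errors = any(e["level"] == "ERROR" for e in evs)
        if crl and connected:
            verdicts[tid] = "crl_expired_after_tcp"
        elif crl:
            verdicts[tid] = "crl_expired_before_tls"
        elif errors:
            verdicts[tid] = "other_error"
        else:
            verdicts[tid] = "ok"
    return verdicts
```

Run against the real /var/log/messages excerpt from the sensor, a thread ending in "crl_expired_after_tcp" shows that port 8305 is reachable and that the fix belongs on the local CRL/certificate side rather than the network.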