
Certificate Revocation List not working on ASA 8.3(1)

I've configured my SSL VPN for certificate authentication, in which the authentication with certificates is working fine. However, the ASA is not able to store (cache) the CRL.

Based on the debug below, the ASA downloads the CRL file but is not able to open it.

Does anyone know this situation?

Here is the debug output:

-----------

fwlpasa01/pri/act# crypto ca crl request SSL-VPN
CRYPTO_PKI: CRL is being polled from CDP http://10.151.1.9/certlist/certcrl.crl.
crypto_pki_req(7ae32bf0, 24, ...)
CRYPTO_PKI: Crypto CA req queue size = 1.
Crypto CA thread wakes up!
CRYPTO_PKI: http connection opened
CRYPTO_PKI: content dump count 75----------
CRYPTO_PKI: For function crypto_http_send
GET /certlist/certcrl.crl HTTP/1.0
Host: 10.151.1.9

CRYPTO_PKI: For function crypto_http_send
CRYPTO_PKI: content dump-------------------

CRYPTO_PKI: HTTP response header:
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 1482
Content-Type: application/pkix-crl
Server: Microsoft-IIS/7.5
Set-Cookie: ASPSESSIONIDACBQATBA=IEGHHGMBOHNIGEJIEPJKCFCE; path=/
Date: Mon, 26 Nov 2012 15:47:38 GMT
Connection: close


CRYPTO_PKI: CRL data

CRYPTO_PKI: transaction HTTPGetCRL completedCrypto CA thread sleeps!
CRYPTO_PKI: Failed to retrieve CRL for trustpoint: SSL-VPN.
  Retrying with next CRL DP...

------------------

1 Reply 1

Hello everyone!

I've got the issue solved. The issue was in the CA CDP. I published the new HTTP CDP, and it's working fine.

Windows CA

- In Server Manager -> right-click the Certificate Authority object name -> click Properties, then Extensions

- Create an extension to generate the following URL

http://winca.pmmagalhaes.com.br/CertEnroll/WINCA.crl

- Then apply -> ok

- Under Windows PKI, right-click the Certificate Authority object name, then Refresh

ASA

Under retrieval policy, set it to static and then put the URL above.

It's done
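
The ASA step described in the reply, written out as CLI. This is an added example and not part of the original post: the trustpoint name is taken from the debug output in the question, the URL is the one given in the reply, and disabling the LDAP and SCEP retrieval methods is an assumption.

```cisco
! Added example: static CRL retrieval for the trustpoint shown in the debug output.
crypto ca trustpoint SSL-VPN
 ! Require a CRL check for certificates validated by this trustpoint
 revocation-check crl
 crl configure
  ! Use only the URLs configured here, not the CDP embedded in the certificate
  policy static
  url 1 http://winca.pmmagalhaes.com.br/CertEnroll/WINCA.crl
  ! Retrieve over HTTP only (assumption: LDAP and SCEP retrieval are not needed)
  protocol http
  no protocol ldap
  no protocol scep
!
! From privileged EXEC: force a fetch, then confirm the CRL is now cached
crypto ca crl request SSL-VPN
show crypto ca crls
```

With `revocation-check crl` and no `none` fallback, certificate authentication fails whenever the CRL cannot be retrieved, so confirm the CRL is cached before relying on this in production.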