Cisco ASA 9.20.3.20 – CRL Retrieval Fails on Non-Default HTTP Ports

afad
Level 1

After upgrading Cisco ASA from version 9.18.4.47 to 9.20.3.20, you may encounter failures in certificate revocation checking (CRL polling). While CRL validation worked reliably on earlier releases, ASA 9.20.3.20 introduces a regression that breaks CRL retrieval when the CRL Distribution Point (CDP) URL specifies a non-default HTTP port (anything other than TCP/80).

Symptoms

When a trustpoint is configured with an override CRL URL such as:

- http://crl.example.local:8888/certificate-revocation.crl

the ASA fails CRL validation with errors like:

%ASA-3-717010: Certificate chain failed validation.
%ASA-3-717012: CRL polling failed during certificate chain validation.
%ASA-3-717011: CRL polling failed for trustpoint <name>.

Debug output shows the ASA parsing the CRL URL correctly, but still attempting to send the HTTP request to port 80 instead of the specified 8888:

PKI[7]: getting -http://crl.example.local:8888/certificate-revocation.crl
capture: TCP SYN → crl.example.local:80 (not 8888)

As a result, CRL polling fails, the CDP is blacklisted, and certificate validation terminates with failure.

Workaround

Serve CRLs on Port 80
Configure the CRL distribution server or reverse proxy to publish the CRL on the default HTTP port. This avoids the parsing bug and ensures stable operation.

Hope that helps someone!
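As an added example (not part of the post above), a small Python check that flags the condition described here before an upgrade: trustpoint CRL URLs carrying a non-default port, correlated with the %ASA-3-717011 message for the same trustpoint. Trustpoint names and the sample syslog/debug lines are constructed to mirror the post, and the default-port table is an assumption covering the schemes ASA uses for CRL retrieval.

```python
"""Audit ASA trustpoint CRL URLs for non-default ports (added example)."""
import re
from urllib.parse import urlparse

# Assumed scheme defaults; only a port that differs from these is flagged.
DEFAULT_PORTS = {"http": 80, "https": 443, "ldap": 389, "ldaps": 636}

# 'debug crypto ca' line quoted in the post; the optional '-' tolerates the
# stray character that appears in the pasted output.
GETTING_RE = re.compile(r"getting\s+-?(\S+)")
# Syslog message quoted in the post; the trailing '.' is not part of the name.
POLL_FAIL_RE = re.compile(r"717011: CRL polling failed for trustpoint (\S+?)\.?$")


def uses_non_default_port(url: str) -> bool:
    """True when the URL has an explicit port other than its scheme default."""
    parsed = urlparse(url.lstrip("-"))
    default = DEFAULT_PORTS.get(parsed.scheme.lower())
    if default is None or parsed.port is None:
        return False  # unknown scheme or no explicit port: nothing to flag
    return parsed.port != default


def crl_urls_from_debug(lines):
    """Extract the CRL URLs the ASA reports fetching in PKI debug output."""
    return [m.group(1) for line in lines for m in [GETTING_RE.search(line)] if m]


def audit(trustpoints: dict, syslog_lines) -> dict:
    """Return {trustpoint: url} for trustpoints whose CRL URL uses a
    non-default port AND which logged a CRL polling failure."""
    failed = {m.group(1) for line in syslog_lines
              for m in [POLL_FAIL_RE.search(line.strip())] if m}
    return {tp: url for tp, url in trustpoints.items()
            if uses_non_default_port(url) and tp in failed}


# Constructed sample data mirroring the post (not real device output).
TRUSTPOINTS = {
    "VPN-CA": "http://crl.example.local:8888/certificate-revocation.crl",
    "ROOT-CA": "http://crl.example.local/root.crl",
    "LDAP-CA": "ldap://ldap.example.local:389/cn=ca,dc=example,dc=local",
}
SYSLOG = [
    "%ASA-3-717012: CRL polling failed during certificate chain validation.",
    "%ASA-3-717011: CRL polling failed for trustpoint VPN-CA.",
]
DEBUG = ["PKI[7]: getting -http://crl.example.local:8888/certificate-revocation.crl"]

if __name__ == "__main__":
    print(crl_urls_from_debug(DEBUG))
    print(audit(TRUSTPOINTS, SYSLOG))
```

Run against the output of `show running-config crypto ca trustpoint` and the device syslog before moving to 9.20.3.20; any trustpoint returned by `audit` is a candidate for the port-80 workaround above.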
