CRL cache questions

Peter Zsiros
Level 1

Hi,

I would like to ask for some explanation about CRL caching.
Due to the migration to CA2 we revoked a lot of certificates on CA1, hence the CRL size is now ~89 kB (as you can see in the output below).

Should we increase the CRL cache size?
Is it a huge performance loss not to have the CRL cached?

DMVPN-ASR# sh crypto pki crls
CRL Issuer Name:
e=CA1
LastUpdate: 15:09:01 CET Jul 6 2016
NextUpdate: 15:09:01 CET Jul 9 2016

CRL downloaded at: 15:12:47 CET Jul 6 2016

Retrieved from CRL Distribution Point:
http://crl1.intranet.local/crl.cgi

CRL DER is 89660 bytes

*************************************************************
*****CRL IN CACHE ENTRY IS MISSING HERE *****
*************************************************************

CRL Issuer Name:
e=CA2
LastUpdate: 07:09:01 CET Jul 6 2016
NextUpdate: 07:09:01 CET Jul 9 2016

CRL downloaded at: 07:09:19 CET Jul 6 2016

Retrieved from CRL Distribution Point:
http://crl2.intranet.local/crl.cgi

CRL DER is 2573 bytes
CRL is stored in parsed CRL cache

Parsed CRL cache current size is 2573 bytes
Parsed CRL cache maximum size is 65536 bytes

thanks,
Peter
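A small checker over the `show crypto pki crls` output above, added here as an example and not taken from the thread: it parses each CRL entry, flags any CRL the router reports as not held in the parsed CRL cache (noting when its DER size exceeds the reported cache maximum), and computes the smallest whole-kilobyte value that would hold every listed CRL at once, kilobytes being the unit the reply gives for `crypto pki crl cache`. The sample text is constructed from the figures in the question; whether the reported cache maximum is really what keeps the CA1 entry out of the cache is the question's own open point, so treat the size check as a hint, not a diagnosis.

```python
import math
import re
from typing import List, NamedTuple
# Constructed sample: the `show crypto pki crls` output quoted in the question, trimmed to the lines parsed below.
SAMPLE_OUTPUT = """\
CRL Issuer Name:
e=CA1
CRL DER is 89660 bytes

CRL Issuer Name:
e=CA2
CRL DER is 2573 bytes
CRL is stored in parsed CRL cache

Parsed CRL cache maximum size is 65536 bytes
"""

class CrlEntry(NamedTuple):
    issuer: str
    der_bytes: int
    cached: bool

def parse_show_crls(text: str):
    """Return (parsed-cache maximum in bytes or None, one CrlEntry per CRL listed)."""
    m = re.search(r"Parsed CRL cache maximum size is (\d+) bytes", text)
    cache_max = int(m.group(1)) if m else None
    entries = []
    # Each CRL section opens with its own "CRL Issuer Name:" header line.
    for block in re.split(r"(?m)^CRL Issuer Name:\s*$", text)[1:]:
        issuer = block.strip().splitlines()[0].strip()
        size = int(re.search(r"CRL DER is (\d+) bytes", block).group(1))
        cached = "stored in parsed CRL cache" in block
        entries.append(CrlEntry(issuer, size, cached))
    return cache_max, entries

def suggested_cache_kb(entries: List[CrlEntry]) -> int:
    """Smallest whole-kB cache holding every listed CRL (the reply's `crypto pki crl cache` value is in kB)."""
    return math.ceil(sum(e.der_bytes for e in entries) / 1024)

def audit_crl_cache(text: str) -> List[str]:
    """Flag CRLs the router reports as not held in its parsed cache."""
    cache_max, entries = parse_show_crls(text)
    findings = []
    for e in entries:
        if not e.cached:
            over = cache_max is not None and e.der_bytes > cache_max
            detail = f" ({e.der_bytes} B exceeds cache maximum {cache_max} B)" if over else ""
            findings.append(f"{e.issuer}: CRL not in parsed cache{detail}")
    return findings
```

Run it against the real command output captured from the router to see which issuers are being re-fetched and re-parsed on every revocation check.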

3 Replies

Francesco Molino
VIP Alumni

Hi

The default cache size is 512 kilobytes.

You can extend it by using the command crypto pki crl cache xxxx (the value is in kilobytes).

When you cache, check performance improves. You can even set the timer for when the router has to download the CRL file.

Here is a link that talks about timers/memory:

http://www.cisco.com/c/dam/en/us/products/collateral/ios-nx-os-software/public-key-infrastructure-pki/product_data_sheet0900aecd80313df4.pdf

Thanks

PS: Please don't forget to rate and mark as correct answer if this solved your issue 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi,

Yes, I have seen that info.
If the default CRL cache is 512 kBytes, then why did this device stop caching our CRL when it went above 64 kBytes?
We did not set any CRL cache size manually, so it should use the 512 default.

And there is 'Parsed CRL cache maximum size is 65536 bytes'; shouldn't it be 512 kB?

Cisco ASR1004 (RP2)
15.4(3)S4 or in other numbering: 03.13.04.S

thanks.

Hi

I don't know why the limit is different, and maybe a debug could show us why it's not downloading more than 64k.

I didn't find any Cisco ASR docs that say what the default limit is.

If you're a partner you may ask Cisco through the Partner Helpline tool to find out the default behaviour and limit size.

Thanks 

PS: Please don't forget to rate and mark as correct answer if this solved your issue 
