CRL Polling Failed during Certificate Chain Validation

Legusol
Beginner

We have AnyConnect set up with Certificate validation. When we have the option unchecked (disabled) "Consider the certificate valid if revocation information can not be reached" (forcing the CRL check) our clients are unable to connect and the FMC VPN troubleshooting logs show that the CRL polling is failing as shown below.

[screenshot: screenshot677.png]

The certificate does contain a valid CDP, as I can use the "certutil" URL retrieval tool, copy the CRL ldap URL from the certificate into the tool, and it returns an "OK" status as shown below.

[screenshot: screenshot674.png]

I also tried creating a FlexConfig object with the following to see if specifying the ldap server for the CRL would help, and that isn't working either.

[screenshot: screenshot679.png]

I cannot figure out why it cannot retrieve the CRL. If I enable "Consider the certificate valid if revocation information can not be reached" then the VPN connects but then any cert that was issued off the CA will connect even if the cert has been revoked.
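As an added example (not from the post, and not Cisco's or Microsoft's tooling), the bash script below does from a Linux host what the certutil URL retrieval tool did in the post: it lists the CDP URLs embedded in a certificate and tries to fetch the CRL from each one, LDAP included, so the reachability of each CDP can be checked independently of the headend. It assumes openssl 1.1.1+, curl and OpenLDAP ldapsearch are installed; the CA name, host names and LDAP DNs in the constructed demo certificate are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: list a certificate's CRL Distribution Points and
# retrieve each CRL the way certutil's URL tool does, from Linux (openssl 1.1.1+, curl, ldapsearch).
set -euo pipefail
# list_cdp CERT.pem : one CDP URL per line (LDAP DNs contain commas, so split on whitespace only)
list_cdp() {
  openssl x509 -in "$1" -noout -ext crlDistributionPoints | grep -o 'URI:[^[:space:]]*' | sed 's/^URI://'
}
# cdp_scheme URL : the URL scheme in lower case (ldap, ldaps, http, https, ...)
cdp_scheme() { printf '%s\n' "$1" | sed 's#://.*##' | tr '[:upper:]' '[:lower:]'; }
# fetch_crl URL OUT.der : download the CRL to OUT.der and confirm it parses as DER.
# Returns 0 = CRL retrieved, 1 = retrieval or parse failed, 2 = scheme not handled here.
fetch_crl() {
  local url=$1 out=$2 scheme rest host dn
  scheme=$(cdp_scheme "$url")
  case "$scheme" in
    http|https) curl -fsS --max-time 10 -o "$out" "$url" || return 1 ;;
    ldap|ldaps)
      rest=${url#*://}; host=${rest%%/*}; rest=${rest#*/}
      dn=$(printf '%b' "$(printf '%s' "${rest%%\?*}" | sed 's/%/\\x/g')")   # undo %20 etc. in the DN
      # base-scope read of the CDP object; ldif-wrap=no keeps the base64 value on one line
      ldapsearch -x -LLL -o ldif-wrap=no -o nettimeout=10 -H "$scheme://$host" -b "$dn" -s base \
        '(objectClass=cRLDistributionPoint)' certificateRevocationList 2>/dev/null \
        | sed -n 's/^certificateRevocationList\(;binary\)\{0,1\}:: //p' | base64 -d > "$out" || return 1 ;;
    *) return 2 ;;
  esac
  [ -s "$out" ] && openssl crl -inform DER -in "$out" -noout >/dev/null 2>&1
}
# make_demo_cert DIR : constructed self-signed test certificate with one LDAP and one HTTP CDP
make_demo_cert() {
  cat > "$1/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_leaf]
crlDistributionPoints = @cdp
[cdp]
URI.1 = ldap://dc01.example.test/CN=Demo%20Issuing%20CA,CN=dc01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=example,DC=test?certificateRevocationList?base?objectClass=cRLDistributionPoint
URI.2 = http://pki.example.test/CertEnroll/Demo%20Issuing%20CA.crl
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=vpn-user' -days 1 -config "$1/ext.cnf" \
    -extensions v3_leaf -keyout "$1/leaf.key" -out "$1/leaf.pem" 2>/dev/null
}
if [ $# -gt 0 ]; then   # a real certificate was given: probe every CDP and report the result code
  list_cdp "$1" | while IFS= read -r url; do
    rc=0; fetch_crl "$url" "$(mktemp)" || rc=$?; echo "status=$rc $url"
  done
else                    # no argument: build the constructed demo certificate and list its CDPs
  d=$(mktemp -d); make_demo_cert "$d"; list_cdp "$d/leaf.pem"
fi
```

Run it with the user certificate as the argument from a host that shares the VPN headend's DNS and routing, because a CDP that a workstation can reach is not necessarily one the gateway can.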
