We have AnyConnect set up with Certificate validation. When we have the option unchecked (disabled) "Consider the certificate valid if revocation information can not be reached" (forcing the CRL check) our clients are unable to connect and the FMC VPN troubleshooting logs show that the CRL polling is failing as shown below.

The certificate does contain a valid CDP as I can use the "certutil" URL retrieval tool and copy the CRL ldap URL from the certificate into the tool and it returns an "OK" status as shown below.

I also tried creating a FlexConfig object with the following to see if specifying the ldap server for the CRL would help, and that isn't working either.

I cannot figure out why it cannot retrieve the CRL. If I enable "Consider the certificate valid if revocation information can not be reached" then the VPN connects but then any cert that was issued off the CA will connect even if the cert has been revoked.
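The three states described in this post can be reproduced offline with a throwaway OpenSSL lab. This is an added example, not part of the original post and not Cisco's or FMC's code: a local CRL file stands in for the CRL the FTD would fetch from the LDAP CDP, and every name and path below (the CA and user names, `$LAB`, `ca.cnf`, the function names) is an assumption. It assumes an OpenSSL 1.1 or 3.x command line.

```shell
#!/bin/sh
# Added lab (assumed names/paths): a throwaway issuing CA, one client cert,
# and a CRL that revokes it.  The CRL file plays the role of the CRL that the
# FTD would retrieve from the LDAP distribution point.
LAB="$(mktemp -d)"
CA_CNF="$LAB/ca.cnf"

build_lab() {
  cat > "$CA_CNF" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ ca ]
default_ca = lab_ca
[ lab_ca ]
dir              = $LAB
database         = \$dir/index.txt
new_certs_dir    = \$dir
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_crl_days = 30
policy           = lab_policy
[ lab_policy ]
commonName = supplied
EOF
  : > "$LAB/index.txt"
  echo 1000 > "$LAB/serial"
  echo 01   > "$LAB/crlnumber"
  # Self-signed issuing CA, then a client cert issued through 'openssl ca'
  # so that it lands in the CA database and can be revoked later.
  openssl req -x509 -config "$CA_CNF" -newkey rsa:2048 -nodes -days 30 \
    -keyout "$LAB/ca.key" -out "$LAB/ca.crt" -subj "/CN=Lab Issuing CA" >/dev/null 2>&1
  openssl req -new -config "$CA_CNF" -newkey rsa:2048 -nodes \
    -keyout "$LAB/client.key" -out "$LAB/client.csr" -subj "/CN=vpn-user" >/dev/null 2>&1
  openssl ca -config "$CA_CNF" -batch -notext -days 30 \
    -in "$LAB/client.csr" -out "$LAB/client.crt" >/dev/null 2>&1
  # Revoke the client cert and publish the CRL that lists it.
  openssl ca -config "$CA_CNF" -revoke "$LAB/client.crt" >/dev/null 2>&1
  openssl ca -config "$CA_CNF" -gencrl -out "$LAB/ca.crl" >/dev/null 2>&1
}

# Exit 0 if OpenSSL accepts client.crt under the given revocation policy:
#   nocheck         - no revocation check at all (what the "consider valid if
#                     revocation information cannot be reached" option amounts
#                     to while the CDP is never reachable)
#   crl_unreachable - CRL check required but no CRL available (hard fail,
#                     the state the FTD is in when CRL polling fails)
#   crl_present     - CRL check required and the CRL was retrieved
verify_cert() {
  case "$1" in
    nocheck)         openssl verify -no-CApath -CAfile "$LAB/ca.crt" \
                       "$LAB/client.crt" ;;
    crl_unreachable) openssl verify -no-CApath -CAfile "$LAB/ca.crt" -crl_check \
                       "$LAB/client.crt" ;;
    crl_present)     openssl verify -no-CApath -CAfile "$LAB/ca.crt" -crl_check \
                       -CRLfile "$LAB/ca.crl" "$LAB/client.crt" ;;
    *) echo "unknown mode: $1" >&2; return 2 ;;
  esac >/dev/null 2>&1
}

# Exit 0 if the client cert's serial number is listed in the CRL, i.e. the
# check you would do by hand on a CRL fetched with certutil or ldapsearch.
crl_revokes_client() {
  serial="$(openssl x509 -in "$LAB/client.crt" -noout -serial | sed 's/^serial=//')"
  openssl crl -in "$LAB/ca.crl" -noout -text | grep -q "Serial Number: $serial"
}

build_lab
for mode in nocheck crl_unreachable crl_present; do
  if verify_cert "$mode"; then echo "$mode: accepted"; else echo "$mode: rejected"; fi
done
```

Run without the `>/dev/null 2>&1` on the verify commands to see the two distinct failures: `unable to get certificate CRL` when a CRL check is required but no CRL could be obtained, and `certificate revoked` once the CRL is actually available. Only the first of those is the failure a CDP retrieval problem produces; the revoked cert is rejected only when the CRL is really fetched and parsed, which is why the soft-fail option turns an unreachable CDP into "every issued cert is accepted". Note that `-crl_check` checks the leaf only; `-crl_check_all` extends the check to the whole chain.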