'CRL Not current' error when trying to connect to smart licensing

geisler0815
Level 1

Hello everyone,

about two years ago we commissioned several NCS540 routers in our network, all licensed by smart licensing via call-home. For some time now we encounter the problem that they don't report to Cisco's smart licensing anymore and they reach the state of "out-of-compliance". When we look into the syslog we see a message:

http_client[388]: %SECURITY-XR_SSL-6-CERT_VERIFY_INFO : SSL Certificate verification: Certificate can be used for purpose it was meant to be
http_client[388]: %SECURITY-PKI-6-ERR_2_PARAM : Curl Perform failed: Timeout was reached
http_client[388]: %SECURITY-XR_SSL-3-CERT_VERIFY_ERR_2_PARAM : SSL certificate verify error: Error in fetching the issuer certificate/CRL 'Crypto Engine' detected the 'warning' condition 'CRL Not current'

Not all devices are affected at the moment, but more and more devices start to show this behaviour. Of course we can simply deactivate the check of the CRL, but we don't think that can be the best solution as it could be a security risk.
What can be the cause of this problem? Was there a change in Cisco's certificates?

Yours sincerely
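As an added example (not part of the original post or of any Cisco tooling), the following Python script shows how a defender can pick the three quoted messages out of a syslog feed, correlate the Curl timeout with the subsequent certificate-verify error per router, and list which routers are heading for "out-of-compliance". It also includes the validity-window check a verifier applies to a CRL, which is what "CRL Not current" refers to: a CRL is only usable between its thisUpdate and nextUpdate fields, so a cached CRL becomes stale once the fetch of a fresh one keeps timing out. The hostnames, timestamps and the second router in the sample are constructed; the message bodies are the ones quoted above.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input: the three lines quoted in the question, prefixed with a
# hypothetical hostname and an IOS XR-style timestamp, plus one healthy line from
# a second (hypothetical) router.
SAMPLE_SYSLOG = """\
ncs540-a RP/0/RP0/CPU0:Jan 10 08:00:01.123 UTC: http_client[388]: %SECURITY-XR_SSL-6-CERT_VERIFY_INFO : SSL Certificate verification: Certificate can be used for purpose it was meant to be
ncs540-a RP/0/RP0/CPU0:Jan 10 08:00:31.456 UTC: http_client[388]: %SECURITY-PKI-6-ERR_2_PARAM : Curl Perform failed: Timeout was reached
ncs540-a RP/0/RP0/CPU0:Jan 10 08:00:31.789 UTC: http_client[388]: %SECURITY-XR_SSL-3-CERT_VERIFY_ERR_2_PARAM : SSL certificate verify error: Error in fetching the issuer certificate/CRL 'Crypto Engine' detected the 'warning' condition 'CRL Not current'
ncs540-b RP/0/RP0/CPU0:Jan 10 08:05:00.000 UTC: http_client[388]: %SECURITY-XR_SSL-6-CERT_VERIFY_INFO : SSL Certificate verification: Certificate can be used for purpose it was meant to be
"""

# Cisco message header layout: %FACILITY-SUBFACILITY-SEVERITY-MNEMONIC : text
MSG_RE = re.compile(
    r"^(?P<host>\S+)\s.*?(?P<proc>\w+)\[(?P<pid>\d+)\]:\s*"
    r"%(?P<facility>[A-Z_]+)-(?P<sub>[A-Z_0-9]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z_0-9]+)\s*:\s*(?P<text>.*)$"
)
# The crypto engine names the failing condition in single quotes.
CONDITION_RE = re.compile(r"condition '(?P<cond>[^']+)'")


def parse_line(line):
    """Split one syslog line into host, process, facility fields and message text."""
    m = MSG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["sev"] = int(rec["sev"])
    return rec


def summarize(syslog_text):
    """Per-host view of what the call-home HTTPS client (http_client) reported."""
    hosts = {}
    for line in syslog_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proc"] != "http_client":
            continue
        entry = hosts.setdefault(rec["host"], {"fetch_timeout": False, "crl_conditions": []})
        # The CRL download itself failed (Curl gave up before the server answered).
        if rec["sub"] == "PKI" and "Timeout was reached" in rec["text"]:
            entry["fetch_timeout"] = True
        # Verification then failed; record the named condition ("CRL Not current").
        if rec["sub"] == "XR_SSL" and rec["mnemonic"].startswith("CERT_VERIFY_ERR"):
            m = CONDITION_RE.search(rec["text"])
            entry["crl_conditions"].append(m.group("cond") if m else rec["text"])
    return hosts


def hosts_at_risk(summary):
    """Routers whose licensing client hit a certificate/CRL verify error."""
    return sorted(host for host, entry in summary.items() if entry["crl_conditions"])


def crl_is_current(this_update, next_update, now, skew=timedelta(minutes=5)):
    """X.509 CRL freshness as a verifier evaluates it: the CRL is accepted only
    while now lies inside [thisUpdate, nextUpdate]. `skew` is a small tolerance
    for device clock drift (an assumption, not a Cisco setting)."""
    return this_update - skew <= now <= next_update + skew


if __name__ == "__main__":
    report = summarize(SAMPLE_SYSLOG)
    for host, entry in report.items():
        print(host, entry)
    print("at risk:", hosts_at_risk(report))

    # A CRL fetched at 08:00 with a one-day lifetime, checked a week later.
    t0 = datetime(2025, 1, 10, 8, 0, tzinfo=timezone.utc)
    print("current after one week?", crl_is_current(t0, t0 + timedelta(days=1), t0 + timedelta(days=7)))
```

The timeout/verify-error pairing is the useful signal: a router that only logs CERT_VERIFY_INFO is fine, while one that logs the Curl timeout and then the CRL condition is still running on a cached CRL that has passed its nextUpdate.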

3 Replies

kmccormick
Level 1

You likely need to upgrade your OS. There was a field notice published and the fix worked only temporarily for some reason. We eventually updated our routers and the issue went away.

https://www.cisco.com/c/en/us/support/docs/field-notices/722/fn72290.html

Hello,

a software update didn't solve it. I just updated a router (it's a N540-28Z4C-SYS-D btw.) and the problem is still the same. We have that problem on all our NCS540 machines with XR versions from 7.4.2 to 24.4.2.

Yours sincerely

kmccormick
Level 1

Check your call-home config.

call-home service active
call-home profile CiscoTAC-1 active
call-home profile CiscoTAC-1 destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
call-home profile CiscoTAC-1 destination transport-method email disable
call-home profile CiscoTAC-1 destination transport-method http

Check your source interface and VRF.

call-home vrf <VRF>
call-home source-interface <INTERFACE>

Make sure the source interface has access to internet.
Make sure the domain name-server is reachable and can resolve the URL.

domain name-server <DNS SERVER IP>
domain vrf <VRF> name-server <DNS SERVER IP>

You can do this with a ping test.

ping tools.cisco.com
ping vrf <VRF> tools.cisco.com


Other than that I would be at a loss.
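As an added example (not from the reply above or from Cisco), here is a small Python checker that applies the checklist in this reply to a flat running-config dump: it confirms the call-home service and CiscoTAC-1 profile lines are present, finds the VRF and source interface, verifies that a name-server exists in the same VRF call-home uses, and emits the matching ping command to run by hand. The VRF name, interface name and DNS address in the samples are constructed; the call-home lines are the ones listed in the reply.

```python
# Constructed sample: the lines from the reply, with a hypothetical VRF, source
# interface and name-server filled in.
GOOD_CONFIG = """\
call-home service active
call-home profile CiscoTAC-1 active
call-home profile CiscoTAC-1 destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
call-home profile CiscoTAC-1 destination transport-method email disable
call-home profile CiscoTAC-1 destination transport-method http
call-home vrf MGMT
call-home source-interface MgmtEth0/RP0/CPU0/0
domain vrf MGMT name-server 192.0.2.53
"""

# Constructed sample with three of the usual mistakes: HTTP transport not enabled,
# no source interface, and the name-server configured outside the call-home VRF.
BAD_CONFIG = """\
call-home service active
call-home profile CiscoTAC-1 active
call-home profile CiscoTAC-1 destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
call-home profile CiscoTAC-1 destination transport-method email disable
call-home vrf MGMT
domain name-server 192.0.2.53
"""

# Lines the reply says must be present for smart licensing over call-home.
REQUIRED_LINES = [
    "call-home service active",
    "call-home profile CiscoTAC-1 active",
    "call-home profile CiscoTAC-1 destination transport-method http",
    "call-home profile CiscoTAC-1 destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService",
]


def _last_token(lines, prefix):
    """Value of the first config line starting with prefix, or None."""
    for line in lines:
        if line.startswith(prefix):
            return line.split()[-1]
    return None


def check_call_home(config_text):
    """Return the call-home VRF, source interface and a list of findings."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    present = set(lines)
    findings = [f"missing: {req}" for req in REQUIRED_LINES if req not in present]

    vrf = _last_token(lines, "call-home vrf ")
    src = _last_token(lines, "call-home source-interface ")
    if src is None:
        findings.append("no call-home source-interface configured")

    # DNS must be reachable from the VRF call-home actually uses.
    if vrf is not None:
        has_dns = any(l.startswith(f"domain vrf {vrf} name-server ") for l in lines)
    else:
        has_dns = any(l.startswith("domain name-server ") for l in lines)
    if not has_dns:
        findings.append(f"no name-server configured in VRF {vrf or 'default'}")

    return {"vrf": vrf or "default", "source_interface": src, "findings": findings}


def ping_commands(vrf):
    """The reachability test from the reply, for the default or a named VRF."""
    if vrf is None or vrf == "default":
        return ["ping tools.cisco.com"]
    return [f"ping vrf {vrf} tools.cisco.com"]


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        result = check_call_home(cfg)
        print(name, result)
        print("  next:", ping_commands(result["vrf"]))
```

Run it against `show running-config | include call-home|name-server` output; an empty findings list means the configuration side of the checklist is satisfied, and the remaining work is the actual ping test and, as the thread shows, the field-notice software question.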