Hi, We are testing cert revocation check for our AnyConnect SSL VPN employees when they connect via cert-only authentication. We pointed the trustpoint to make CRL checks and assigned the URL for the location of the CRL file on the CA. Cache refresh t...
Dear all, We have an ASA firewall to which we have admin access (SSH and ASDM) via TACACS+ servers in ISE (10.7.1.17, 10.7.1.18). We configured the following on the ASA: Today we performed an upgrade on the ISE and rebooted 10.7.1.17, for around 6 mi...
Hello, I am running ASA 9.9(2)32 and I sometimes face the same issue. How is the issue indicated as solved? We authenticate SSL RA VPN users against an external LDAP database. Please advise.
Dear all, We have an RA SSL AnyConnect solution for our office with a tunnel-all policy, because we want employees' internet traffic to go via the company proxy servers when they work from home. Everything is running smoothly except for users connecti...
Dear all, Can someone advise what the difference is between ASR-Group vs Traffic Zones? We have 2 ASAs in active/active state. We are using one security context that has 2 outside sub-interfaces, each with a transport VLAN. On each sub-interface we have o...
Hi Aref, I am also glad that we are moving forward. What I would like to perform is a fail open (if for some reason the CA server is not reachable, I want to allow all certificates). In the previous version it was via: revocation-check crl none. Now with th...
Hi Aref, quick update: the CRL revocation is now working fine as expected in my first post (if the CRL cache is empty and a user tries to connect, the ASA downloads the CRL AND checks if the cert is revoked!). So as you expected, it seems it was a bug in 9.12. But now I...
Thanks Aref, I will wait for your feedback. Also I noticed another issue: since I configured 2 URLs for the CRLs, the firewall is only caching the first one in the sequence and not checking the second CRL at all, as written in the books. Now I have change...
Hi Aref, As stated in my initial post, the trustpoint is already configured for CRL check. The issue is occurring when the CRL cache is stale and a client tries to connect: the CRL is retrieved from the CA but the CRL check becomes optional the first time. Seco...
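The trustpoint settings the CRL posts above are turning on (strict CRL checking, a static list of CRL URLs, and the cache behaviour), as an added ASA configuration example written for this page; it is not configuration taken from any of the posts. The trustpoint name, the CA name and both URLs are assumptions. It also carries the two caveats a practitioner wants here: the `url 1` / `url 2` entries under `crl configure` are tried in sequence as fallbacks for fetching the same CRL, not as two independent CRLs that are both consulted (which is the behaviour the two-URL post observed), and the `revocation-check crl none` fail-open form mentioned above is only accepted on ASA releases that still offer the `none` keyword; later releases drop it, so the example shows the fail-closed form.

```text
! Added example (not from the posts). Trustpoint name, CA name and URLs are assumptions.
crypto ca trustpoint ANYCONNECT-USER-CA
 enrollment terminal
 ! Fail closed: a client cert whose revocation status cannot be determined is rejected.
 ! The older fail-open form is "revocation-check crl none" (check the CRL, but allow
 ! the session if no CRL can be obtained); it is only accepted on releases that keep it.
 revocation-check crl
 crl configure
  ! Fetch from the URLs below instead of the CDP extension in the client certificate.
  policy static
  ! url 1 is tried first; url 2 is contacted only if url 1 fails to return a CRL.
  ! Both entries must therefore serve the same issuer's CRL. A second issuing CA
  ! needs its own trustpoint with its own crl configure block.
  url 1 http://ca1.example.com/crl/UserCA.crl
  url 2 http://ca2.example.com/crl/UserCA.crl
  ! Keep the fetched CRL for at most 60 minutes; a closer NextUpdate expires it earlier.
  cache-time 60
  ! Require a NextUpdate field and treat the cached CRL as invalid once it has passed,
  ! so a stale cache forces a fresh download rather than silently passing the check.
  enforcenextupdate
```

To see what the ASA actually holds, `show crypto ca crls` lists the cached CRL with its NextUpdate, and `crypto ca crl request ANYCONNECT-USER-CA` forces a fresh download; clearing or forcing the cache this way is the quickest way to reproduce the stale-cache-then-connect sequence the posts describe and watch, with `debug crypto ca`, whether the first connection after the refresh is really checked against the new CRL.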
Hi Kumar, You can simply add the following command in global configuration: same-security-traffic permit intra-interface. Let me know if the answer was helpful.