VPN Remote Access CRLs

Jul 16th, 2010


Suppose I configure an IPsec VPN with certificate authentication for the Cisco VPN client (during IKE phase 1).

The Cisco ASA is also configured with certificates from the same CA server, and I am able to download the CRL.

The IPsec VPN is functional.

Later, I revoke the VPN client certificate on the CA server and download the CRL to the Cisco ASA again. The VPN client is still able to connect to the Cisco ASA.

What am I doing wrong?

sjbdallas Fri, 07/16/2010 - 08:29

Did you check through the CA Certificate options under Certificate Management in the ASDM? There are settings there related to checking for certificate revocation, and there's a checkbox to "Consider certificate valid if revocation information cannot be retrieved". When I first set up my CA, that was on by default.
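As an added example (not from the original thread), here is the ASA CLI equivalent of the ASDM setting described above: appending `none` to `revocation-check` is what that checkbox does, so a client is accepted whenever the CRL cannot be fetched; the second trustpoint fails closed, rejects a CRL past its NextUpdate, and refreshes the cached copy sooner. The trustpoint name and the enrollment URL are placeholders, and the `show`/`request` commands at the end let you confirm which CRL the ASA actually holds after a revocation.

```cisco
! Weak: "crl" is consulted first, but the trailing "none" means the peer
! certificate is treated as valid if the CRL cannot be retrieved. This is the
! CLI form of "Consider certificate valid if revocation information cannot be
! retrieved". LAB-CA and the URL are placeholders for this example.
crypto ca trustpoint LAB-CA
 enrollment url http://ca.example.internal/certsrv/mscep/mscep.dll
 revocation-check crl none
 crl configure
  policy cdp

! Hardened: no fallback method, so an unreachable or unparsable CRL fails the
! connection; a CRL whose NextUpdate has passed is not trusted; and the cached
! CRL is refreshed every 30 minutes instead of the default 60.
crypto ca trustpoint LAB-CA
 enrollment url http://ca.example.internal/certsrv/mscep/mscep.dll
 revocation-check crl
 crl configure
  policy cdp
  enforcenextupdate
  cache-time 30

! Checks after revoking a client: list the cached CRL (issuer, LastUpdate,
! NextUpdate, cached-until), then force a fresh download from the CDP rather
! than waiting for the cache timer.
show crypto ca crls
crypto ca crl request LAB-CA
```

If the freshly requested CRL still carries the old LastUpdate, the problem is on the CA side (the published CRL was not regenerated), not in the ASA's revocation settings.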

NemanjaPoprzen Sat, 07/17/2010 - 02:12

The option "Consider certificate valid if revocation information cannot be retrieved" is not selected. A restart of the CA server solved the problem, :-D.

Thank you

