VPN Remote Access CRLs

Unanswered Question
Jul 16th, 2010

Hi,

Suppose I configure an IPSec VPN with certificate authentication for the Cisco VPN client (during IKE phase 1).

The Cisco ASA is also configured with certificates from the same CA server, and I am able to download the CRL.

The IPSec VPN is functional.

Later, I revoke the VPN client certificate on the CA server and download the CRL to the Cisco ASA again. The VPN client is still able to connect to the Cisco ASA.

What am I doing wrong?

sjbdallas Fri, 07/16/2010 - 08:29

Did you check through the CA Certificate options under Certificate Management in the ASDM? There are settings there related to checking for certificate revocation, and there's a checkbox to "Consider certificate valid if revocation information cannot be retrieved". When I first set up my CA, that was on by default.

NemanjaPoprzen Sat, 07/17/2010 - 02:12

The option "Consider certificate valid if revocation information cannot be retrieved" is not selected. Restarting the CA server solved the problem :-D.

Thank you
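The behaviour in this thread is easy to reproduce outside of an ASA: a peer can only reject what the CRL it actually holds says is revoked, so a CRL published before the revocation (or a CA that has not re-published since) leaves the revoked client certificate fully valid. The script below is an added example, not part of the original thread and not Cisco's or the asker's configuration; it builds a constructed lab CA with the `openssl` command-line tool (assumed to be installed), issues a client certificate, captures a CRL before and after revoking it, and shows the three verdicts a validator can reach: no revocation checking at all, checking against the stale CRL, and checking against the fresh CRL. It also shows the check a practitioner should run on any CRL they have just downloaded: does it actually list the revoked serial?

```shell
#!/bin/sh
# Added example: reproduce the stale-CRL failure mode with a constructed lab CA.
# Assumes the openssl CLI (1.1.1 or 3.x) is available. All names are made up.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal openssl ca(1) configuration for the lab CA (constructed, not from the thread).
cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = lab_ca
[ lab_ca ]
dir              = .
database         = index.txt
new_certs_dir    = .
serial           = serial
crlnumber        = crlnumber
certificate      = ca.crt
private_key      = ca.key
default_md       = sha256
default_crl_days = 1
policy           = lab_policy
[ lab_policy ]
commonName       = supplied
EOF
touch index.txt; echo 1000 > serial; echo 01 > crlnumber

# Lab CA key and self-signed certificate.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
  -subj "/CN=Lab VPN CA" -keyout ca.key -out ca.crt 2>/dev/null

# A VPN client certificate issued by that CA.
openssl req -newkey rsa:2048 -nodes -subj "/CN=vpn-user" \
  -keyout client.key -out client.csr 2>/dev/null
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 365 -sha256 -out client.crt 2>/dev/null

# CRL published BEFORE the revocation: this is the "stale" CRL a peer may still hold.
openssl ca -config ca.cnf -gencrl -crldays 1 -out crl_stale.pem 2>/dev/null

# Revoke the client certificate and publish a fresh CRL.
openssl ca -config ca.cnf -revoke client.crt 2>/dev/null
openssl ca -config ca.cnf -gencrl -crldays 1 -out crl_fresh.pem 2>/dev/null

# verdict <cert> <crlfile|none>: prints "accepted" or "rejected", i.e. what a
# validator decides with no revocation checking, or with the given CRL.
verdict() {
  cert=$1; crl=$2
  if [ "$crl" = none ]; then
    openssl verify -CAfile ca.crt "$cert" >/dev/null 2>&1 \
      && echo accepted || echo rejected
  else
    openssl verify -crl_check -CAfile ca.crt -CRLfile "$crl" "$cert" >/dev/null 2>&1 \
      && echo accepted || echo rejected
  fi
}

# crl_lists_cert <cert> <crlfile>: prints "yes" if the CRL contains the
# certificate's serial number. Run this on a freshly downloaded CRL before
# assuming a revocation has taken effect.
crl_lists_cert() {
  serial=$(openssl x509 -in "$1" -noout -serial | cut -d= -f2)
  openssl crl -in "$2" -noout -text | grep -q "Serial Number: $serial" \
    && echo yes || echo no
}

echo "no revocation check:  $(verdict client.crt none)"
echo "stale CRL:            $(verdict client.crt crl_stale.pem)"
echo "fresh CRL:            $(verdict client.crt crl_fresh.pem)"
echo "stale CRL lists cert: $(crl_lists_cert client.crt crl_stale.pem)"
echo "fresh CRL lists cert: $(crl_lists_cert client.crt crl_fresh.pem)"
echo "fresh CRL validity:"
openssl crl -in crl_fresh.pem -noout -lastupdate -nextupdate
```

The first two verdicts are both "accepted", which is exactly the situation in the question: the certificate was revoked on the CA, but the CRL the validator holds predates the revocation, so nothing rejects it. Only the fresh CRL produces "rejected". When a revoked client still connects, the useful checks are therefore, in order: confirm the CRL on the validator lists the revoked serial, confirm its nextUpdate has not passed (an expired CRL is treated as missing revocation information, which is where the ASDM "consider certificate valid if revocation information cannot be retrieved" setting decides between failing open and failing closed), and confirm the CA has actually published a new CRL since the revocation.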
