Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

VPN 3000: Certificates: CRL


When you retrieve a certificate from a CA server trough SCEP, you can specify ldap value for CRL request.

What happens when:

1° The CA server is down

2° Does the VPN 3000 issue a request each time a client makes a connection ?

3° Is there a way to force a CRL request ?



Re: VPN 3000: Certificates: CRL

Often times complex configuration/troubleshooting issues are best addressed in an interactive session with one of our trained technical assistance engineers. While other forum users may be able to help, it’s often difficult to do so for this type of issue.

To utilize the resources at our Technical Assistance Center, please visit and to open a case with one of our TAC engineers, visit

If anyone else in the forum has some advice, please reply to this thread.

Thank you for posting.

New Member

Re: VPN 3000: Certificates: CRL

We have a similar setup to the one described and here are the As to U Qs:

1. If you have CRL checking on the VPN 3K and the CA server is down you have a few scenarios:

1.1The Concentrator still have a valid CRL and have not expired, then it will validate peers as normal.

1.2 The VPN 3K does not have a CRL and then can not validate peers certificates agains the CA's CRL, then it will not allow peer to connect.

1.3 It has a CRL but expired, apply same scenario as 1.2

2. No the concentrator holds a CRL until it is expired or forced to renew it.

3. Try rebooting the concentrator

I hope it helps


CreatePlease login to create content