SSL VPN
Contributor
PhillyEagles
Posts: 23
Registered: 12-10-2007

Can't seem to retrieve the CRL from the distribution point....?

I'm having a problem with the IVE, where it can't seem to retrieve the CRL from the distribution point.


There are several options that have been presented to the IVE (both fail). Option 1 is via LDAP and option 2 is via HTTP. I've been trying to use the HTTP method but it is failing. The error just says "Failed, Failed to connect." I've opened a ticket but so far no dice.


Anyone?

ben
Contributor
Posts: 126
Registered: 12-06-2007

Re: Can't seem to retrieve the CRL from the distribution point....?

Did you try to take a look at what's happening with tcpdump?

Maybe the connection to your CA is not working at all or anything similar...


Does your SA take the URL specified in the CA cert or a manually defined one?

Contributor
PhillyEagles
Posts: 23
Registered: 12-10-2007

Re: Can't seem to retrieve the CRL from the distribution point....?

Ben, you are correct. I finally looked at my tcpdump. I was pointing to the wrong server with an incorrect host entry. I fixed that. So, now that I'm pointing to the right server I see the CRL list coming to the IVE. The IVE sends an "Ack" for receipt of the data (tcpdump), but in the Event Log it states that there is a verification error. I turned off the option to "Verify Trusted Client CA". Still get the same error.
Contributor
PhillyEagles
Posts: 23
Registered: 12-10-2007

Re: Can't seem to retrieve the CRL from the distribution point....?

Finally, success! Working with JTAC paid off. Turns out the reason the IVE could not verify the CRL was the copy of the Root CA did have the CRL information in it. The copy of the Issuing CA to verify the clients had the CRL info but would not import ("missing Root or CA information" error). So, I was able to import an intermediate certificate (copy of the root); then I was able to import a copy of the trusted Issuing CA under Trusted Client Certificates. At that point I was able to download the CRL and verify it.


I also tested revoking a certificate and forcing the realm to check for revoked certs, and it worked. Thanks to all who have assisted with this task! :-)
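The verification error and the fix described in this thread can be reproduced offline with openssl. This is an added example, not from the thread or from Juniper: it builds a constructed lab PKI (root CA, issuing CA that signs the CRL, one client cert), shows that the CRL cannot be verified when only the root is trusted, that it verifies once the issuing CA is in the trust store, and that a revoked client serial appears in the CRL.

```shell
#!/bin/sh
# Added example: constructed lab PKI, names (Lab Root CA, Lab Issuing CA, client1) are made up.
set -e
W=$(mktemp -d); cd "$W"
Q=/dev/null

# Root CA -> Issuing CA (the CRL signer) -> client certificate.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Lab Root CA" \
  -keyout root.key -out root.pem >$Q 2>&1
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl req -newkey rsa:2048 -nodes -subj "/CN=Lab Issuing CA" \
  -keyout issuing.key -out issuing.csr >$Q 2>&1
openssl x509 -req -days 30 -in issuing.csr -CA root.pem -CAkey root.key \
  -CAcreateserial -extfile ca.ext -out issuing.pem >$Q 2>&1
openssl req -newkey rsa:2048 -nodes -subj "/CN=client1" \
  -keyout client.key -out client.csr >$Q 2>&1
openssl x509 -req -days 30 -in client.csr -CA issuing.pem -CAkey issuing.key \
  -CAcreateserial -out client.pem >$Q 2>&1

# Minimal 'openssl ca' config: just enough to revoke a cert and issue a CRL.
printf '[ca]\ndefault_ca=issuing\n[issuing]\ndatabase=index.txt\n' > ca.cnf
printf 'certificate=issuing.pem\nprivate_key=issuing.key\ndefault_md=sha256\ndefault_crl_days=7\n' >> ca.cnf
touch index.txt
openssl ca -config ca.cnf -revoke client.pem >$Q 2>&1
openssl ca -config ca.cnf -gencrl -out issuing.crl >$Q 2>&1

# crl_verifies CAFILE: succeeds only if the CRL's issuer is in CAFILE and the signature checks out.
crl_verifies() { openssl crl -in issuing.crl -noout -CAfile "$1" >$Q 2>&1; }

# The thread's failure: the root alone is trusted, but the CRL is signed by the issuing CA.
if crl_verifies root.pem; then echo "unexpected: root alone verified the CRL"; exit 1; fi
echo "root only  -> verification error (CRL issuer not in trust store)"
# The fix: the issuing CA (chained to the root) is present as a trusted CA.
crl_verifies issuing.pem && echo "issuing CA -> verify OK"

# is_revoked SERIAL: succeeds if SERIAL is listed in the CRL (the realm's revocation check).
is_revoked() { openssl crl -in issuing.crl -noout -text | grep -q "Serial Number: $1"; }
SERIAL=$(openssl x509 -in client.pem -noout -serial | cut -d= -f2)
is_revoked "$SERIAL" && echo "client1 (serial $SERIAL) is revoked"
```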
