This article describes an issue where Check Point VPN clients cannot retrieve the CRL.
When trying to connect using SecureClient / SecureRemote or Endpoint Connect, the connection fails with the error message: "Can not retrieve CRL".
SmartView Tracker shows the same error.
This issue occurs when working with endpoint certificates, using an external CA, and the "Retrieve CRL from" feature is turned on under the CA object properties.
The FireWall module communicates with the selected CA and tries to retrieve the CRL.
If "Hide Cluster Members' outgoing traffic behind the cluster IP Address" is selected under "3rd Party Configuration", the connection is NATed to the cluster VIP.
The CA then receives a request in which the IP address inside the request data differs from the source IP address of the connection, and may drop it.
Open the cluster object's 3rd Party Configuration tab in the Check Point GUI and uncheck the following two options:
1) "Forward Cluster's incoming traffic to Cluster Members' IP addresses"
2) "Hide Cluster Members' outgoing traffic behind Cluster's IP address"