Can not retrieve CRL with SecureRemote\Client
Article ID: 167856
Updated On:
Products
XOS
Issue/Introduction
This article describes an issue where Check Point VPN clients can not retrieve CRLWhen trying to connect using SecureClient \ SecureRemote or Endpoint Connect, the connection fails with an error message: "Can not retrieve CRL".
SmartView Tracker shows the same error.
SmartView Tracker shows the same error.
Cause
Problem:
This issue occurs when working with end point certificates, using an external CA, and "Retrieve CRL from" feature is turned on under CA object properties.
FireWall module will communicate with the selected CA and try to retrieve the CRL.
If "Hide Cluster Members' outgoing traffic behind the cluster IP Address" is selected under "3rd part configuration", connection will be NATed to the cluster VIP.
The CA will get a request with a different IP inside the request data than the connection and may drop it.
This issue occurs when working with end point certificates, using an external CA, and "Retrieve CRL from" feature is turned on under CA object properties.
FireWall module will communicate with the selected CA and try to retrieve the CRL.
If "Hide Cluster Members' outgoing traffic behind the cluster IP Address" is selected under "3rd part configuration", connection will be NATed to the cluster VIP.
The CA will get a request with a different IP inside the request data than the connection and may drop it.
Resolution
Open the cluster object 3rd Party Configuration tab in Check Point GUI and uncheck the following two options:
1) "Forward Cluster's incoming traffic to Cluster Members' IP addresses"
2) "Hide Cluster Members' outgoing traffic behind Cluster's IP address"
1) "Forward Cluster's incoming traffic to Cluster Members' IP addresses"
2) "Hide Cluster Members' outgoing traffic behind Cluster's IP address"
Workaround
N/AAttachments
Feedback
Yes
No
Powered by
