Can not retrieve CRL with SecureRemote\Client

Article ID: 167856

Products

XOS

Issue/Introduction

This article describes an issue where Check Point VPN clients cannot retrieve the CRL. When trying to connect using SecureClient / SecureRemote or Endpoint Connect, the connection fails with the error message: "Can not retrieve CRL".

SmartView Tracker shows the same error.

Cause

Problem:

This issue occurs when working with endpoint certificates issued by an external CA, with the "Retrieve CRL from" option turned on in the CA object properties.

The FireWall module communicates with the selected CA and tries to retrieve the CRL.
If "Hide Cluster Members' outgoing traffic behind the cluster IP Address" is selected under "3rd Party Configuration", the connection is NATed to the cluster VIP.
The CA then receives a request whose source IP inside the request data differs from the IP of the connection itself, and it may drop the request.
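Before changing cluster settings, it is worth confirming from the gateway itself that the CA is reachable and is serving a CRL that verifies against the CA certificate and has not expired; a download that succeeds but yields a stale or wrongly signed CRL leads to the same client-side failure. The script below is an added diagnostic example, not part of this article or of Check Point's tooling. The demo CA, file names and WORK directory are constructed so the check runs offline; `fetch_crl` is the only part that touches the network, and a GNU date(1) is assumed for the freshness comparison.

```shell
#!/bin/sh
# Added example (not from the Check Point/Broadcom article): validate a CRL that
# was fetched by hand from the CA's distribution point, the same artefact the
# gateway needs when "Retrieve CRL from" is enabled. The demo CA, file names and
# WORK directory are constructed for this example; GNU date(1) is assumed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_demo_ca DIR: build a throwaway CA and an empty CRL so the check runs offline.
make_demo_ca() {
  dir="$1"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Constructed Demo CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
  : > "$dir/index.txt"          # empty issued-certificate database
  echo 01 > "$dir/crlnumber"
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database   = $dir/index.txt
crlnumber  = $dir/crlnumber
default_md = sha256
EOF
  openssl ca -config "$dir/openssl.cnf" -gencrl -crldays 7 \
    -keyfile "$dir/ca.key" -cert "$dir/ca.crt" -out "$dir/ca.crl" >/dev/null 2>&1
}

# fetch_crl URL OUT: download the CRL from its distribution point (real use only;
# not exercised in the offline demo). Run it from the gateway so the request
# leaves with the same source address the CA sees in production.
fetch_crl() {
  curl -sSf --max-time 15 -o "$2" "$1"
}

# check_crl CRL_FILE CA_CERT: return 0 when the CRL parses, carries a valid
# signature from CA_CERT and has not passed its nextUpdate; 1 otherwise.
check_crl() {
  crl="$1"; ca="$2"
  inform=PEM
  grep -q -- '-----BEGIN X509 CRL-----' "$crl" 2>/dev/null || inform=DER
  # Signature check: a CRL that does not verify against the issuing CA is useless
  # to a relying party even when the download itself succeeded.
  openssl crl -inform "$inform" -in "$crl" -CAfile "$ca" -noout >/dev/null 2>&1 || return 1
  # Freshness check: relying parties treat an expired CRL as "no CRL available".
  next=$(openssl crl -inform "$inform" -in "$crl" -noout -nextupdate | sed 's/^nextUpdate=//')
  next_epoch=$(date -u -d "$next" +%s)    # GNU date assumed
  [ "$next_epoch" -gt "$(date -u +%s)" ] || return 1
}

# Offline demonstration on the constructed CA.
make_demo_ca "$WORK/demo"
if check_crl "$WORK/demo/ca.crl" "$WORK/demo/ca.crt"; then
  echo "CRL OK: signed by the expected CA and still within its validity period"
else
  echo "CRL check FAILED" >&2
fi
```

In real use, run `fetch_crl "<CRL distribution point URL from the certificate>" crl.der` on the gateway followed by `check_crl crl.der ca.crt`; a download failure points at the NAT mismatch described above, while a download that succeeds but fails `check_crl` points at the CA's CRL publication instead.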

Resolution

Open the cluster object's 3rd Party Configuration tab in the Check Point GUI and uncheck the following two options:

1) "Forward Cluster's incoming traffic to Cluster Members' IP addresses"
2) "Hide Cluster Members' outgoing traffic behind Cluster's IP address"


Workaround

N/A
