Cisco Bug: CSCtb41710 - ASA revocation-check to fall back to none only if CDP is unavailable
Feb 15, 2018
- Cisco ASA 5500-X Series Firewalls
Known Affected Releases
8.2(1) 9.1(6) 9.3(2) 9.4(1)
Symptom: When the ASA does not have the CRL cached, the first client authentication/certificate validation triggers a CRL download. If CRL retrieval is slightly delayed (~600 ms), the retrieval moves to the background and the revocation check falls back to none, i.e. a revoked certificate is accepted while the ASA has no cached CRL. The background CRL retrieval then succeeds and the CRL is cached, so subsequent connections presenting already-revoked certificates are blocked. The symptom recurs each time the CRL validity/cache expires.
Conditions: ASA acting as an SSL VPN or IPsec server where the peer/client is authenticated using certificates, and the client CA trust-point on the ASA is configured with "revocation-check crl none".
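As an added illustration that is not part of the Cisco bug record, the trust-point configuration the bug describes is shown beside the stricter form; the trust-point name is a placeholder, and whether the strict form is unaffected by this bug is not stated on the page and is an assumption here.

```cisco
! Constructed example; the trust-point name CLIENT-CA is a placeholder.
! Affected configuration as described in the bug record: CRL check with a
! fallback to "none" when the CRL cannot be retrieved. Under this bug the
! fallback also occurs when retrieval is merely delayed (~600 ms), so a
! revoked certificate can be accepted until the CRL is cached.
crypto ca trustpoint CLIENT-CA
 revocation-check crl none
!
! Stricter alternative (assumption: the bug record does not say that it
! avoids the issue): require a successful CRL check, so validation fails
! closed instead of falling back to no revocation check.
crypto ca trustpoint CLIENT-CA
 revocation-check crl
!
! Check which CRLs the ASA currently has cached before relying on either form.
show crypto ca crls
```

With the strict form, an unreachable CDP blocks certificate authentication until the CRL can be fetched; that availability trade-off is the reason the none fallback exists.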