Cisco Bug: CSCtb41710 - ASA revocation-check to fall back to none only if CDP is unavailable

Last Modified

Feb 15, 2018

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

8.2(1) 9.1(6) 9.3(2) 9.4(1)

Description (partial)

Symptom:
When the ASA does not have the CRL cached, the first client authentication (certificate validation) triggers a CRL download. If the CRL retrieval is slightly delayed [~600ms], the retrieval continues in the background and the revocation check falls back to none, so a revoked certificate is accepted whenever the ASA does not have the CRL cached. The background CRL retrieval then succeeds and the CRL is cached; from that point on, subsequent connections presenting already-revoked certificates are blocked.

This symptom repeats each time the CRL validity or cache expires.

Conditions:
ASA acting as an SSL VPN or IPsec server, where the peer/client is authenticated using certificates.
The client CA trustpoint on the ASA is configured with "revocation-check crl none".
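Added example, not part of the Cisco bug record: the affected trustpoint stanza beside a stricter form that configures no fallback, so a validation that cannot obtain the CRL fails rather than being accepted. The trustpoint name CLIENT-CA and the cache-time value are assumed for illustration.

```text
! Affected configuration: CRL check with fallback to "none".
! While the first CRL download is still in flight, the check falls back
! to none and a revoked client certificate can be accepted.
crypto ca trustpoint CLIENT-CA
 revocation-check crl none
 crl configure
  policy cdp
  cache-time 60

! Stricter configuration: CRL check with no fallback.
! If the CRL is neither cached nor retrievable, certificate validation
! fails closed instead of accepting the peer.
crypto ca trustpoint CLIENT-CA
 revocation-check crl
 crl configure
  policy cdp
  cache-time 60
```

The trade-off is availability: with no fallback, connections that arrive before the CRL is cached, or while the CDP is unreachable, are rejected. Pre-fetching the CRL with "crypto ca crl request CLIENT-CA" after a reload or cache expiry, and monitoring CRL retrieval failures on the ASA, reduces how often that happens.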