https://community.checkpoint.com/t5/Firewall-and-Security-Management/Capsule-VPN-Fallback-to-CRL-after-OCSP-is-unsuccessful/m-p/154049#M26022 <P>Checked now SK21156.</P> <P>It is in a very confusing layout and I cannot find new information. </P> <P>I already disabled "Retrieve CRL From -&gt; LDAP Servers and HTTP Servers" for the new CA Object.<BR />Pushed the policy and also changed some settings in the VPN section so that the service also reloads.<BR />I assume TAC is needed.<BR /><BR />KR<BR />David</P> Thu, 28 Jul 2022 08:04:29 GMT D_W 2022-07-28T08:04:29Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Capsule-VPN-Fallback-to-CRL-after-OCSP-is-unsuccessful/m-p/153968#M25987 <P>Hello,</P> <P>we have problems using Capsule VPN and our new certificates.</P> <P>According <A href="http:// https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk179434&amp;partition=Advanced&amp;product=Remote" target="_self">sk179434</A>&nbsp; the SecGateway will check the CRL when OCSP is not available. We have a OSCP URL defined but it's not active at the moment. Issue is now that we do not see the Fallback. Gateway Version is R81.10 JHF T55.</P> <P>Do I misunderstand the sk179434?</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="grafik.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/17327iA6F4884585CE6931/image-size/large?v=v2&amp;px=999" role="button" title="grafik.png" alt="grafik.png" /></span></P> <P>I also tried to deactivate the validation of the CA but that seems to be ignored.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="grafik.png" style="width: 344px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/17328iB899B271B32CEAAE/image-size/large?v=v2&amp;px=999" role="button" title="grafik.png" alt="grafik.png" /></span></P> <P>&nbsp;</P> <P>Any idea anyone?</P> <DIV id="tinyMceEditorD_W_0" class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV> <P>KR<BR />David</P> <P>&nbsp;</P> Wed, 27 Jul 2022 11:57:22 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Capsule-VPN-Fallback-to-CRL-after-OCSP-is-unsuccessful/m-p/153968#M25987 D_W 2022-07-27T11:57:22Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Capsule-VPN-Fallback-to-CRL-after-OCSP-is-unsuccessful/m-p/153970#M25989 <P>Have you also reviewed&nbsp;sk21156 (in full) as a workaround?</P> Wed, 27 Jul 2022 12:33:45 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Capsule-VPN-Fallback-to-CRL-after-OCSP-is-unsuccessful/m-p/153970#M25989 Chris_Atkinson 2022-07-27T12:33:45Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Capsule-VPN-Fallback-to-CRL-after-OCSP-is-unsuccessful/m-p/154049#M26022 <P>Checked now SK21156.</P> <P>It is in a very confusing layout and I cannot find new information. </P> <P>I already disabled "Retrieve CRL From -&gt; LDAP Servers and HTTP Servers" for the new CA Object.<BR />Pushed the policy and also changed some settings in the VPN section so that the service also reloads.<BR />I assume TAC is needed.<BR /><BR />KR<BR />David</P> Thu, 28 Jul 2022 08:04:29 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Capsule-VPN-Fallback-to-CRL-after-OCSP-is-unsuccessful/m-p/154049#M26022 D_W 2022-07-28T08:04:29Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Capsule-VPN-Fallback-to-CRL-after-OCSP-is-unsuccessful/m-p/181154#M33134 <P>Late response but the OSCP failback does not work <SPAN>R81.10 ikev2 jumbo 79 and below</SPAN>. TAC adding fix for Ikev2 and say Ikev1 not affected<BR />If the OCSP fails to connect the Auth fails. Fix for&nbsp;sk179434 is available from TAC if not yet in Jumbo.</P> Tue, 16 May 2023 21:16:54 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Capsule-VPN-Fallback-to-CRL-after-OCSP-is-unsuccessful/m-p/181154#M33134 spottex 2023-05-16T21:16:54Z