https://community.checkpoint.com/t5/SASE-and-Remote-Access/Main-Mode-Client-Machine-Certificate-Error-Could-not-retrieve/m-p/241691#M2393 <P>Certificates are used as part of the client VPN connection, which are checked against the CRL.<BR />Very much relevant here.</P> Wed, 19 Feb 2025 15:58:19 GMT PhoneBoy 2025-02-19T15:58:19Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Main-Mode-Client-Machine-Certificate-Error-Could-not-retrieve/m-p/241491#M2389 <P>Hi Guys,</P><P>&nbsp;</P><P>we currently have one client that cannot connect via VPN. It's the only client to have that issue at the moment.</P><P>SmartConsole says:<BR />Main Mode Client Machine Certificate Error: Could not retrieve CRL.CN=XXX</P><P>I see allowed packets in the logs. If I curl_cli the CRL-Distribution-Point and tcpdump the traffic during client-login I see encrypted</P><P>-----BEGIN X509 CRL-----<BR />abc123<BR />-----END X509 CRL-----</P><P>which are in both cases the same.</P><P>&nbsp;</P><P>All other clients can succesful login.</P><P>Do you have any clues?</P> Tue, 18 Feb 2025 10:15:34 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Main-Mode-Client-Machine-Certificate-Error-Could-not-retrieve/m-p/241491#M2389 morris 2025-02-18T10:15:34Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Main-Mode-Client-Machine-Certificate-Error-Could-not-retrieve/m-p/241579#M2390 <P>Have you tried connecting to the CRL directly from the client in question (e.g. in a web browser)?<BR />Have you tried having the client use a different ISP to see if port 18264 is possibly being blocked?</P> Tue, 18 Feb 2025 21:11:20 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Main-Mode-Client-Machine-Certificate-Error-Could-not-retrieve/m-p/241579#M2390 PhoneBoy 2025-02-18T21:11:20Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Main-Mode-Client-Machine-Certificate-Error-Could-not-retrieve/m-p/241591#M2391 <P>If its just single client, maybe have them reboot or reinstall the client. I would test with latest one, E88.62 version. Its highly unlikely its anything on the gateway side.</P> <P>Andy</P> Tue, 18 Feb 2025 22:00:38 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Main-Mode-Client-Machine-Certificate-Error-Could-not-retrieve/m-p/241591#M2391 the_rock 2025-02-18T22:00:38Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Main-Mode-Client-Machine-Certificate-Error-Could-not-retrieve/m-p/241620#M2392 <P>The client cannot access to the CRL as he is not connected yet.</P><P>Does the client perform the CRL check? I always thought it was done by the gateway. Doesn't make sense to me if the client does it. The same with port 18264. I see allowed packets between gateway and management.</P> Wed, 19 Feb 2025 09:13:29 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Main-Mode-Client-Machine-Certificate-Error-Could-not-retrieve/m-p/241620#M2392 morris 2025-02-19T09:13:29Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Main-Mode-Client-Machine-Certificate-Error-Could-not-retrieve/m-p/241691#M2393 <P>Certificates are used as part of the client VPN connection, which are checked against the CRL.<BR />Very much relevant here.</P> Wed, 19 Feb 2025 15:58:19 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Main-Mode-Client-Machine-Certificate-Error-Could-not-retrieve/m-p/241691#M2393 PhoneBoy 2025-02-19T15:58:19Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Main-Mode-Client-Machine-Certificate-Error-Could-not-retrieve/m-p/241747#M2394 <P>Yes, I understand. But who checks the certificate against the crl? The client or the gateway/management?&nbsp;</P><P>All other clients can connect without any error message.</P> Thu, 20 Feb 2025 08:26:16 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Main-Mode-Client-Machine-Certificate-Error-Could-not-retrieve/m-p/241747#M2394 morris 2025-02-20T08:26:16Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Main-Mode-Client-Machine-Certificate-Error-Could-not-retrieve/m-p/241774#M2395 <P>Depending on your configuration (e.g. Management is behind NAT), the client may send the CRL check through the gateway, but it's ultimately coming from the client.</P> Thu, 20 Feb 2025 13:08:21 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Main-Mode-Client-Machine-Certificate-Error-Could-not-retrieve/m-p/241774#M2395 PhoneBoy 2025-02-20T13:08:21Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Main-Mode-Client-Machine-Certificate-Error-Could-not-retrieve/m-p/243269#M2396 <P>The VPN-Gateway seems to use another interface to get to the CRL. And that access is dropped on another gateway.</P><P>It seems a little odd to me. The client accesses the same external interface with new and legacy certificate.</P><P>We are waiting for the other team to unlock the dropped traffic.</P> Fri, 07 Mar 2025 15:26:06 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Main-Mode-Client-Machine-Certificate-Error-Could-not-retrieve/m-p/243269#M2396 morris 2025-03-07T15:26:06Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Main-Mode-Client-Machine-Certificate-Error-Could-not-retrieve/m-p/243272#M2397 <P>Did you end up testing with the latest client, E88.62?</P> <P>Andy</P> Fri, 07 Mar 2025 15:59:16 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Main-Mode-Client-Machine-Certificate-Error-Could-not-retrieve/m-p/243272#M2397 the_rock 2025-03-07T15:59:16Z