morris
Contributor

Main Mode Client Machine Certificate Error: Could not retrieve CRL.CN=XXX

Hi Guys,

We currently have one client that cannot connect via VPN. It's the only client with that issue at the moment.

SmartConsole says:
Main Mode Client Machine Certificate Error: Could not retrieve CRL.CN=XXX

I see allowed packets in the logs. If I curl_cli the CRL distribution point and tcpdump the traffic during client login, I see an encrypted

-----BEGIN X509 CRL-----
abc123
-----END X509 CRL-----

which is the same in both cases.

All other clients can log in successfully.

Do you have any clues?

8 Replies
PhoneBoy
Admin

Have you tried connecting to the CRL directly from the client in question (e.g. in a web browser)?
Have you tried having the client use a different ISP to see if port 18264 is possibly being blocked?

morris
Contributor

The client cannot access the CRL, as it is not connected yet.

Does the client perform the CRL check? I always thought it was done by the gateway. It doesn't make sense to me if the client does it. The same goes for port 18264: I see allowed packets between the gateway and management.

PhoneBoy
Admin

Certificates are used as part of the client VPN connection, which are checked against the CRL.
Very much relevant here.

morris
Contributor

Yes, I understand. But who checks the certificate against the CRL? The client or the gateway/management?

All other clients can connect without any error message.

PhoneBoy
Admin

Depending on your configuration (e.g. Management is behind NAT), the client may send the CRL check through the gateway, but it's ultimately coming from the client.
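
Once the CRL bytes have been captured on both sides (the OP's curl_cli fetch versus the tcpdump of the client login, and the client-originated check described just above), the two things worth verifying are whether both fetches really returned the same CRL and whether that CRL is still usable, i.e. its nextUpdate has not passed and the client's certificate serial is not listed. The following is an added example, not code from the thread or from Check Point: a standard-library-only Python parser that fingerprints a PEM CRL, walks the TBSCertList far enough to read thisUpdate, nextUpdate and the revoked serials, and classifies the result. The sample CRL it builds is constructed here for offline use with a placeholder (unsigned) signature; a real gateway also verifies the CRL signature against the CA, which this code does not do.

```python
import base64
import hashlib
import re
from datetime import datetime, timezone

PEM_CRL_RE = re.compile(
    r"-----BEGIN X509 CRL-----\s*(.*?)\s*-----END X509 CRL-----", re.S
)


def pem_to_der(pem: str) -> bytes:
    """Extract the base64 body of a PEM-encoded CRL and decode it to DER."""
    m = PEM_CRL_RE.search(pem)
    if not m:
        raise ValueError("no X509 CRL PEM block found")
    return base64.b64decode("".join(m.group(1).split()))


def crl_fingerprint(pem: str) -> str:
    """SHA-256 of the DER CRL; equal values mean both fetches got the same CRL."""
    return hashlib.sha256(pem_to_der(pem)).hexdigest()


# --- minimal DER reader: only what is needed to walk a CRL's TBSCertList ---
def _tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) of the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _time(tag: int, raw: bytes) -> datetime:
    s = raw.decode("ascii")
    if tag == 0x17:  # UTCTime YYMMDDHHMMSSZ
        return datetime.strptime(s, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    if tag == 0x18:  # GeneralizedTime YYYYMMDDHHMMSSZ
        return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    raise ValueError("unexpected tag for Time: 0x%02x" % tag)


def parse_crl(der: bytes) -> dict:
    """Return thisUpdate, nextUpdate and the revoked serial numbers of a DER CRL."""
    _, p, _ = _tlv(der, 0)               # CertificateList SEQUENCE
    _, p, tbs_end = _tlv(der, p)         # TBSCertList SEQUENCE
    tag, s, e = _tlv(der, p)             # optional version INTEGER, else AlgId
    if tag == 0x02:
        tag, s, e = _tlv(der, e)         # signature AlgorithmIdentifier
    tag, s, e = _tlv(der, e)             # issuer Name (skipped)
    tag, s, e = _tlv(der, e)             # thisUpdate
    this_update, next_update, revoked = _time(tag, der[s:e]), None, []
    if e < tbs_end:
        tag, s, e = _tlv(der, e)
        if tag in (0x17, 0x18):          # nextUpdate is OPTIONAL
            next_update = _time(tag, der[s:e])
            tag, s, e = _tlv(der, e) if e < tbs_end else (None, e, e)
        if tag == 0x30:                  # revokedCertificates SEQUENCE OF
            q = s
            while q < e:
                _, rs, re_ = _tlv(der, q)       # one revoked entry
                _, ss, se = _tlv(der, rs)       # userCertificate INTEGER
                revoked.append(int.from_bytes(der[ss:se], "big", signed=True))
                q = re_
    return {"this_update": this_update, "next_update": next_update, "revoked": revoked}


def check_crl(pem: str, client_serial: int, now=None) -> str:
    """Classify a fetched CRL the way a verifier would: 'stale', 'revoked' or 'ok'."""
    info = parse_crl(pem_to_der(pem))
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    now = now or datetime.now(timezone.utc)
    if info["next_update"] is not None and now > info["next_update"]:
        return "stale"
    if client_serial in info["revoked"]:
        return "revoked"
    return "ok"


# --- tiny DER encoder used only to build the constructed sample CRL below ---
def _der(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def build_sample_crl_pem() -> str:
    """Constructed sample: issuer CN=XXX, valid 2024-01-01..2024-01-08, serial 0x1001 revoked."""
    utc = lambda s: _der(0x17, s.encode("ascii"))
    sha256_rsa = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    issuer = _der(0x30, _der(0x31, _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x0C, b"XXX"))))
    revoked = _der(0x30, _der(0x30, _der(0x02, b"\x10\x01") + utc("240101120000Z")))
    tbs = _der(0x30, _der(0x02, b"\x01") + sha256_rsa + issuer
               + utc("240101000000Z") + utc("240108000000Z") + revoked)
    der = _der(0x30, tbs + sha256_rsa + _der(0x03, b"\x00" * 33))  # placeholder signature
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN X509 CRL-----\n" + body + "\n-----END X509 CRL-----\n"


if __name__ == "__main__":
    pem = build_sample_crl_pem()
    print(crl_fingerprint(pem), parse_crl(pem_to_der(pem)))
    print(check_crl(pem, 0x1001, now="2024-01-02T00:00:00+00:00"))
```

Feed `crl_fingerprint` the PEM from the gateway-side fetch and the PEM reassembled from the client-side capture; if the fingerprints match, as they did for the OP, the CRL content is not the problem and the failure is in the fetch path itself (the route or interface the gateway uses to reach the distribution point, or port 18264 being blocked), which is what the later replies go on to find.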

the_rock
Legend

If it's just a single client, maybe have them reboot or reinstall the client. I would test with the latest one, version E88.62. It's highly unlikely it's anything on the gateway side.

Andy

morris
Contributor

The VPN gateway seems to use another interface to get to the CRL, and that access is dropped on another gateway.

It seems a little odd to me. The client accesses the same external interface with both the new and the legacy certificate.

We are waiting for the other team to unlock the dropped traffic.

the_rock
Legend

Did you end up testing with the latest client, E88.62?

Andy
