Sanjay_S
Advisor

CRL Timeout

Hi All,

We are facing a weird issue: a few of the users are able to access a particular URL and a few are not. In Tracker I see the below Detect Message.

Failed to fetch CRL. Make sure the security gateway has an outgoing http access, and that the proxy and DNS servers are well configured. 

Certificate Validation: CRL Timeout 

We upgraded the firewalls to R80.30 Take 196 2 days back; is that causing the issue? Or what is the solution for this? Please help.

Regards,

Sanjay S

7 Replies
PhoneBoy
Admin

Are the sites HTTPS by chance?
Is HTTPS Inspection enabled?
I could see this happening if both are true since SNI is validated out of band and that does involve checking the cert and CRL.
Sanjay_S
Advisor

Yes, those are HTTPS sites and the HTTPS Inspection blade was enabled.

The issue was resolved after rebooting the server which was hosting the site. Thank you for your help 🙂

Nasrat
Employee

Is there an open SR for this issue?

genisis__
Collaborator

I'm seeing this in our logs. We are not running HTTPS Inspection, but I see lots of entries related to "Failed to fetch CRL from the following URL".

I know the gateway can access the internet.

PhoneBoy
Admin

Even without HTTPS Inspection, SNI verification is done on HTTPS sites from R80.30+.

genisis__
Collaborator

Is there something I need to ensure the GW can retrieve these? Or is this the correct behaviour as a result of SNI verification?

Chris_Atkinson
Employee

Out of interest, is OCSP traffic allowed by your policy?

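The checks the Tracker message asks for (outgoing HTTP, DNS, proxy), as an added example that is not part of the original thread or Check Point tooling: it lists the CRL URLs in a site's leaf certificate and times a fetch of each. It assumes a host that shares the gateway's egress path and has stock `openssl`, `curl` and `awk`; the function names and the `CRL_TIMEOUT` default are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: find the CRL URLs a site's certificate points at and time a fetch of each.

# Read `openssl x509 -noout -text` output on stdin; print only the URIs listed
# under "CRL Distribution Points" (OCSP/AIA URIs in later extensions are skipped).
# Relies on openssl's layout: extension names start at column 13 or less,
# their contents are indented further.
crl_urls_from_text() {
    awk '
        /CRL Distribution Points/                   { in_cdp = 1; next }
        in_cdp && match($0, /[^ ]/) && RSTART <= 13 { in_cdp = 0 }  # next extension header
        in_cdp && /URI:/                            { sub(/^.*URI:/, ""); print }
    '
}

# Download one CRL and report DNS and total time. CRL_TIMEOUT (default 10 s) is an
# assumed cap for this check, not the gateway's own CRL timeout.
fetch_crl() {
    curl --silent --show-error --fail --location \
         --max-time "${CRL_TIMEOUT:-10}" --output /dev/null \
         --write-out 'http=%{http_code} dns=%{time_namelookup}s total=%{time_total}s\n' "$1"
}

# Pull the leaf certificate from host:443 (SNI set) and test every CRL URL in it.
check_site() {
    host=$1
    openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null |
        openssl x509 -noout -text 2>/dev/null |
        crl_urls_from_text |
        while read -r url; do
            printf '%s  ' "$url"
            fetch_crl "$url" || echo "FETCH FAILED (curl exit $?)"
        done
}

# Usage: ./crl_check.sh www.example.com   (script name is a placeholder)
if [ "$#" -gt 0 ]; then check_site "$1"; fi
```

Export `http_proxy` first if the egress path uses a proxy. A large `dns=` figure points at the resolver rather than the CRL server.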