
Certificate defaultCert cannot be validated; Reason: Could not retrieve CRL

Question asked by 382ebafb-1684-4a9a-a883-d718abdbc04c on Jan 13, 2019
Latest reply on Jan 18, 2019 by 382ebafb-1684-4a9a-a883-d718abdbc04c

Hi-

We are seeing this alert every two hours on an open server HA cluster (77.30). Our mgmt server is 80.10 (VM) and other clusters in the environment are all 80.10, also open servers. I've confirmed the cluster throwing the alert can reach the mgmt server. We use this cluster, in part, to collect logs from two Windows Identity Collector servers and this seems to have started at the same time those were stood up. Based on the alert log detail we enabled the VPN blade (it was not enabled previously), renewed the certificate, and disabled the VPN blade (pushing policy along the way). This cluster has never been used as part of VPN proper. Curious to know if folks have thoughts on a potential cause or what I may be able to collect to further investigate? Thank you.

 

emailed error message

HeaderDateHour: 13Jan2019 15:31:14; ContentVersion: 1; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: N/A; Action: keyinst; Origin: Firewall6; IfDir: >; InterfaceName: daemon; Alert: useralert; OriginSicName: N/A; OriginSicName: ; HighLevelLogKey: 18446744073709551615; scheme:: NA; Validation log:: Certificate defaultCert cannot be validated.; Reason:: Could not retrieve CRL.; Serial num:: ; DN:: CN=EProdCluster VPN Certificate,O=mgmt101.domainname.com.hppeee ; Instruction:: If this log persists, contact the CA administrator.; fw_subproduct: VPN-1; vpn_feature_name: IKE; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

 

HeaderDateHour: 13Jan2019 15:31:17; ContentVersion: 1; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: N/A; Action: keyinst; Origin: Firewall7; IfDir: >; InterfaceName: daemon; Alert: useralert; OriginSicName: N/A; OriginSicName: ; HighLevelLogKey: 18446744073709551615; scheme:: NA; Validation log:: Certificate defaultCert cannot be validated.; Reason:: Could not retrieve CRL.; Serial num:: ; DN:: CN=EProdCluster VPN Certificate,O=mgmt101.domainname.com.hppeee ; Instruction:: If this log persists, contact the CA administrator.; fw_subproduct: VPN-1; vpn_feature_name: IKE; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;
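
An added example, not part of the original post and not Check Point tooling: a small Python parser for the emailed alert format shown above that groups the "Could not retrieve CRL" alerts by gateway and certificate DN and measures how often they recur. The sample input is constructed from the two alerts in the post (shortened) plus one invented repeat, and the function names are hypothetical.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample: the two alerts from the post, shortened, plus one
# invented repeat two hours later to exercise the recurrence calculation.
SAMPLE = """\
HeaderDateHour: 13Jan2019 15:31:14; Action: keyinst; Origin: Firewall6; Alert: useralert; OriginSicName: N/A; OriginSicName: ; Validation log:: Certificate defaultCert cannot be validated.; Reason:: Could not retrieve CRL.; Serial num:: ; DN:: CN=EProdCluster VPN Certificate,O=mgmt101.domainname.com.hppeee ; vpn_feature_name: IKE;
HeaderDateHour: 13Jan2019 15:31:17; Action: keyinst; Origin: Firewall7; Alert: useralert; Reason:: Could not retrieve CRL.; Serial num:: ; DN:: CN=EProdCluster VPN Certificate,O=mgmt101.domainname.com.hppeee ; vpn_feature_name: IKE;
HeaderDateHour: 13Jan2019 17:31:14; Action: keyinst; Origin: Firewall6; Alert: useralert; Reason:: Could not retrieve CRL.; Serial num:: ; DN:: CN=EProdCluster VPN Certificate,O=mgmt101.domainname.com.hppeee ; vpn_feature_name: IKE;
"""

def parse_alert(line):
    """Split one 'key: value;' alert line into a dict (some keys use '::')."""
    fields = {}
    for part in line.split(";"):
        key, sep, value = part.partition(":")   # first colon only, so times survive
        key, value = key.strip(), value.lstrip(":").strip()
        if not sep or not key:
            continue
        # Keys repeat (OriginSicName appears twice); keep the first real value
        # and drop empty or N/A placeholders such as the blank serial number.
        if value and value != "N/A" and key not in fields:
            fields[key] = value
    return fields

def crl_failures(text):
    """Group 'Could not retrieve CRL' alerts by (gateway, certificate DN)."""
    seen = defaultdict(list)
    for line in text.splitlines():
        f = parse_alert(line)
        if "Could not retrieve CRL" not in f.get("Reason", ""):
            continue
        if "HeaderDateHour" not in f:
            continue  # no timestamp to work with
        when = datetime.strptime(f["HeaderDateHour"], "%d%b%Y %H:%M:%S")
        seen[(f.get("Origin", "?"), f.get("DN", "?"))].append(when)
    return {k: sorted(v) for k, v in seen.items()}

def recurrence_hours(times):
    """Gaps between consecutive alerts for one gateway, in hours."""
    return [(b - a).total_seconds() / 3600 for a, b in zip(times, times[1:])]

if __name__ == "__main__":
    for (origin, dn), times in crl_failures(SAMPLE).items():
        print(origin, dn, len(times), recurrence_hours(times))
```

A steady gap per gateway points at a periodic CRL fetch rather than traffic-driven validation, and the empty `Serial num` field shows up as a missing key in the parsed record.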

 
