CRL Fetching recommendation
Hi all,
this week I reinstalled our management node with a fresh installation of R80.20.M2.
During the installation / configuration the management node was down for some hours.
During this time we lost connection to different IPsec tunnels between our Check Point appliances (SMB 1400 / 1100).
After the management node was up again, they all came back after some time.
I think this problem is caused because CRL fetching is set to fetch a new CRL after 24h.
My question would now be whether it could cause a problem if I set CRL fetching to a higher value (for example 5 days). In case of a big management issue (hardware fault, big configuration issues, ...) I think we could run into a big issue if all of our tunnels go down within 24h.
So does anybody know if this could have any side effects when I set CRL fetching to 120h?
Thanks.
Florian
The most obvious thing is your gateways will accept certificates that are revoked for longer than they would normally.
Hi Phoneboy, hi @the_rock,
if you all could help me out with this please.
How can we check when the CRL cache will expire on the gateway? Because we have some maintenance to do on the SMS and we are afraid that the gateway cache will expire right when the SMS is down.
By default the cache expiry is set to 24 hours, but when will that 24h begin and end?
The command:
vpn crlview -obj <MyObj> -cert <MyCert>
does not show the cache expiry on the gateway but rather fetches the CRL from the CA.
The output of the above command gives the impression that the cache expiry is 7 days when we actually set it to 24 hours, so I doubt that those dates are for the cache expiry.
Output:
[Expert@G2:0]# vpn crlview -obj GW-194 -cert defaultCert
1 X509 CRLs
Issuer: O=Reporter-196..7ddn8g
This update: Sun Jun 21 14:05:10 2015 Local Time
Next update: Sun Jun 28 14:05:10 2015 Local Time
Extensions:
Issuing distribution points (Critical):
URI: http://Reporter-196:18264/ICA_CRL1.crl
DN: CN=ICA_CRL1,O=Reporter-196..7ddn8g
thank you.
I don't believe you would have that issue, but since Gaia is based on Linux, this link may help.
Andy
https://stackoverflow.com/questions/20918695/how-to-check-expiration-date-of-crl-file
Hi Andy,
thank you for your response.
The command in the link specifies locating the certificate file, which is actually located on the management server and not on the gateway. Nonetheless I ran that command on the gateway:
openssl crl -in ICA_CRL1.crl -text
but it returned "command not found".
I believe the 24 hours is from the last VPN rekey.
In any case, if you're looking for a precise answer here, I suggest TAC.
What version? Works fine in my lab.
Andy
[Expert@CP-GW:0]# vpn crlview -obj CP-GW -cert defaultCert
1 X509 CRLs
Issuer: O=CP-MANAGEMENT..pi6w5j
This update: Mon Sep 2 05:41:23 2024 Local Time
Next update: Mon Sep 9 05:41:23 2024 Local Time
Extensions:
Issuing distribution points (Critical):
URI: http://CP-MANAGEMENT:18264/ICA_CRL1.crl
DN: CN=ICA_CRL1,O=CP-MANAGEMENT..pi6w5j
Certificate #80817
Revoked at Sat Aug 31 11:41:23 2024 Local Time
Certificate #17845
Revoked at Sat Aug 31 11:41:23 2024 Local Time
Certificate #53551
Revoked at Sat Aug 31 11:41:23 2024 Local Time
Certificate #56088
Revoked at Sat Aug 31 11:41:23 2024 Local Time
Certificate #98453
Revoked at Sat Aug 31 11:41:23 2024 Local Time
Certificate #96337
Revoked at Sat Aug 31 11:41:23 2024 Local Time
Certificate #68546
Revoked at Sat Aug 31 11:41:23 2024 Local Time
Certificate #79661
Revoked at Sat Aug 31 11:41:23 2024 Local Time
Certificate #83554
Revoked at Sat Aug 31 11:41:23 2024 Local Time
[Expert@CP-GW:0]#
Hi Simo
I just came across this post. It seems this doesn't show the CRL cache, it shows the CRL lifetime which is 7 days. The CRL cache is normally set to 24 hours. Do you know how to check the CRL cache on the gateway?
Thanks
I will check later myself in the lab too.
Andy
Thank you.
I will enable the ICA management tool on my management server, as I had to build a new lab recently, but the below does give some info; it's not perfect, but it appears to be accurate.
Andy
Thanks, I tried that. It downloads the CRL file, which shows the 7-day timeout as well, the same as the command:
vpn crlview -obj CP-GW -cert defaultCert
I could not find how to check the current validity of the CRL cache on the gateway, but we can reset the cache on the gateway, meaning that we can reset that 24h and would then know when it begins and when it ends.
The command below clears the cache on the gateway, and the other one fetches it again:
# vpn crl_zap
To fetch the CRL from the SMS and start the 24h:
# vpn crlview -obj CP-GW -cert defaultCert
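The thread never finds a command that prints the cache timer itself, so the practical approach is the one in the post above: note the moment you ran `vpn crl_zap` plus `vpn crlview` and compute from there. The script below is an added example (not from this thread or from Check Point) that parses the `vpn crlview` output format shown earlier, extracts This update / Next update and the revoked serials, and checks a planned SMS maintenance window against both the cache lifetime and the CRL's own Next update. It assumes, as the posts here do, that the cache timer starts at the fetch and that a gateway simply refreshes again at expiry while the SMS is reachable; the sample output and the window times are constructed, and `ts` is a helper defined here. Raising the cache lifetime (the 120h the original poster asks about) is modelled too, with the trade-off PhoneBoy named: revoked certificates stay trusted for that long.

```python
"""Plan an SMS outage around the gateway CRL cache (added example, not Check Point code)."""
from datetime import datetime, timedelta
import re

# Constructed sample in the shape of the thread's 'vpn crlview -obj ... -cert ...' output.
SAMPLE_CRLVIEW = """1 X509 CRLs
Issuer: O=CP-MANAGEMENT..pi6w5j
This update: Wed Sep 4 14:47:58 2024 Local Time
Next update: Wed Sep 11 14:47:58 2024 Local Time
Extensions:
Issuing distribution points (Critical):
URI: http://CP-MANAGEMENT:18264/ICA_CRL1.crl
DN: CN=ICA_CRL1,O=CP-MANAGEMENT..pi6w5j
Certificate #56088
Revoked at Wed Sep 4 14:47:58 2024 Local Time
Certificate #53551
Revoked at Wed Sep 4 14:47:58 2024 Local Time
"""

_CRLVIEW_TS = "%a %b %d %H:%M:%S %Y"   # e.g. 'Wed Sep 4 14:47:58 2024' (single-digit day accepted)


def ts(s):
    """Helper for this example: 'YYYY-MM-DD HH:MM' -> naive local datetime."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def parse_crlview(text):
    """Extract This update / Next update and the revoked serial numbers from crlview output."""
    updates, revoked = {}, []
    for raw in text.splitlines():
        line = re.sub(r"\s+", " ", raw.strip())          # collapse padded day fields
        m = re.match(r"^(This|Next) update: (.+?) Local Time$", line)
        if m:
            updates[m.group(1).lower()] = datetime.strptime(m.group(2), _CRLVIEW_TS)
            continue
        m = re.match(r"^Certificate #(\d+)$", line)
        if m:
            revoked.append(int(m.group(1)))
    if set(updates) != {"this", "next"}:
        raise ValueError("no This/Next update lines found; was the CRL fetched?")
    return {"this_update": updates["this"], "next_update": updates["next"], "revoked": revoked}


def plan_outage(crl, last_fetch, cache_hours, window_start, window_end):
    """Decide whether the gateway's CRL cache runs out while the SMS is down.

    Assumptions (not confirmed by the thread): the cache is valid for cache_hours
    after the fetch (e.g. the crlview run after crl_zap), and while the SMS is up
    the gateway refreshes at expiry, so only the first expiry at or after the
    window start matters.
    """
    ttl = timedelta(hours=cache_hours)
    expiry = last_fetch + ttl
    while expiry < window_start:          # refreshes that happen before the outage
        expiry += ttl
    refresh_after = window_end - ttl      # a fetch later than this outlives the window
    return {
        "cache_expiry": expiry,
        "cache_expires_in_window": expiry <= window_end,
        # Past Next update the cached CRL is stale regardless of the cache timer;
        # only a reachable SMS can issue a fresh one.
        "crl_stale_in_window": crl["next_update"] <= window_end,
        "refresh_after": refresh_after,
        "refresh_before": window_start,
        # If the window is longer than the cache lifetime, no refresh timing saves you.
        "refresh_feasible": refresh_after < window_start,
    }


if __name__ == "__main__":
    crl = parse_crlview(SAMPLE_CRLVIEW)
    # Assume crl_zap + crlview were run right when this CRL was issued.
    for hours in (24, 120):
        plan = plan_outage(crl, crl["this_update"], hours, ts("2024-09-06 00:00"), ts("2024-09-07 12:00"))
        print(f"cache lifetime {hours}h: {plan}")
```

For a 36-hour window with the default 24-hour cache the script reports that no refresh timing is feasible, which is exactly the situation in which the original poster's longer fetch interval (or a secondary management server) is the only option; with a 120-hour cache the same window passes, at the cost of the gateways trusting any certificate revoked in the meantime for up to five days.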
Correct, you are 100% right. I will continue to check in the lab.
Best,
Andy
OK, thank you for that information. So nothing else should happen when this option is changed, but when the management server is down I will have more time to solve the problem before all tunnels go down. Is this right?
As I understand it, you are correct.
The following article describes the flow and the reason for VPN outages if the CRL cannot be fetched from management:
VPNs go down within 24 hours after primary Security Management server goes down.
Do you have only one management server without HA?
I suspect that the VPN outage was between gateways managed from the same management server / domain. These gateways use certificates (somehow related to the CRL) instead of a shared secret.
Jozko Mrkvicka
Thanks. I have seen this article. We only have one SMS. The issue is that the VPNs went down after only a few hours of it being down.
After some troubleshooting I noticed that they started going down roughly at the time shown in the output of the command listed above:
(vpn crlview -obj CP-GW -cert defaultCert)
Specifically the time shown as "Revoked at":
Revoked at Sat Aug 31 11:41:23 2024 Local Time
Output copied from the post above:
[Expert@CP-GW:0]# vpn crlview -obj CP-GW -cert defaultCert
1 X509 CRLs
Issuer: O=CP-MANAGEMENT..pi6w5j
This update: Mon Sep 2 05:41:23 2024 Local Time
Next update: Mon Sep 9 05:41:23 2024 Local Time
Extensions:
Issuing distribution points (Critical):
URI: http://CP-MANAGEMENT:18264/ICA_CRL1.crl
DN: CN=ICA_CRL1,O=CP-MANAGEMENT..pi6w5j
Certificate #80817
Revoked at Sat Aug 31 11:41:23 2024 Local Time
Certificate #17845
Revoked at Sat Aug 31 11:41:23 2024 Local Time
Hey mate,
I will do a little more digging, but after I enabled the ICA management tool, I tested the below.
Andy
[Expert@CP-GW:0]# vpn crlview -obj CP-GW
Error: certificate object name is missing
Usage: vpn crlview -obj <network object> -cert <certobj>
or: vpn crlview -f <certfile>
or: vpn crlview -view <crlfile>
[Expert@CP-GW:0]# vpn crlview -obj CP-GW -cert defaultCert
1 X509 CRLs
Issuer: O=CP-MANAGEMENT..pi6w5j
This update: Wed Sep 4 14:47:58 2024 Local Time
Next update: Wed Sep 11 14:47:58 2024 Local Time
Extensions:
Issuing distribution points (Critical):
URI: http://CP-MANAGEMENT:18264/ICA_CRL1.crl
DN: CN=ICA_CRL1,O=CP-MANAGEMENT..pi6w5j
Certificate #56088
Revoked at Wed Sep 4 14:47:58 2024 Local Time
Certificate #53551
Revoked at Wed Sep 4 14:47:58 2024 Local Time
Certificate #96337
Revoked at Wed Sep 4 14:47:58 2024 Local Time
Certificate #79661
Revoked at Wed Sep 4 14:47:58 2024 Local Time
Certificate #80817
Revoked at Wed Sep 4 14:47:58 2024 Local Time
Certificate #68546
Revoked at Wed Sep 4 14:47:58 2024 Local Time
Certificate #83554
Revoked at Wed Sep 4 14:47:58 2024 Local Time
Certificate #17845
Revoked at Wed Sep 4 14:47:58 2024 Local Time
Certificate #98453
Revoked at Wed Sep 4 14:47:58 2024 Local Time
[Expert@CP-GW:0]#
Thanks, that looks handy. How did you do that? Unfortunately the screenshot only shows the lifetime of the cert (in years).
Thanks
There is an SK to enable the ICA tool on the management server; it takes literally 5 minutes, super easy. Once you log in on port 18265, you see that menu, but I'm trying to figure out if there is a setting to see the CRL validity.
Andy
I downloaded 2 .crl files from the ICA management tool, so I'm trying to see if I can "extract" anything from there. @velo, since I can't attach them here, if you want, we can connect offline and I can share them, and see if we can figure something out. It's a lab anyway, so nothing secretive haha
Andy
Thanks, sent a DM 🙂
Just responded.