Symptom
A certificate validation fails when CRL is not available even though it should fall back to none.
Conditions
The issue was found in IOS-XE 16.6.4.
Revocation check configured to use CRL and fall back to "none" if needed: "revocation-check crl none".
CRL cannot be verified (CDP URL was not reachable in the investigated case).
Workaround
Configure "revocation-check none".
Make sure CRL can be verified successfully.
Further Problem Description
The issue may affect other software releases.
