Symptom
The system crashes. After the crash, the following message appears in the syslog every 5 seconds:
%PKI-3-CRL_FETCH_FAIL: CRL fetch for trustpoint DNAC-CA failed
Reason : Failed to select socket. Timeout : 5 (Connection timed out)
The router is unable to fetch the CRL referenced by the DNAC-CA trustpoint, and each fetch attempt times out after 5 seconds.
or
%PKI-3-CRL_FETCH_FAIL: CRL fetch for trustpoint DNAC-CA failed
Reason : Enrollment URL not configured
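As an added example (not part of the original note), the following Python snippet parses syslog output for the two messages quoted above, attaches the separate "Reason :" line to the failure that precedes it, and measures how regularly the failure repeats, so a log pipeline can distinguish the persistent every-5-seconds pattern from a one-off fetch error. The syslog excerpt in the block is constructed for the example; the hostname, timestamps and the unrelated %SYS message between the failures are invented.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed syslog excerpt in the shape of the messages quoted in the note.
# Hostname, dates and the unrelated %SYS-5-CONFIG_I line are invented.
SAMPLE_SYSLOG = """\
Jan 10 12:00:00 router1: %PKI-3-CRL_FETCH_FAIL: CRL fetch for trustpoint DNAC-CA failed
Jan 10 12:00:00 router1: Reason : Failed to select socket. Timeout : 5 (Connection timed out)
Jan 10 12:00:03 router1: %SYS-5-CONFIG_I: Configured from console by admin on vty0
Jan 10 12:00:05 router1: %PKI-3-CRL_FETCH_FAIL: CRL fetch for trustpoint DNAC-CA failed
Jan 10 12:00:05 router1: Reason : Failed to select socket. Timeout : 5 (Connection timed out)
Jan 10 12:00:10 router1: %PKI-3-CRL_FETCH_FAIL: CRL fetch for trustpoint DNAC-CA failed
Jan 10 12:00:10 router1: Reason : Enrollment URL not configured
"""

TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})"
FAIL_RE = re.compile(
    TS + r" \S+: %PKI-3-CRL_FETCH_FAIL: CRL fetch for trustpoint (?P<tp>\S+) failed$"
)
REASON_RE = re.compile(TS + r" \S+: Reason : (?P<reason>.+)$")


def parse_crl_failures(text):
    """Return (timestamp, trustpoint, reason) tuples, one per CRL_FETCH_FAIL line.

    IOS emits the 'Reason :' text as a second syslog line; it is attached to
    the most recent failure that has no reason yet.  A failure whose reason
    line never arrives keeps reason=None.
    """
    events = []
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            events.append([ts, m.group("tp"), None])
            continue
        r = REASON_RE.match(line)
        if r and events and events[-1][2] is None:
            events[-1][2] = r.group("reason").strip()
    return [tuple(e) for e in events]


def summarize(events):
    """Per trustpoint: failure count, reasons seen, and the median gap in
    seconds between consecutive failures (None when there is only one)."""
    by_tp = defaultdict(list)
    for ts, tp, reason in events:
        by_tp[tp].append((ts, reason))
    summary = {}
    for tp, items in by_tp.items():
        times = sorted(t for t, _ in items)
        gaps = sorted((b - a).total_seconds() for a, b in zip(times, times[1:]))
        summary[tp] = {
            "count": len(items),
            "reasons": Counter(r for _, r in items),
            "median_gap_s": gaps[len(gaps) // 2] if gaps else None,
        }
    return summary


def persistent_failures(summary, min_count=3, max_gap_s=10.0):
    """Trustpoints whose CRL fetch keeps failing at a short, regular interval,
    i.e. the pattern the note describes (one failure every 5 seconds)."""
    return sorted(
        tp for tp, s in summary.items()
        if s["count"] >= min_count
        and s["median_gap_s"] is not None
        and s["median_gap_s"] <= max_gap_s
    )


if __name__ == "__main__":
    summ = summarize(parse_crl_failures(SAMPLE_SYSLOG))
    for tp, s in summ.items():
        print(f"{tp}: {s['count']} failures, median gap {s['median_gap_s']} s")
        for reason, n in s["reasons"].most_common():
            print(f"    {n} x {reason}")
    print("persistent:", persistent_failures(summ))
```

Feed it the output of `show logging` or the syslog collector's export; a trustpoint listed by `persistent_failures` is one whose CDP the device cannot reach (or, on the affected release, one hitting this bug), and the reason counter shows which of the two quoted reasons dominates.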
Conditions
This issue was found on an ISR 4K running 17.5.1a (other platforms and releases may be affected). A DNAC-CA trustpoint was configured, containing a certificate that refers to a CRL Distribution Point (CDP); however, the device was unable to download the CRL from the CDP, as indicated by the %PKI-3-CRL_FETCH_FAIL errors.
Example of the affected configuration:
crypto pki trustpoint DNAC-CA
 enrollment mode ra
 enrollment terminal
 usage ssl-client
 revocation-check crl none   <<< affected setting
Workaround
There are multiple potential workarounds:
Workaround 1:
Make sure the CDP is reachable from the device, so the CRL download does not fail.
Workaround 2:
If using Cisco DNA Center 2.3.4.0 or later to manage the device, follow these steps to disable the CRL check:
1) In the Cisco DNA Center GUI, navigate to Design > Network Settings > Security and Trust, and select "Revocation - Check: None" from the dropdown.
2) Navigate to Provision > Inventory, select the device, and select Actions > Telemetry > Update Telemetry Settings; make sure the "Force Configuration Push" checkbox is checked, click Next, optionally choose when to deploy the change, and click Apply.
Workaround 3:
If the device is managed by Cisco DNA Center 2.3.3.x or older, or is not managed by Cisco DNA Center, then manually disable the CRL check on the device:
crypto pki trustpoint DNAC-CA
 revocation-check none
PLEASE NOTE: disabling the CRL check may weaken security. If the Cisco DNA Center certificate gets revoked and is placed on the CRL, the device will not be aware of this and will still consider the certificate as valid.
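As an added example (not the note's own tooling), the following Python audit parses the crypto pki trustpoint stanzas out of a running-config and classifies each one's revocation-check setting, so a trustpoint left on the Workaround 3 setting can be found and reviewed once a fixed release is installed. The config excerpt is constructed: the trustpoint names other than DNAC-CA and the enrollment URL are invented, and the semantics reported for "crl none" (try the CRL, accept the certificate if the fetch fails) are those of the IOS command form shown in the Conditions section.

```python
import re

# Constructed running-config excerpt (not from the note): one stanza with the
# setting shown under Conditions, one with the Workaround 3 setting, and one
# stricter stanza for contrast.  Names other than DNAC-CA and the URL are invented.
SAMPLE_CONFIG = """\
!
crypto pki trustpoint DNAC-CA
 enrollment mode ra
 enrollment terminal
 usage ssl-client
 revocation-check crl none
!
crypto pki trustpoint DNAC-CA-RELAXED
 enrollment terminal
 revocation-check none
!
crypto pki trustpoint CORP-CA
 enrollment url http://ca.example.internal:80
 revocation-check crl
!
"""

STANZA_RE = re.compile(r"^crypto pki trustpoint (\S+)\s*$")


def parse_trustpoints(config):
    """Map trustpoint name -> list of its indented sub-commands.

    IOS prints sub-commands indented by one space and closes each stanza with
    '!' or the next top-level command; either ends collection here.
    """
    tps, current = {}, None
    for raw in config.splitlines():
        m = STANZA_RE.match(raw)
        if m:
            current = m.group(1)
            tps[current] = []
        elif current is not None and raw.startswith(" "):
            tps[current].append(raw.strip())
        else:
            current = None
    return tps


def audit_trustpoint(sub_cmds):
    """Classify one trustpoint's revocation checking and enrollment method."""
    methods, enrollment = None, "not configured"
    for cmd in sub_cmds:
        if cmd.startswith("revocation-check "):
            methods = cmd.split()[1:]          # e.g. ['crl', 'none']
        elif cmd == "enrollment terminal":
            enrollment = "terminal"
        elif cmd.startswith("enrollment url "):
            enrollment = "url " + cmd.split(" ", 2)[2]
    if methods is None:
        finding, risk = "revocation-check not set; platform default applies", "review"
    elif methods == ["none"]:
        finding = ("revocation checking disabled: a revoked certificate listed on "
                   "the CRL would still be accepted")
        risk = "weakened"
    elif "crl" in methods and "none" in methods:
        finding = ("CRL fetched first with 'none' fallback: a failed fetch does not "
                   "block validation, but %PKI-3-CRL_FETCH_FAIL is still logged")
        risk = "degraded-if-cdp-unreachable"
    elif "crl" in methods:
        finding = ("CRL required: validation fails while the CDP is unreachable; "
                   "confirm the CDP is reachable from the device")
        risk = "strict"
    else:
        finding, risk = "revocation-check uses " + " ".join(methods), "review"
    return {"methods": methods, "enrollment": enrollment,
            "risk": risk, "finding": finding}


def audit_config(config):
    """Audit every trustpoint in a running-config; returns name -> result."""
    return {name: audit_trustpoint(cmds)
            for name, cmds in parse_trustpoints(config).items()}


if __name__ == "__main__":
    for name, res in audit_config(SAMPLE_CONFIG).items():
        print(f"{name}: [{res['risk']}] enrollment={res['enrollment']}; {res['finding']}")
```

Run it against the text of `show running-config`; every trustpoint reported as "weakened" is one where the Workaround 3 setting (or an equivalent) is in force and should be revisited once the device runs a fixed release.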
Check the fixed releases: the bug is resolved in 17.6.6.