If a CRL (Certificate Revocation List) file is loaded manually on an SRX, Internet Key Exchange (IKE) VPN connections that use certificates may fail after the device reboots or the ipsec-key-management service restarts.
The goal is to avoid IKE establishment failures after a reboot.
If you load the CRL manually, as below:
root@srx> request security pki crl load ca-profile example-ca filename crl.txt
You can confirm that it is loaded:
root@srx> show security pki crl
CA profile: example-ca
CRL version: V00000001
CRL issuer: C = NL, ST = CA State, L = Amsterdam, O = CA Example LTD, OU = CA Org, CN = ca.example.com, emailAddress = ca@example.com
Effective date: 01-16-2014 14:37 UTC
Next update: 02-15-2014 14:37 UTC
And that IKE is also established:
root@srx> show security ike sa
Index State Initiator cookie Responder cookie Mode Remote Address
6402175 UP 2583d5357c288768 24086b8dfb039138 Main 172.30.147.11
SRX attempts to download a new CRL based on a configured refresh-interval, even though the CRL currently loaded may still be valid based on the Next-Update time on the current CRL.
If the system is unable to download a CRL based on the refresh-interval, certificates are treated as revoked even though the certificate is not revoked based on the currently loaded CRL. This behavior is valid for both manually loaded CRLs and dynamically loaded CRLs.
Note: If a refresh-interval is not configured, the system attempts to download a new CRL upon a reboot of the device or a restart of the ipsec-key-management service.
If a CRL is loaded manually, change the default behavior by setting the following in the configuration (the option lives under the security pki ca-profile hierarchy):
#set security pki ca-profile example-ca revocation-check crl disable on-download-failure
If a CRL is loaded manually, the disable on-download-failure option must be used, as the administrator guarantees that the CRL present in the device is valid.
Note that this configuration option does not disable the revocation check.
However, it modifies the default behavior in such a way that even if the CRL download fails, certificates are still checked against the local CRL file for revocation status.
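The following is an added configuration example, not part of the original article, showing a complete ca-profile that combines a scheduled CRL refresh with the on-download-failure setting described above, followed by the commands used to verify the result. The CA identity, CRL URL and 24-hour refresh interval are assumed values for illustration; substitute your own.

```junos
# Added example: ca-profile with scheduled CRL refresh and local-CRL fallback.
# The CA identity, URL and interval below are assumed values, not from the article.
set security pki ca-profile example-ca ca-identity example-ca
set security pki ca-profile example-ca revocation-check crl url http://crl.example.com/ca.crl
# Refresh every 24 hours; without this the SRX only tries to download a new CRL
# after a reboot or an ipsec-key-management restart.
set security pki ca-profile example-ca revocation-check crl refresh-interval 24
# If the download fails, keep checking certificates against the CRL already on
# the device instead of treating every certificate as revoked.
set security pki ca-profile example-ca revocation-check crl disable on-download-failure
commit

# Verify that the loaded CRL is still within its validity window (Next update)
# and that the tunnel came up after the restart.
run show security pki crl ca-profile example-ca
run show security ike sa
```

After a reboot, confirm that the Next update date shown by show security pki crl has not passed; the on-download-failure setting only keeps the local CRL in use, it does not extend a CRL that has already expired.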