IKE establishment fails after SRX reboots if a CRL is loaded manually



Article ID: KB28736 KB Last Updated: 23 Apr 2014 Version: 1.0

If a CRL (Certificate Revocation List) file is manually loaded in SRX, Internet Key Exchange (IKE) VPN connections using Certificates may fail after rebooting the device or restarting the ipsec-key-management service.


The goal is to avoid any IKE establishment issues after a reboot.

If you load a CRL manually as below:

root@srx> request security pki crl load ca-profile example-ca filename crl.txt

You can confirm that it is loaded:

root@srx> show security pki crl
CA profile: example-ca
CRL version: V00000001
CRL issuer: C = NL, ST = CA State, L = Amsterdam, O = CA Example LTD, OU = CA Org, CN =, emailAddress =
Effective date: 01-16-2014 14:37 UTC
Next update: 02-15-2014 14:37 UTC

And that IKE is also established:

root@srx> show security ike sa
Index State Initiator cookie Responder cookie Mode Remote Address
6402175 UP 2583d5357c288768 24086b8dfb039138 Main

SRX attempts to download a new CRL based on a configured refresh-interval, even though the CRL currently loaded may still be valid based on the Next-Update time on the current CRL.

If the system is unable to download a CRL based on the refresh-interval, certificates are treated as revoked even though the certificate is not revoked based on the currently loaded CRL. This behavior is valid for both manually loaded CRLs and dynamically loaded CRLs.

Note: If a refresh-interval is not configured, the system attempts to download a new CRL upon a reboot of the device or a restart of the ipsec-key-management service.


If a CRL is loaded manually, change the default behavior by setting the following in the configuration:

# set security pki ca-profile example-ca revocation-check crl disable on-download-failure

If a CRL is loaded manually, the disable on-download-failure option must be used, as the administrator guarantees that the CRL present in the device is valid.

Note that this configuration option does not disable the revocation check.

However, it modifies the default behavior in such a way that even if the CRL download fails, certificates are still checked against the local CRL file for revocation status.
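
With this option set, revocation decisions depend on the local CRL file, so the Next update field is worth monitoring. The following Python is an added example, not Juniper code: it parses output in the format shown above for `show security pki crl` and classifies each CRL by its Next update time. The 7-day warning window and the MM-DD-YYYY HH:MM UTC date form are assumptions taken from the sample output.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample, modelled on the `show security pki crl` output above.
SAMPLE_OUTPUT = """\
CA profile: example-ca
CRL version: V00000001
CRL issuer: C = NL, ST = CA State, L = Amsterdam, O = CA Example LTD, OU = CA Org
Effective date: 01-16-2014 14:37 UTC
Next update: 02-15-2014 14:37 UTC
"""

# Assumption: dates always use the form shown in the article's sample output.
DATE_FORMAT = "%m-%d-%Y %H:%M UTC"


def parse_crl_output(text):
    """Return one dict per CA profile found in `show security pki crl` output."""
    profiles = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # split on the first colon only
        if not sep:
            continue  # prompt lines and blanks carry no field
        key, value = key.strip().lower(), value.strip()
        if key == "ca profile":
            profiles.append({"ca_profile": value})
        elif profiles and key in ("effective date", "next update"):
            stamp = datetime.strptime(value, DATE_FORMAT)
            profiles[-1][key.replace(" ", "_")] = stamp.replace(tzinfo=timezone.utc)
    return profiles


def crl_status(profile, now, warn_before=timedelta(days=7)):
    """Classify a parsed CRL as 'missing-date', 'expired', 'expiring' or 'ok'."""
    next_update = profile.get("next_update")
    if next_update is None:
        return "missing-date"
    if now >= next_update:
        return "expired"
    if now >= next_update - warn_before:  # hypothetical warning window
        return "expiring"
    return "ok"


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for p in parse_crl_output(SAMPLE_OUTPUT):
        print(p["ca_profile"], crl_status(p, now))
```
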
