Why CRL will download automatically to NetScreen-Remote Client

Posted on 2009-04-30
Last Modified: 2012-05-06

I have one user who always has the CRL downloaded automatically into his NetScreen-Remote client, which makes his current certificate (which should not be renewed until the end of the year) become invalid.

In order to resolve it, the user has to delete the CRL manually from the CRLs tab under the Juniper Certificate Manager every time he disconnects from the company network and connects to his ISP at home. Please see the attached example screenshot of Certificate Manager.

I would like to know what settings will trigger the CRL download. Or could some other settings on Windows XP cause the download? Kindly be advised that none of our VPN users have this problem but him.

For your information,
We have our own CA and use it for certificate-based authentication, which links to our AD.
Our NetScreen-Remote version is 10.8.3 (Build 6) and runs on XP.

If you have had a similar problem and were able to resolve it, I would appreciate it if you could share with me.

Thank you.
Question by:FphcareEnginner

    Author Comment

    NSR Certificate Manager

    Accepted Solution

    First of all, see this link for some more info on the configuring of the cert etc in SNR and on the firewall, in case there are some discrepancies here.

    Have you double-checked the time and date on the firewall, the client and on the CA? Just to make sure all are in sync?

    Regarding the client cert itself, it may be worth revoking the current cert fully,  machines via an updated CRL and then re-creating the user cert and installing that.

    At the moment, I am unaware of any NSR related issues that could cause this; however, generic CA and CRL problems may be contributing.

    Expert Comment

    I agree with deimark - check to see if the cert is actually revoked (which may be why the CRL is giving problems...) and if not, revoke it and issue a new cert. If it becomes a bigger issue somehow, I would suggest trying on a different box, creating a new profile, using a different smartcard, etc. in case there is corruption or underlying hardware issues.

    I highly recommend against disabling CRL checking - this is bad security practice - if you do this, why do you have certs in the first place?
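
The two checks suggested in the answers above (is the certificate actually listed in the CRL, and are the clocks in sync), as an added example that is not part of the original thread: a Python script that reads the text dump printed by `openssl crl -inform DER -in ca.crl -noout -text` and reports which condition applies. The sample CRL text, the serial numbers, the file name and the `diagnose` function are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample of `openssl crl -inform DER -in ca.crl -noout -text` output.
SAMPLE_CRL_TEXT = """\
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Issuer: DC = example, CN = Example Issuing CA
        Last Update: Apr 28 09:00:00 2009 GMT
        Next Update: May  5 21:20:00 2009 GMT
Revoked Certificates:
    Serial Number: 611A2B3C000000000012
        Revocation Date: Mar  3 10:15:00 2009 GMT
    Serial Number: 611A2B3C00000000002F
        Revocation Date: Apr 27 16:40:00 2009 GMT
"""

def _when(text, label):
    """Return the '<label>: Mon DD HH:MM:SS YYYY GMT' field as an aware UTC datetime."""
    stamp = re.search(rf"{label}:\s*(.+?)\s+GMT", text).group(1)
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)

def _norm(serial):
    """Normalise 'serial=61:1a:..', '0x61..' or '611A..' to bare upper-case hex."""
    s = serial.split("=")[-1].replace(":", "").strip().upper()
    return (s[2:] if s.startswith("0X") else s).lstrip("0") or "0"

def diagnose(crl_text, cert_serial, client_now):
    """Say why a client holding this CRL would accept or reject the certificate."""
    revoked = {_norm(s) for s in re.findall(r"Serial Number:\s*([0-9A-Fa-f:]+)", crl_text)}
    if _norm(cert_serial) in revoked:
        return "revoked"             # the CRL really lists it: reissue, do not delete the CRL
    if client_now < _when(crl_text, "Last Update"):
        return "crl-not-yet-valid"   # client clock behind the CA: fix time sync
    if client_now > _when(crl_text, "Next Update"):
        return "crl-expired"         # stale CRL or client clock ahead: refresh or fix time
    return "good"
```

Pass the serial exactly as `openssl x509 -in user.pem -noout -serial` prints it, and the affected PC's own clock reading as `client_now`, so a skewed clock shows up in the result.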
