Symptom
AnyConnect sessions fail when the LDAP-based CRL check receives no response, even though the revocation-check fallback option NONE is configured.
The following error message is seen in the debugs:
LDAP poll timer created PKI[4]: [269] LDAP bind api failed IO_STATUS_SERVER_DOWN
Conditions
Certificate authentication is configured for AnyConnect
CRL checking is enabled
The CRL check uses LDAP and is failing
The ASA runs version 9.13 or later
Workaround
Disable LDAP CRL retrieval under the trustpoint's CRL configuration:
(config)# crypto ca trustpoint
(config-ca-trustpoint)# crl configure
(config-ca-crl)# no protocol ldap
Further Problem Description
- The issue also affects OCSP if it is configured after CRL
- The following errors are seen in the DART bundle:
******************************************
Date : 12/07/2022
Time : 10:46:02
Type : Error
Source : acvpnui
Description : Function: CTransportCurlStatic::SendRequest
File: c:\temp\build\thehoff\phoenix_mr20.53710997859\phoenix_mr2\vpn\api\ctransportcurlstatic.cpp
Line: 2140
CURL error: 28 = Operation timed out after 30001 milliseconds with 0 out of 0 bytes received
******************************************
Date : 12/07/2022
Time : 10:46:02
Type : Error
Source : acvpnui
Description : Function: CTransportCurlStatic::SendRequest
File: c:\temp\build\thehoff\phoenix_mr20.53710997859\phoenix_mr2\vpn\api\ctransportcurlstatic.cpp
Line: 2278
Invoked Function: curl_easy_perform
Return Code: -29949904 (0xFE370030)
Description: CTRANSPORT_ERROR_TIMEOUT
28 : Timeout was reached
******************************************
Date : 12/07/2022
Time : 10:46:02
Type : Error
Source : acvpnui
Description : Function: ConnectIfc::TranslateStatusCode
File: c:\temp\build\thehoff\phoenix_mr20.53710997859\phoenix_mr2\vpn\api\connectifc.cpp
Line: 3118
Invoked Function: ConnectIfc::TranslateStatusCode
Return Code: -29949904 (0xFE370030)
Description: CTRANSPORT_ERROR_TIMEOUT
Connection attempt has timed out. Please verify Internet connectivity.
******************************************
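As an added triage aid (not Cisco's code and not part of this bug note), the Python below splits a DART log on its asterisk separator lines, reads the "Key : Value" header fields of each record, and picks out the records carrying the transport-timeout signature quoted above (CURL error 28 / CTRANSPORT_ERROR_TIMEOUT) together with their return code. The record layout is assumed from the entries shown here; the sample text is constructed from them with file paths omitted.

```python
import re
# Constructed sample modelled on the DART records quoted above (file paths omitted).
SAMPLE_DART = """\
******************************************
Date : 12/07/2022
Time : 10:46:02
Type : Error
Source : acvpnui
Description : Function: CTransportCurlStatic::SendRequest
CURL error: 28 = Operation timed out after 30001 milliseconds with 0 out of 0 bytes received
******************************************
Date : 12/07/2022
Time : 10:46:02
Type : Error
Source : acvpnui
Description : Function: ConnectIfc::TranslateStatusCode
Return Code: -29949904 (0xFE370030)
Description: CTRANSPORT_ERROR_TIMEOUT
******************************************
"""
HEADER = re.compile(r"^(Date|Time|Type|Source|Description) : (.*)$")
RETCODE = re.compile(r"Return Code: -?\d+ \((0x[0-9A-Fa-f]+)\)")

def parse_dart(text):
    """Split a DART bundle on its asterisk separators into records (header fields + body)."""
    records = []
    for chunk in re.split(r"^\*{10,}\s*$", text, flags=re.M):
        rec, body = {}, []
        for line in filter(str.strip, chunk.splitlines()):
            m = HEADER.match(line)
            if m and m.group(1) not in rec:   # leading 'Key : Value' lines form the header
                rec[m.group(1)] = m.group(2)
            else:                             # 'Return Code:', second 'Description:' etc.
                body.append(line)
        if rec:
            rec["body"] = "\n".join(body)
            records.append(rec)
    return records

def transport_timeouts(records):
    """Return (timestamp, function, hex return code) for records with the timeout signature."""
    hits = []
    for r in records:
        if "CTRANSPORT_ERROR_TIMEOUT" in r["body"] or "CURL error: 28" in r["body"]:
            m = RETCODE.search(r["body"])
            fn = r.get("Description", "").removeprefix("Function: ")
            hits.append((f'{r["Date"]} {r["Time"]}', fn, m.group(1) if m else None))
    return hits
```

Running `transport_timeouts(parse_dart(SAMPLE_DART))` on a full DART bundle lets you confirm that the client-side timeouts line up with the ASA-side `LDAP bind api failed IO_STATUS_SERVER_DOWN` debug before applying the workaround.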