GlobalProtect takes more time to establish the tunnel when URLs for CRL Distribution Point (CDP) are inaccessible

Created On 02/20/23 08:29 AM - Last Modified 04/25/25 21:23 PM


Symptom


GlobalProtect takes more time than expected to establish the tunnel in the following situation:

  • Users cannot access the Internet before connecting to GlobalProtect.
  • The certificate used for the GlobalProtect Portal/Gateway carries a CRL Distribution Point (CDP) extension, as in this openssl output:
    > openssl x509 -in cert.pem -noout -text
    Certificate:
    ...
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication, TLS Web Client Authentication
                X509v3 CRL Distribution Points:
    
                    Full Name:
                      URI:http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl
    
                    Full Name:
                      URI:http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl
    
                X509v3 Certificate Policies:
                    Policy: 2.23.140.1.2.2
                      CPS: http://www.digicert.com/CPS
    
                Authority Information Access:
                    OCSP - URI:http://ocsp.digicert.com
                    CA Issuers - URI:http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt
    ...


Environment


  • Palo Alto Firewalls
  • GlobalProtect App
  • CRL Distribution Point (CDP)


Cause


When the server certificate for the GlobalProtect Portal/Gateway contains CDP information, the following behavior is observed:

  • The GlobalProtect app accesses those CDP URLs to verify the revocation status of the server certificate.
  • If the GlobalProtect app cannot reach those URLs, the CRL retrieval times out, and that timeout is what makes the tunnel take longer to establish.


Resolution


  1. CRL checks are performed by the GlobalProtect app on the client machines, not by the firewall.
  2. Make sure the CRL Distribution Points are reachable from the client so the app can verify the revocation status of the server certificate during the portal or gateway connection.
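The following script is an added example, not part of this KB article or of any Palo Alto Networks tool. It pulls the CDP URIs out of `openssl x509 -text` output (the same format shown under Symptom) and checks that each one answers within a short timeout, which is the pre-connection check step 2 asks for. The host/port arguments, the 5 s timeout and the example.test URIs are assumptions.

```shell
#!/bin/sh
# Added example (not part of the KB article): list the CRL Distribution Point
# (CDP) URIs in a portal/gateway certificate and check each answers within a
# short timeout, so the GlobalProtect app does not stall on an unreachable CDP.

# Constructed sample of `openssl x509 -noout -text` output (not a real cert).
SAMPLE_CERT_TEXT='            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl3.example.test/ExampleCA-4.crl

                Full Name:
                  URI:http://crl4.example.test/ExampleCA-4.crl

            X509v3 Certificate Policies:
            Authority Information Access:
                OCSP - URI:http://ocsp.example.test'

# Read `openssl x509 -text` output on stdin; print one CDP URI per line.
# URIs outside the CDP extension (e.g. the OCSP URI under AIA) are skipped.
cdp_uris() {
  awk '
    /X509v3 CRL Distribution Points/ { in_cdp = 1; next }
    in_cdp && /^ *(X509v3|Authority Information Access|Signature Algorithm)/ { in_cdp = 0 }
    in_cdp && /URI:/ { sub(/^.*URI:/, ""); print }
  '
}

# For each URI on stdin, issue an HTTP HEAD capped at 5 s (assumed limit);
# print OK or UNREACHABLE per URI and return the number of unreachable CDPs.
check_cdp_reachability() {
  failures=0
  while IFS= read -r uri; do
    if curl -sS --head -o /dev/null --max-time 5 "$uri" 2>/dev/null; then
      echo "OK          $uri"
    else
      echo "UNREACHABLE $uri"
      failures=$((failures + 1))
    fi
  done
  return "$failures"
}

# With a host (and optional port) argument, fetch the live portal/gateway
# certificate and check its CDPs; otherwise just parse the sample text.
if [ "$#" -gt 0 ]; then
  openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -text | cdp_uris | check_cdp_reachability
else
  printf '%s\n' "$SAMPLE_CERT_TEXT" | cdp_uris
fi
```

Run it from a client machine without a GlobalProtect tunnel up, since that is the network position in which the app performs the CRL fetch.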

