"syslog-ng could not retrieve CRL" error seen after configuring syslog via transport method SSL
Created On 02/23/23 09:23 AM - Last Modified 04/21/25 07:37 AM
Symptom
- After setting up syslog forwarding over SSL, the connection fails with the following system log message:
|
Syslog connection failed to server['AF_INET.xxxxx:10514.']
Syslog connection broken to server['AF_INET.xxxxx:10514.']
|
- More detail is available in syslog-ng.log:
|
PA-5220> tail follow yes mp-log syslog-ng.log
Sep 3 13:23:18 fw01 syslog-ng[13884]: syslog-ng could not retrieve CRL; idx='0', rt1='1792', URI='http://crl.xxxxx.com/AAACertificateServices.crl'
|
Environment
- Palo Alto Firewall.
- PAN-OS 9.1 and above.
- Syslog
Cause
The error message in syslog-ng.log can appear in two scenarios:
- When the CRL server is not reachable.
- When the CRL server is reachable, but the response it returns contains no CRL.
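As an added example, not part of the original article, a small stdlib-only Python checker that extracts the URI from the syslog-ng error line above and classifies what an HTTP fetch of that URI returns, so the two causes can be told apart (server unreachable versus a reachable server whose reply contains no CRL). The regex, the minimal DER check and the `fetch_crl` helper are my own; `fetch_crl` is meant to be run from a host on the management network, since that is the path the firewall uses.

```python
import re
import urllib.request

# Pattern for the syslog-ng message quoted above (constructed from the page's log line).
CRL_ERR_RE = re.compile(
    r"syslog-ng could not retrieve CRL; idx='(?P<idx>\d+)', rt1='(?P<rt1>\d+)', "
    r"URI='(?P<uri>[^']+)'"
)

def parse_crl_error(line):
    """Return {'idx', 'rt1', 'uri'} from a 'could not retrieve CRL' line, else None."""
    m = CRL_ERR_RE.search(line)
    return m.groupdict() if m else None

def _der_len(buf, i):
    """Decode the DER length field at buf[i]; return (length, index after it)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def classify_crl_body(body):
    """Classify an HTTP body as 'empty', 'pem-crl', 'der-crl', 'html' or 'unknown'.
    'empty' and 'html' (proxy block page, 404 page) mean a reachable server with no CRL."""
    if not body:
        return "empty"
    if b"-----BEGIN X509 CRL-----" in body:
        return "pem-crl"
    # DER CertificateList is SEQUENCE { tbsCertList SEQUENCE, sigAlg, signature }:
    # check the outer tag and length, and that the first inner element is a SEQUENCE.
    try:
        if body[0] == 0x30:
            outer_len, i = _der_len(body, 1)
            if i + outer_len == len(body) and body[i] == 0x30:
                return "der-crl"
    except IndexError:
        pass
    if b"<html" in body[:512].lower():
        return "html"
    return "unknown"

def fetch_crl(uri, timeout=5):
    """Fetch a CRL over HTTP and return (status, body); assumed helper, not exercised offline.
    Run it from a host on the management network, the path the firewall uses for CRLs."""
    with urllib.request.urlopen(uri, timeout=timeout) as resp:
        return resp.status, resp.read()
```

A typical use is `status, body = fetch_crl(parse_crl_error(line)["uri"])` followed by `classify_crl_body(body)`; a connection error points at the first cause, anything other than `der-crl` or `pem-crl` at the second.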
Resolution
- Ensure that the CRL server is reachable via the management interface of the firewall.
- The ping command can be used to check connectivity:
|
PA-5220> ping host <CRL_Server_IP>
PING <CRL_Server_IP> 56(84) bytes of data.
64 bytes from <CRL_Server_IP>: icmp_seq=1 ttl=117 time=2.74 ms
64 bytes from <CRL_Server_IP>: icmp_seq=2 ttl=117 time=2.69 ms
|
- The netstat command can be used to check whether the connection is established:
|
PA-5220> show netstat numeric yes programs yes | match <CRL_Server_IP>
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address        Foreign Address        State
tcp        0      0 <FW_IP>:2049         <CRL_Server_IP>:80     ESTABLISHED
|
Note:
Additional Information
- Setting a CRL Status service route for syslog is not supported. The CRL Status service route is meant mainly for PAN-OS itself, while CRL handling for syslog depends on the syslog-ng library.
- Even if a service route is configured so that syslog is sent via a dataplane interface, the CRL request is still initiated via the management interface.
How To Setup Syslog Monitoring Over TLS