Problem with VPN client connecting after ASA/VPN failed over to secondary

Unanswered Question
Feb 12th, 2010
User Badges:

Hello,


We have 2 ASA 5540 setup as active/standby failover setting.  The failover configuration is setup correctly and failover is successful in the event of a failure. VPN on this firewall is working successfully using certificate authentication on a windows cert server.


The problem I have is when the secondary firewall takes active, vpn users are not getting authenticated successfully.  Once we switched it back to the primary firewall, the issue is resolved. Here are the error I got on the firewall.


3    Feb 12 2010    09:45:33    717009             Certificate validation failed. No suitable trustpoints found to validate certificate serial number: 4A3CEC210000000000BE, subject name: [email protected],cn=John Doe,ou=Org.
3    Feb 12 2010    09:45:33    717027             Certificate chain failed validation. No suitable trustpoint was found to validate chain.
3    Feb 12 2010    09:45:33    713902             Group = AMER-int, IP = x.x.x.x, Removing peer from peer table failed, no match!
4    Feb 12 2010    09:45:33    713903             Group = AMER-int, IP = x.x.x.x, Error: Unable to remove PeerTblEntry
4    Feb 12 2010    09:45:38    713903             IP = x.x.x.x, Header invalid, missing SA payload! (next payload = 132)


I checked the trustpoint on the secondary firewall when it was active and it was there.  is this a serial number issue or key matching issue with the FW and the certificate server?  How do I resolve this issue in case our secondary firewall takes active role again.


Thank you for your time.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Federico Coto F... Fri, 02/12/2010 - 13:10
User Badges:
  • Green, 3000 points or more

Hi,


Seems there's no valid certificate for the secondary unit.


Eventhough most of the configuration is replicated from the active unit to the secondary unit, the certificates need to be generated on each unit independently.


You could have the truspoint created, but check the certificate itself on the secondary unit.


Let me know.


Federico.

Actions

This Discussion