We have 2 ASA 5540s set up in an active/standby failover configuration. The failover configuration is set up correctly and failover is successful in the event of a failure. VPN on this firewall is working successfully using certificate authentication against a Windows cert server.
The problem I have is that when the secondary firewall takes the active role, VPN users are not getting authenticated successfully. Once we switch it back to the primary firewall, the issue is resolved. Here are the errors I got on the firewall.
3 Feb 12 2010 09:45:33 717009 Certificate validation failed. No suitable trustpoints found to validate certificate serial number: 4A3CEC210000000000BE, subject name: [email protected],cn=John Doe,ou=Org.
3 Feb 12 2010 09:45:33 717027 Certificate chain failed validation. No suitable trustpoint was found to validate chain.
3 Feb 12 2010 09:45:33 713902 Group = AMER-int, IP = x.x.x.x, Removing peer from peer table failed, no match!
4 Feb 12 2010 09:45:33 713903 Group = AMER-int, IP = x.x.x.x, Error: Unable to remove PeerTblEntry
4 Feb 12 2010 09:45:38 713903 IP = x.x.x.x, Header invalid, missing SA payload! (next payload = 132)
I checked the trustpoint on the secondary firewall when it was active and it was there. Is this a serial number issue or a key matching issue between the FW and the certificate server? How do I resolve this issue in case our secondary firewall takes the active role again?
Thank you for your time.
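The syslog lines quoted above, parsed and classified by ASA message id, as an added example that is not part of the original post: it separates the trustpoint-related messages (717009/717027) from the IKE peer-table noise that follows them and pulls out which peer certificate was rejected, which is the first thing to compare between the two units. The sample lines are constructed from the ones in the post; the subject and IP are placeholders.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# ASA syslog lines as they appear in the post:
#   <severity> <Mon> <dd> <yyyy> <hh:mm:ss> <6-digit message id> <text>
LINE_RE = re.compile(
    r"^(?P<sev>\d)\s+(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<msgid>\d{6})\s+(?P<text>.*)$"
)
SERIAL_RE = re.compile(r"serial number:\s*(?P<serial>[0-9A-Fa-f]+)")
SUBJECT_RE = re.compile(r"subject name:\s*(?P<subject>.+?)\.?$")

# Message ids that mean the ASA found no trustpoint able to validate the peer cert.
TRUSTPOINT_FAILURE_IDS = {"717009", "717027"}

@dataclass
class AsaEvent:
    severity: int
    timestamp: str
    msgid: str
    text: str

def parse_line(line: str) -> Optional[AsaEvent]:
    """Parse one syslog line; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return AsaEvent(int(m["sev"]), m["ts"], m["msgid"], m["text"])

def summarize_cert_failures(lines: List[str]) -> Dict[str, object]:
    """Count trustpoint failures and list the peer certs that were rejected."""
    counts: Counter = Counter()
    rejected = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev.msgid not in TRUSTPOINT_FAILURE_IDS:
            continue
        counts[ev.msgid] += 1
        s, n = SERIAL_RE.search(ev.text), SUBJECT_RE.search(ev.text)
        if s:  # only 717009 carries serial/subject; 717027 is the chain-level message
            rejected.append((s["serial"].upper(), n["subject"] if n else ""))
    return {"failures": dict(counts), "rejected_certs": rejected}

# Constructed sample modelled on the lines quoted in the post (subject and IP are placeholders).
SAMPLE_LOG = [
    "3 Feb 12 2010 09:45:33 717009 Certificate validation failed. No suitable trustpoints found "
    "to validate certificate serial number: 4A3CEC210000000000BE, subject name: cn=John Doe,ou=Org.",
    "3 Feb 12 2010 09:45:33 717027 Certificate chain failed validation. No suitable trustpoint was found to validate chain.",
    "3 Feb 12 2010 09:45:33 713902 Group = AMER-int, IP = 192.0.2.10, Removing peer from peer table failed, no match!",
    "4 Feb 12 2010 09:45:38 713903 IP = 192.0.2.10, Header invalid, missing SA payload! (next payload = 132)",
]

if __name__ == "__main__":
    print(summarize_cert_failures(SAMPLE_LOG))
```

Run the same function over syslog captured from each unit while it is active; if only the standby produces 717009 entries for the same serial, the trustpoint or its CA chain on that unit is what to compare.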