Problem with VPN client connecting after ASA/VPN failed over to secondary
We have 2 ASA 5540s set up in an active/standby failover configuration. The failover configuration is set up correctly and failover is successful in the event of a failure. VPN on this firewall is working successfully using certificate authentication against a Windows cert server.
The problem I have is that when the secondary firewall takes the active role, VPN users are not getting authenticated successfully. Once we switched it back to the primary firewall, the issue was resolved. Here are the errors I got on the firewall.
3 Feb 12 2010 09:45:33 717009 Certificate validation failed. No suitable trustpoints found to validate certificate serial number: 4A3CEC210000000000BE, subject name: email@example.com,cn=John Doe,ou=Org.
3 Feb 12 2010 09:45:33 717027 Certificate chain failed validation. No suitable trustpoint was found to validate chain.
3 Feb 12 2010 09:45:33 713902 Group = AMER-int, IP = x.x.x.x, Removing peer from peer table failed, no match!
4 Feb 12 2010 09:45:33 713903 Group = AMER-int, IP = x.x.x.x, Error: Unable to remove PeerTblEntry
4 Feb 12 2010 09:45:38 713903 IP = x.x.x.x, Header invalid, missing SA payload! (next payload = 132)
I checked the trustpoint on the secondary firewall when it was active and it was there. Is this a serial number issue or a key-matching issue between the firewall and the certificate server? How do I resolve this issue in case our secondary firewall takes the active role again?
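A small triage helper for the log excerpt above, added here as an example and not part of the original post. It parses ASA syslog lines in the layout quoted (severity, date, time, six-digit message ID, text), separates the certificate-validation failures (IDs 717009 and 717027) from the follow-on IKE peer-table noise (713902/713903), and pulls out the certificate serial and subject so they can be compared against what `show crypto ca certificates` reports on whichever unit is currently active. The sample lines are the ones from the post, embedded as constructed input; the regexes and the list of "certificate" message IDs are assumptions for this example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input: the five syslog lines quoted in the post above.
SAMPLE_LOG = """\
3 Feb 12 2010 09:45:33 717009 Certificate validation failed. No suitable trustpoints found to validate certificate serial number: 4A3CEC210000000000BE, subject name: email@example.com,cn=John Doe,ou=Org.
3 Feb 12 2010 09:45:33 717027 Certificate chain failed validation. No suitable trustpoint was found to validate chain.
3 Feb 12 2010 09:45:33 713902 Group = AMER-int, IP = x.x.x.x, Removing peer from peer table failed, no match!
4 Feb 12 2010 09:45:33 713903 Group = AMER-int, IP = x.x.x.x, Error: Unable to remove PeerTblEntry
4 Feb 12 2010 09:45:38 713903 IP = x.x.x.x, Header invalid, missing SA payload! (next payload = 132)
"""

# Assumed layout of one exported ASA syslog line: "<sev> <Mon> <dd> <yyyy> <hh:mm:ss> <id> <message>"
LINE_RE = re.compile(
    r"^(?P<sev>\d)\s+(?P<date>[A-Z][a-z]{2} \d{2} \d{4}) (?P<time>\d{2}:\d{2}:\d{2})"
    r"\s+(?P<id>\d{6})\s+(?P<msg>.*)$"
)
SERIAL_RE = re.compile(r"serial number: (?P<serial>[0-9A-Fa-f]+)")
SUBJECT_RE = re.compile(r"subject name: (?P<subject>.+?)\.?$")

# ASA message IDs that indicate the unit could not validate a peer certificate
# against any configured trustpoint (the symptom described in the post).
CERT_FAILURE_IDS = {"717009", "717027"}


@dataclass
class Event:
    severity: int
    timestamp: str   # "Feb 12 2010 09:45:33"
    msg_id: str
    message: str


def parse_events(text: str) -> list[Event]:
    """Parse every well-formed syslog line; silently skip lines that do not match."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        events.append(Event(int(m["sev"]), f"{m['date']} {m['time']}", m["id"], m["msg"]))
    return events


def cert_failures(events: list[Event]) -> list[dict]:
    """Return the certificate-validation failures with serial/subject where present."""
    out = []
    for ev in events:
        if ev.msg_id not in CERT_FAILURE_IDS:
            continue
        serial = SERIAL_RE.search(ev.message)
        subject = SUBJECT_RE.search(ev.message)
        out.append({
            "timestamp": ev.timestamp,
            "msg_id": ev.msg_id,
            "serial": serial["serial"].upper() if serial else None,
            "subject": subject["subject"] if subject else None,
        })
    return out


def summarize(text: str) -> dict:
    """Counts per message ID plus the distinct certificate serials that failed validation."""
    events = parse_events(text)
    failures = cert_failures(events)
    return {
        "total": len(events),
        "by_id": Counter(ev.msg_id for ev in events),
        "cert_failures": len(failures),
        "serials": sorted({f["serial"] for f in failures if f["serial"]}),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['total']} events, {report['cert_failures']} certificate validation failures")
    for f in cert_failures(parse_events(SAMPLE_LOG)):
        print(f"  {f['timestamp']} {f['msg_id']} serial={f['serial']} subject={f['subject']}")
    # Next step for a practitioner: take each serial above and confirm the issuing CA
    # certificate is actually present on the active unit (show crypto ca certificates).
```

The point of splitting the events this way is that 713902/713903 are consequences of the failed authentication, not separate faults; only the 717009/717027 pair says anything about the trustpoint state of the unit that logged them, and the serial it carries identifies the client certificate whose chain the active unit could not build.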