Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Problem with VPN client connecting after ASA/VPN failed over to secondary


We have 2 ASA 5540 setup as active/standby failover setting.  The failover configuration is setup correctly and failover is successful in the event of a failure. VPN on this firewall is working successfully using certificate authentication on a windows cert server.

The problem I have is when the secondary firewall takes active, vpn users are not getting authenticated successfully.  Once we switched it back to the primary firewall, the issue is resolved. Here are the error I got on the firewall.

3    Feb 12 2010    09:45:33    717009             Certificate validation failed. No suitable trustpoints found to validate certificate serial number: 4A3CEC210000000000BE, subject name:,cn=John Doe,ou=Org.
3    Feb 12 2010    09:45:33    717027             Certificate chain failed validation. No suitable trustpoint was found to validate chain.
3    Feb 12 2010    09:45:33    713902             Group = AMER-int, IP = x.x.x.x, Removing peer from peer table failed, no match!
4    Feb 12 2010    09:45:33    713903             Group = AMER-int, IP = x.x.x.x, Error: Unable to remove PeerTblEntry
4    Feb 12 2010    09:45:38    713903             IP = x.x.x.x, Header invalid, missing SA payload! (next payload = 132)

I checked the trustpoint on the secondary firewall when it was active and it was there.  is this a serial number issue or key matching issue with the FW and the certificate server?  How do I resolve this issue in case our secondary firewall takes active role again.

Thank you for your time.


Re: Problem with VPN client connecting after ASA/VPN failed over


Seems there's no valid certificate for the secondary unit.

Eventhough most of the configuration is replicated from the active unit to the secondary unit, the certificates need to be generated on each unit independently.

You could have the truspoint created, but check the certificate itself on the secondary unit.

Let me know.


CreatePlease to create content