topic Re: Corrupted Internal CA? in Firewall and Security Management

Corrupted Internal CA?

Ryan_Ryan — Wed, 15 Aug 2018 07:06:26 GMT

Hello, when I run this command on SmartManager "fwm printcert -ca internal_ca I get no response back, I believe its to do with the Internal CA missing or something similar.

Its causing issues when trying to enable VPN blade on all our gateways, when trying to generate a cert I get a message back "Failed to get the CA server's certificate"

Any ideas how i can confirm this is the issue and how to fix it?

Re: Corrupted Internal CA?

Peter_Sandkuijl — Wed, 15 Aug 2018 07:44:18 GMT

Check out this SK for more options: How to determine an SIC Certificate's expiration date

Alternatively enable the webui for ICA and check that way.

Good luck

Peter !!

Re: Corrupted Internal CA?

_Val_ — Wed, 15 Aug 2018 13:11:00 GMT

Before anything else, please run the following on your management server:

cpwd_admin list

and make sure your cpd process is up and running

Re: Corrupted Internal CA?

Ryan_Ryan — Thu, 16 Aug 2018 00:51:53 GMT

Interesting, I am not seeing it:

CPVIEWD
CPD
FWD
FWM
STPR
SVR
CPSEAD
CPWMD
CPHTTPD
SMARTLOG_SERVER
DASERVICE
CPSM

Just did a cpstart and its still not showing either.

Re: Corrupted Internal CA?

_Val_ — Thu, 16 Aug 2018 06:44:06 GMT

Sorry, a typo, should be cpd. Are you still experiencing the issue after cpstop | cpstart?

Re: Corrupted Internal CA?

Ryan_Ryan — Fri, 17 Aug 2018 00:50:43 GMT

Hello,

No change after stop start, still same error, anything to do with the internal CA seems to fail, also installed latest hotfix to see if it would help but no difference.

If I run this command:

cpca_client lscert -kind SIC | grep -A 2 "CN=cp_mgmt,"

There is a cert that expires in 2021, the o= matches the name of the manager. So so far this all seems ok..

Re: Corrupted Internal CA?

_Val_ — Fri, 17 Aug 2018 05:48:41 GMT

Please open a support request with TAC, thank you

Re: Corrupted Internal CA?

Ryan_Ryan — Fri, 17 Aug 2018 05:50:20 GMT

After a lot of reading, it seems the only option for me is to follow sk108966.

My Default VPN cert is showing as expired 4 years ago, (cpca_client lscert -kind IKE) and I am not able to renew it.

Can anyone give me some real life experience of what resetting the SIC will actually do? Will the firewalls stop passing traffic as soon as I hit that command on the management server? We have firewalls in a cluster can I do this as a hit less procedure?

Re: Corrupted Internal CA?

_Val_ — Fri, 17 Aug 2018 05:55:42 GMT

Once more, please open a support request. TAC engineer will help you in fixing the issue. The issue may not be related to certificate specifically. It need proper troubleshooting and action plan for resolution.

Following the standard support procedures is the best and fastest way.

Re: Corrupted Internal CA?

Peter_Sandkuijl — Fri, 17 Aug 2018 07:17:00 GMT

IKE is a different certificate from SIC. Resetting SIC will not resolve IKE certificate issues. Please follow Valeri's recommendation and let support have a look. This does not look anything like a configuration error.

BR

Peter !!

Re: Corrupted Internal CA?

Ryan_Ryan — Sun, 19 Aug 2018 23:05:48 GMT

Hello TAC have confirmed to reset the SIC on the manager to fix the issue.

I am still not entirely sure what is the impact of doing this, doing it to a cluster can I avoid any outage?

Re: Corrupted Internal CA?

_Val_ — Mon, 20 Aug 2018 06:03:43 GMT

If you are doing correctly and gradually, impact should be minimal. Ask support to assist you if any doubt.