Ryan_Ryan
Nickel

Corrupted Internal CA?

Hello, when I run this command on SmartManager, "fwm printcert -ca internal_ca", I get no response back. I believe it's to do with the Internal CA missing or something similar.

It's causing issues when trying to enable the VPN blade on all our gateways; when trying to generate a cert I get the message "Failed to get the CA server's certificate".

Any ideas how I can confirm this is the issue and how to fix it?

11 Replies
Employee+

Re: Corrupted Internal CA?

Check out this SK for more options: How to determine an SIC Certificate's expiration date 

Alternatively enable the webui for ICA and check that way.

Good luck

Peter !!

0 Kudos

Re: Corrupted Internal CA?

Before anything else, please run the following on your management server:

cpwd_admin list

and make sure your cpd process is up and running

0 Kudos
Ryan_Ryan
Nickel

Re: Corrupted Internal CA?

Interesting, I am not seeing it:

CPVIEWD
CPD
FWD
FWM
STPR
SVR
CPSEAD
CPWMD
CPHTTPD
SMARTLOG_SERVER
DASERVICE
CPSM

Just did a cpstart and it's still not showing either.

0 Kudos

Re: Corrupted Internal CA?

Sorry, a typo, should be cpd. Are you still experiencing the issue after cpstop | cpstart?

0 Kudos
Ryan_Ryan
Nickel

Re: Corrupted Internal CA?

Hello,

No change after stop/start, still the same error; anything to do with the internal CA seems to fail. I also installed the latest hotfix to see if it would help, but no difference.

If I run this command:

cpca_client lscert -kind SIC | grep -A 2 "CN=cp_mgmt,"

There is a cert that expires in 2021, and the O= matches the name of the manager. So far this all seems OK.

0 Kudos

Re: Corrupted Internal CA?

Please open a support request with TAC, thank you

0 Kudos
Ryan_Ryan
Nickel

Re: Corrupted Internal CA?

After a lot of reading, it seems the only option for me is to follow sk108966.

My default VPN cert is showing as having expired 4 years ago (cpca_client lscert -kind IKE), and I am not able to renew it.

Can anyone give me some real-life experience of what resetting the SIC will actually do? Will the firewalls stop passing traffic as soon as I hit that command on the management server? We have firewalls in a cluster; can I do this as a hitless procedure?

0 Kudos
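An added example, not from this thread or from Check Point, showing the generic form of the expiry check that the SK linked in the first reply and the `cpca_client lscert -kind IKE` output above describe: it generates self-signed test certificates locally (constructed test data; it assumes `openssl` is on PATH) and uses `openssl x509 -checkend` to report whether each one will still be valid 30 days from now, which is the question to answer before deciding whether a cert can simply be renewed or the CA itself is the problem.

```shell
#!/bin/sh
# Added example: generic X.509 expiry check with openssl.
# Assumes openssl on PATH; the certificates below are constructed for the demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME DAYS
# Create a throwaway self-signed certificate with the given lifetime and print its path.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
    -days "$2" -subj "/CN=$1" >/dev/null 2>&1
  echo "$WORK/$1.pem"
}

# cert_ok FILE SECONDS
# Exit 0 if the certificate is still valid SECONDS from now, 1 if it expires before then
# (or has already expired). openssl's -checkend does the date arithmetic for us.
cert_ok() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# cert_enddate FILE
# Print the notAfter date for human review.
cert_enddate() {
  openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

THIRTY_DAYS=2592000
LONG=$(make_cert long-lived 365)   # healthy cert
SHORT=$(make_cert short-lived 1)   # about to expire; stands in for the expired IKE cert

for c in "$LONG" "$SHORT"; do
  if cert_ok "$c" "$THIRTY_DAYS"; then
    echo "$c: valid for at least 30 more days (notAfter $(cert_enddate "$c"))"
  else
    echo "$c: expires within 30 days or already expired (notAfter $(cert_enddate "$c"))"
  fi
done
```

Point `cert_ok` at the PEM of any gateway or management certificate you have exported to see the same verdict; a non-zero exit is the signal to schedule renewal before the blade stops working, rather than discovering it when VPN setup fails.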

Re: Corrupted Internal CA?

Once more, please open a support request. A TAC engineer will help you fix the issue. The issue may not be related to the certificate specifically; it needs proper troubleshooting and an action plan for resolution.

Following the standard support procedures is the best and fastest way.

0 Kudos
Employee+

Re: Corrupted Internal CA?

IKE is a different certificate from SIC. Resetting SIC will not resolve IKE certificate issues. Please follow Valeri's recommendation and let support have a look. This does not look anything like a configuration error.

BR

Peter !!

Ryan_Ryan
Nickel

Re: Corrupted Internal CA?

Hello, TAC have confirmed that I should reset the SIC on the manager to fix the issue.

I am still not entirely sure what the impact of doing this is; doing it to a cluster, can I avoid any outage?

0 Kudos

Re: Corrupted Internal CA?

If you are doing it correctly and gradually, the impact should be minimal. Ask support to assist you if in any doubt.

0 Kudos