nagaraja_cs
Nickel

Certificate based VPN issue

Hi Team,

We have a Management server HA configured.
Both management servers (A & B) are at different locations and connected through MPLS.
We have multiple gateways managed by these mgmt servers.
All the gateways are connected through Site-to-Site VPN.
Primary Mgmt server A is responsible for the CA. This certificate is used for VPN tunnel authorization.
Our primary server A went down; we made secondary server B active, promoted it to primary and renewed the VPN certificate, but we still see the certificate of A.
I have a set of queries here:
1) When primary mgmt server A goes down, do we need to make secondary mgmt server B active manually?
2) Since A is the Certificate Authority, what happens to our VPN tunnels?
3) How do all the gateways come to know that primary A is dead and that they should reach secondary B?
4) Is a policy installation required for all the gateways if there is a failover in the mgmt server?

0 Kudos
6 Replies
Admin
Admin

Re: Certificate based VPN issue

The CA is synced between primary and backup like everything else.
The CA key always shows as the primary manager even when secondary is active.
I believe both systems are listed in the CRL, which means both should be checked.
It therefore should not impact VPNs unless BOTH managers are down.
0 Kudos
nagaraja_cs
Nickel

Re: Certificate based VPN issue

Hi Phoneboy,

Thanks for the reply. We have promoted server B as the primary server and renewed the VPN certificate. It still shows the server A certificate.

If we regenerate the ICA with server B as primary, which certificate will it show?

Or will it always show the first installed server's certificate in either case (A as primary or B as primary)?

0 Kudos

Re: Certificate based VPN issue

A Management HA pair shares the same CA root certificate, with the details of the original server. There is no need to change that even if you changed the Primary and Secondary roles. Resetting the ICA will invalidate all SIC and certificates signed with the root.

0 Kudos
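As an added illustration of the two replies above (PhoneBoy's point that the issuer shown on a gateway certificate stays the original CA's name and that a CRL can list more than one manager, and Valeri's point that an ICA reset invalidates everything the old root signed), here is a small Go program using only the standard library's crypto/x509. It is not code from this thread or from Check Point: the ICA name `mgmt-a-ica`, the gateway name `gw-site1` and the two CRL URLs are constructed stand-ins, and the toy CA is a plain X.509 root rather than a real ICA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed stand-ins, not real Check Point values: the ICA name and one CRL URL per manager.
const (
	ICAName = "mgmt-a-ica"
	CRLOnA  = "http://mgmt-a.example/crl"
	CRLOnB  = "http://mgmt-b.example/crl"
)

// CertSummary is what a defender reads off a gateway certificate: issuer and CRL locations.
type CertSummary struct {
	Issuer string
	CRLDPs []string
}

// buildToyPKI makes a root CA named icaName plus one gateway certificate it signed.
// Calling it twice with the same name yields two unrelated CAs: an "ICA reset".
func buildToyPKI(icaName string) (caCert, gwCert *x509.Certificate, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: icaName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	if caCert, err = x509.ParseCertificate(caDER); err != nil {
		return nil, nil, err
	}
	gwKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	gwTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "gw-site1"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		// Both managers are listed so a peer can fall back to the second CRL location.
		CRLDistributionPoints: []string{CRLOnA, CRLOnB},
	}
	gwDER, err := x509.CreateCertificate(rand.Reader, gwTmpl, caCert, &gwKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	gwCert, err = x509.ParseCertificate(gwDER)
	return caCert, gwCert, err
}

// Summarize reports the issuer baked into the certificate (the ICA name, not
// whichever manager is active right now) and every CRL distribution point.
func Summarize(c *x509.Certificate) CertSummary {
	return CertSummary{Issuer: c.Issuer.CommonName, CRLDPs: append([]string(nil), c.CRLDistributionPoints...)}
}

// VerifyAgainstICA checks that a gateway certificate chains to the given root.
func VerifyAgainstICA(gw, root *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := gw.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

func main() {
	ca, gw, err := buildToyPKI(ICAName)
	if err != nil {
		panic(err)
	}
	s := Summarize(gw)
	fmt.Printf("issuer=%s crl=%v\n", s.Issuer, s.CRLDPs)
	fmt.Println("chains to current ICA:", VerifyAgainstICA(gw, ca) == nil)
	// An ICA reset: same name, new key. Everything the old root signed must be reissued.
	resetCA, _, err := buildToyPKI(ICAName)
	if err != nil {
		panic(err)
	}
	fmt.Println("chains to reset ICA:", VerifyAgainstICA(gw, resetCA) == nil)
}
```

The program prints the issuer name recorded in the gateway certificate, which does not change when the other manager becomes active, and shows that the same certificate verifies against the original root but not against a freshly generated root carrying the identical name. On a real deployment the equivalent check is to read the issuer and CRL distribution points off the gateway's certificate rather than inferring them from which manager is currently active.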
nagaraja_cs
Nickel

Re: Certificate based VPN issue

Hi Valeri,

Thanks for the reply.

Currently server A is the certificate issuer. If we reset SIC or re-generate the ICA (with B as primary), who will be the certificate issuer?

0 Kudos
Admin
Admin

Re: Certificate based VPN issue

It should still be A in this case.
0 Kudos
nagaraja_cs
Nickel

Re: Certificate based VPN issue

Hi Phoneboy,

Thanks for the reply.

0 Kudos