nagaraja_cs
Contributor

Certificate based VPN issue

Hi Team,

We have Management server HA configured.
Both management servers (A & B) are at different locations and connected through MPLS.
We have multiple gateways managed by these mgmt servers.
All the gateways are connected through Site-to-Site VPN.
Primary Mgmt server A is responsible for the CA. This certificate is used for VPN tunnel authorization.
Our primary server A went down; we made secondary server B active and promoted it to primary, renewed the VPN certificate, but we still see the certificate of A.
I have a set of queries here:
1) When primary mgmt server A goes down, do we need to make secondary mgmt server B active manually?
2) Since A is the Certificate Authority, what happens to our VPN tunnels?
3) How do all the gateways come to know that primary A is dead and that they should reach secondary B?
4) Is a policy installation required for all the gateways if there is a failover of the mgmt server?

6 Replies
PhoneBoy
Admin
The CA is synced between primary and backup like everything else.
The CA key always shows as the primary manager even when secondary is active.
I believe both systems are listed in the CRL, which means both should be checked.
It therefore should not impact VPNs unless BOTH managers are down.
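One way to check the two points made above on a gateway's own VPN certificate: read its issuer (it should still name the original ICA, i.e. the server that was primary when the CA was created) and list its CRL distribution points (there should be more than one, so that revocation checks keep working when one manager is down). The script below is an added example, not part of this thread and not Check Point code: it builds a throwaway root and leaf with openssl so it runs offline, and the hostnames mgmt-a.example.com, mgmt-b.example.com, gw1.example.com, the CRL file name and the use of port 18264 are all assumptions for the demo. On a real system you would point the two inspection functions at a PEM export of the gateway's IKE certificate instead of the constructed one.

```shell
#!/bin/sh
# Constructed demo (not Check Point code): build an ICA-like root and an
# IKE (VPN) leaf with openssl, then inspect the leaf the way you would check
# a gateway's VPN certificate after a management HA failover.
set -eu

WORK=$(mktemp -d)

make_demo_certs() {
  # Root CA standing in for the ICA created on the original primary (server A).
  # Hostnames and organisation are assumed for the demo.
  openssl genrsa -out "$WORK/ica.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$WORK/ica.key" -days 3650 -sha256 \
    -subj "/CN=mgmt-a.example.com/O=Example ICA" -out "$WORK/ica.crt" 2>/dev/null

  # Leaf extensions: the CRL distribution points list BOTH managers, which is
  # what lets a gateway still fetch a CRL when one manager is unreachable.
  # Port 18264 and the CRL file name are assumptions for this demo.
  cat > "$WORK/ike.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth,clientAuth
crlDistributionPoints=URI:http://mgmt-a.example.com:18264/ICA_CRL1.crl,URI:http://mgmt-b.example.com:18264/ICA_CRL1.crl
EOF
  openssl genrsa -out "$WORK/gw.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/gw.key" -subj "/CN=gw1.example.com" \
    -out "$WORK/gw.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/gw.csr" -CA "$WORK/ica.crt" -CAkey "$WORK/ica.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/ike.ext" \
    -out "$WORK/gw.crt" 2>/dev/null
}

# Return 0 if the certificate's issuer DN contains the given string.
# Works with both the old "/CN=..." and the newer "CN = ..." issuer formats.
issued_by() {
  openssl x509 -in "$1" -noout -issuer | grep -q "$2"
}

# Print one CRL distribution point URI per line.
crl_dps() {
  openssl x509 -in "$1" -noout -text | grep -o 'URI:[^ ]*' | sed 's/^URI://'
}

# Human-readable summary; returns 1 if only one CRL endpoint is present.
report_vpn_cert() {
  cert=$1
  echo "Issuer: $(openssl x509 -in "$cert" -noout -issuer)"
  echo "CRL distribution points:"
  crl_dps "$cert" | sed 's/^/  /'
  n=$(crl_dps "$cert" | grep -c .)
  if [ "$n" -ge 2 ]; then
    echo "OK: $n CRL endpoints, revocation checks survive the loss of one manager"
    return 0
  fi
  echo "WARN: only $n CRL endpoint(s); if that manager is down, CRL fetches will fail"
  return 1
}

# Stand-alone run: generate the demo pair and report on the leaf.
make_demo_certs
report_vpn_cert "$WORK/gw.crt"
```

If the issuer on a real gateway names the original primary even though the secondary is now active, that matches the behaviour described in this thread; the thing to confirm after a failover is that the CRL list names both managers, not which one the issuer DN names.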
nagaraja_cs
Contributor
Hi PhoneBoy,

Thanks for the reply. We have promoted server B as the primary server and renewed the VPN certificate. It still shows server A's certificate.

If we regenerate the ICA with server B as primary, which certificate will it show?

Or will it always show the first installed server's certificate in either case (with A as primary or with B as primary)?

_Val_
Admin (accepted solution)

A Management HA pair shares the same CA root certificate, carrying the details of the original server. There is no need to change that even if you changed the Primary and Secondary roles. Resetting the ICA will invalidate all SIC and certificates signed with the root.

nagaraja_cs
Contributor
Hi Valeri,

Thanks for the reply.

Currently server A is the certificate issuer. If we reset SIC or re-generate the ICA (with B as primary), who will be the certificate issuer?

PhoneBoy
Admin (accepted solution)
It should still be A in this case.

nagaraja_cs
Contributor
Hi PhoneBoy,

Thanks for the reply.