Ryan_Ryan
Advisor

Corrupted Internal CA?

Hello, when I run this command on SmartManager: "fwm printcert -ca internal_ca", I get no response back. I believe it's to do with the Internal CA missing or something similar.

It's causing issues when trying to enable the VPN blade on all our gateways; when trying to generate a cert I get a message back: "Failed to get the CA server's certificate".

Any ideas how I can confirm this is the issue and how to fix it?

11 Replies
Peter_Sandkuijl
Employee

Check out this SK for more options: How to determine an SIC Certificate's expiration date 

Alternatively enable the webui for ICA and check that way.

Good luck

Peter !!

0 Kudos
_Val_
Admin

Before anything else, please run the following on your management server:

cpwd_admin list

and make sure your cpd process is up and running

0 Kudos
Ryan_Ryan
Advisor

Interesting, I am not seeing it:

CPVIEWD
CPD
FWD
FWM
STPR
SVR
CPSEAD
CPWMD
CPHTTPD
SMARTLOG_SERVER
DASERVICE
CPSM

Just did a cpstart and it's still not showing either.

0 Kudos
_Val_
Admin

Sorry, a typo, should be cpd. Are you still experiencing the issue after cpstop | cpstart?

0 Kudos
Ryan_Ryan
Advisor

Hello,

No change after stop start, still same error, anything to do with the internal CA seems to fail, also installed latest hotfix to see if it would help but no difference.

If I run this command:

cpca_client lscert -kind SIC | grep -A 2 "CN=cp_mgmt,"

There is a cert that expires in 2021, and the o= matches the name of the manager. So far this all seems OK.

0 Kudos
_Val_
Admin

Please open a support request with TAC, thank you

0 Kudos
Ryan_Ryan
Advisor

After a lot of reading, it seems the only option for me is to follow sk108966.

My Default VPN cert is showing as expired 4 years ago, (cpca_client lscert -kind IKE) and I am not able to renew it.

Can anyone give me some real-life experience of what resetting the SIC will actually do? Will the firewalls stop passing traffic as soon as I hit that command on the management server? We have firewalls in a cluster; can I do this as a hitless procedure?

0 Kudos
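To make the checks used in this thread repeatable (cpca_client lscert -kind SIC / -kind IKE, with an IKE certificate that turned out to be years past its Not_After date), here is an added example that is not from the original thread or from Check Point: a Python parser over constructed sample output. The three-line-per-certificate layout (Subject / Status-Kind-Serial / Not_Before-Not_After) is my assumption about what cpca_client lscert prints, so adjust the regexes if your output differs.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout ASSUMED for `cpca_client lscert` output:
# a SIC cert for the management server and an IKE (VPN) cert long expired.
SAMPLE_LSCERT = """\
Subject = CN=cp_mgmt,O=mgmt..a1b2c3
Status = Valid   Kind = SIC   Serial = 12345   DP = 0
Not_Before: Mon Mar 14 10:00:00 2016   Not_After: Sat Mar 13 10:00:00 2021
Subject = CN=fw-cluster VPN Certificate,O=mgmt..a1b2c3
Status = Valid   Kind = IKE   Serial = 23456   DP = 0
Not_Before: Tue Jan  6 09:00:00 2009   Not_After: Sun Jan  5 09:00:00 2014
"""

DATE_FMT = "%a %b %d %H:%M:%S %Y"  # assumed ctime-style timestamps

def parse_lscert(text):
    """Return one dict (subject, kind, serial, not_after) per certificate."""
    certs, cur = [], {}
    for line in text.splitlines():
        if line.startswith("Subject ="):
            cur = {"subject": line.split("=", 1)[1].strip()}
        elif line.startswith("Status ="):
            m = re.search(r"Kind = (\S+)\s+Serial = (\S+)", line)
            cur["kind"], cur["serial"] = m.group(1), m.group(2)
        elif line.startswith("Not_Before:"):
            m = re.search(r"Not_After:\s+(.+?)\s*$", line)
            stamp = " ".join(m.group(1).split())  # collapse padded day field
            cur["not_after"] = datetime.strptime(stamp, DATE_FMT)
            certs.append(cur)
    return certs

def expiry_report(text, now_iso, warn_days=90):
    """Classify each cert as EXPIRED, EXPIRING (within warn_days) or OK,
    relative to now_iso (YYYY-MM-DD). Returns (kind, subject, status, date)."""
    now = datetime.fromisoformat(now_iso)
    rows = []
    for c in parse_lscert(text):
        if c["not_after"] < now:
            status = "EXPIRED"
        elif c["not_after"] - now <= timedelta(days=warn_days):
            status = "EXPIRING"
        else:
            status = "OK"
        rows.append((c["kind"], c["subject"], status, c["not_after"].date().isoformat()))
    return rows

if __name__ == "__main__":
    for row in expiry_report(SAMPLE_LSCERT, "2018-06-01"):
        print("%-4s %-9s expires %s  %s" % (row[0], row[2], row[3], row[1]))
```

On a real management server, pipe the live output in instead of the sample (for example `cpca_client lscert -kind IKE | python3 check_certs.py` with `sys.stdin.read()`); an EXPIRED IKE row alongside a valid SIC row is exactly the situation described above, and only the IKE certificate needs attention.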
_Val_
Admin

Once more, please open a support request. A TAC engineer will help you in fixing the issue. The issue may not be related to the certificate specifically. It needs proper troubleshooting and an action plan for resolution.

Following the standard support procedures is the best and fastest way.

0 Kudos
Peter_Sandkuijl
Employee

IKE is a different certificate from SIC. Resetting SIC will not resolve IKE certificate issues. Please follow Valeri's recommendation and let support have a look. This does not look anything like a configuration error.

BR

Peter !!

Ryan_Ryan
Advisor

Hello, TAC have confirmed to reset the SIC on the manager to fix the issue.

I am still not entirely sure what the impact of doing this is; doing it to a cluster, can I avoid any outage?

0 Kudos
_Val_
Admin

If you are doing it correctly and gradually, the impact should be minimal. Ask support to assist you if in any doubt.

0 Kudos