How does a gateway pick a given cert for 2s2 vpn?

Mastering Compliance
Unveiling the power of Compliance Blade

WATCH NOW

SASE Masters:
Deploying Harmony SASE for a 6,000-Strong Workforce
in a Single Weekend

May the 4th (+4)
Navigating Paradigm Shifts in Cyber

CPX 2024 Content
is Here!

Get What You Need

Harmony SaaS
The most advanced prevention
for SaaS-based threats

LEARN MORE

CheckMates Go:
CPX 2024 Recap

LISTEN NOW

Create a Post

I just upgrade a MDS from 77.30 to 80.40. out of a quarter of a thousand gateways only 2 had problems post policy push. Both gateways (both R77.30 JH 351) were vpns in the same CMA and forced to cert base vpnd.

The given gateways have 2 certs installed. defaultCert and one for client auth portal. What we found after looking at vpnd.elg debugs was this.

defaultCert - This cert is good and I can reach the CRL. We can use this!

...

but lets keep searching!

This cert is good (client auth cert).. but I can't reach the CLR! This cert is terrible! (thanks for diamond catching the crl fetch error)

VPN FORPLAY FAILED - THIS CERT IS GARBAGE!

Thats the exact error message found in vpnd.elg if that wasn't clear (i'm pretty sure it was at least)

We added a host entry to resolve the CRL (no DNS on these) and then VPN went from down to plaid so things looked much better.

After chatting with the diamond rep neither of us were sure how it was picking the cert. In the cert list defaultCert is first in the list. Its like its saying all certs have to be valid or maybe only the last? I see the cert option on the vpn client window and we tried flipping that around but it didn't do anything. I stopped short of assassinating vpnd as there were other PSK VPNs we didn't want to mess with on this gateway, which never went down.

Also this worked fine before push from R80.40 so it seems related i'm just not sure how. Its working as is so we're fine with it for now.