I just upgraded an MDS from 77.30 to 80.40. Out of a quarter of a thousand gateways, only 2 had problems post policy push. Both gateways (both R77.30 JH 351) were VPNs in the same CMA and forced to cert-based vpnd.
The given gateways have 2 certs installed: defaultCert and one for the client auth portal. What we found after looking at vpnd.elg debugs was this.
defaultCert - This cert is good and I can reach the CRL. We can use this!
...
but let's keep searching!
This cert is good (client auth cert).. but I can't reach the CRL! This cert is terrible! (thanks to Diamond for catching the CRL fetch error)
VPN FORPLAY FAILED - THIS CERT IS GARBAGE!
That's the exact error message found in vpnd.elg, if that wasn't clear (I'm pretty sure it was, at least).
We added a host entry to resolve the CRL (no DNS on these) and then VPN went from down to plaid so things looked much better.
After chatting with the Diamond rep, neither of us was sure how it was picking the cert. In the cert list, defaultCert is first in the list. It's like it's saying all certs have to be valid, or maybe only the last? I see the cert option on the VPN client window and we tried flipping that around, but it didn't do anything. I stopped short of assassinating vpnd as there were other PSK VPNs we didn't want to mess with on this gateway, which never went down.
Also, this worked fine before the push from R80.40, so it seems related; I'm just not sure how. It's working as is, so we're fine with it for now.