Last night, I had a customer's gateway fail VPN authentication suddenly. A quick VPN debug showed the IKE certificate was expired! I checked SmartConsole and yep, the IKE certificate on the SmartCenter was expired!
(gateway is R77.30, mgmt R80.20; yes upgrades are scheduled, that's not the issue here)
IKE certificates are supposed to auto-renew by cpca at 75% expiry, yes? I haven't had issues with certificate auto-renewals in a very very long time, so this was a major surprise. I found another gateway certificate that will expire in 5 days, so I manually renewed it (along with the problematic gateway), then pushed policy to all gateways. I checked all other gateways and they are good into 2020 and 2021, so I have time to make any repairs if needed.
With R80.20 management, is there something new I missed or some behavior change? The ICA was still valid (through year 2030), all gateways and management system times are current and valid (sync with known good NTP servers). I checked all hosts date and time to be sure!
Management R80.20 was a migrate from R77.30, which has been working very well for 15+ years. No corruption or strange issues over time.
I haven't found any smoking-gun SK articles about this (I have seen the SHA-1/SHA-256 articles, sk103840, but that doesn't seem relevant). sk59510 does not apply because this is site-to-site VPN, not Remote Access. Manually renewing in SmartConsole was error-free, as it should be, so other SKs regarding renewal errors don't apply.
This is an odd one... anyone seen this lately, or have insight?