
Moving from MPLS connection to site to site VPN - VPN goes down a day or so after disconnecting MPLS

Right now all my offices are connected by an MPLS network. I've established a site-to-site VPN and got all the tunnels up. However, during testing, if I leave the MPLS disconnected for a day or so, the VPN eventually goes down. The logs show timeout errors and certificate invalid errors.

I’m wondering if it’s trying to verify the certificate across the MPLS maybe? Or if it’s verifying to a point that is only accessible over the MPLS? I guess I don’t understand what it’s doing for verification of the certificate entirely.

I did notice the Security Management Server certificate authority DN seems to reference a server from before my time that we don’t have anymore (I think maybe it was a domain controller once upon a time).

I’ve enabled the VPN debugs but don’t see anything that points out why the certificate is being rejected in the logs.

Any help is greatly appreciated.

0 Kudos
1 Reply

Yes, this is exactly what is happening.
Gateways need to be able to reach the Certificate Authority to perform CRL checks.
This is the management server (internal CA) or whatever external CA is being used.
If the CA is unavailable for 24 hours, the VPN will go down.

If your management server does not have a public IP and you are using the internal CA, you will probably need to define a static NAT in the management object for that server.

0 Kudos
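To show concretely why an unreachable CA takes the tunnel down about a day after the cut-over, here is an added example (not from the thread above and not Check Point's own code or tooling): it builds a throw-away lab PKI with the openssl CLI, where a CA named "lab-ica" stands in for the management server's internal CA and "gw-branch1" for a gateway certificate (both names hypothetical, all material generated on the spot), then validates the gateway certificate with CRL checking mandatory, the way a VPN peer does. The one-day CRL lifetime is an assumption chosen to mirror the 24-hour figure in the reply; your real CRL's Next Update field is what matters.

```shell
#!/bin/sh
# Added example, not from the thread. Lab PKI: "lab-ica" stands in for the
# management server's internal CA, "gw-branch1" for a gateway certificate.
# All names are hypothetical and all key material is generated right here.
set -e

WORK="${WORK:-$(mktemp -d)}"

make_pki() {
  # Minimal 'openssl ca' database; default_crl_days=1 is the assumed CRL lifetime.
  cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = lab
[ lab ]
dir = $WORK
database = \$dir/index.txt
new_certs_dir = \$dir
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 30
default_crl_days = 1
policy = anything
[ anything ]
commonName = supplied
EOF
  touch "$WORK/index.txt"
  echo 01 > "$WORK/serial"
  echo 01 > "$WORK/crlnumber"
  # Self-signed CA, then a gateway certificate issued from the CA database
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=lab-ica" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=gw-branch1" \
    -keyout "$WORK/gw.key" -out "$WORK/gw.csr" 2>/dev/null
  openssl ca -config "$WORK/ca.cnf" -batch -notext \
    -in "$WORK/gw.csr" -out "$WORK/gw.crt" >/dev/null 2>&1
}

# Publish a CRL, as the CA does at its CRL distribution point (CDP).
issue_crl() {
  openssl ca -config "$WORK/ca.cnf" -gencrl -out "$1" 2>/dev/null
}

# Revoke the gateway certificate at the CA (guarded so a second call is a no-op).
revoke_gateway_cert() {
  if ! grep -q '^R' "$WORK/index.txt"; then
    openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/gw.crt" >/dev/null 2>&1
  fi
}

# Validate the gateway cert like a peer with mandatory CRL checking.
#   $1  the CRL the peer fetched or still holds in cache ("" = CDP unreachable
#       and nothing cached)
#   $2  optional POSIX time at which validity is judged (default: now)
# Prints OK or FAIL; the openssl error text is what shows up in the peer's log.
check_gateway_cert() {
  crl="$1"
  at="${2:-}"
  set -- -CAfile "$WORK/ca.crt" -crl_check
  if [ -n "$crl" ]; then set -- "$@" -CRLfile "$crl"; fi
  if [ -n "$at" ]; then set -- "$@" -attime "$at"; fi
  out=$(openssl verify "$@" "$WORK/gw.crt" 2>&1) || true
  case "$out" in
    *": OK"*) echo OK ;;
    *)        echo FAIL ;;
  esac
}

make_pki
issue_crl "$WORK/ca.crl"
LATER=$(( $(date +%s) + 2 * 86400 ))   # two days on: past the CRL's Next Update

echo "fresh CRL fetched from the CA     : $(check_gateway_cert "$WORK/ca.crl")"          # OK
echo "CDP unreachable, nothing cached   : $(check_gateway_cert "")"                      # FAIL
echo "cached CRL, judged two days later : $(check_gateway_cert "$WORK/ca.crl" "$LATER")" # FAIL
revoke_gateway_cert
issue_crl "$WORK/ca-revoked.crl"
echo "CA reachable, cert revoked        : $(check_gateway_cert "$WORK/ca-revoked.crl")"  # FAIL
echo "stale CRL from before revocation  : $(check_gateway_cert "$WORK/ca.crl")"          # OK
```

The three FAIL cases are the ones behind "certificate invalid" after the MPLS is gone: no CRL at all, a cached CRL whose Next Update has passed, and an actual revocation. The last line is the reason a CRL is given a short lifetime in the first place: a stale CRL still says OK for a certificate the CA has since revoked, so a peer that keeps trusting an expired one would be defeating the point of the check. On a real deployment, `openssl x509 -in <cert> -noout -text` shows the CRL Distribution Points the peer must be able to reach, and `openssl crl -in <crl> -noout -lastupdate -nextupdate` shows how long a fetched copy stays usable, which is the window you have after the CA drops off the network.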