Hello, when I run this command on SmartManager, "fwm printcert -ca internal_ca", I get no response back. I believe it's to do with the Internal CA missing or something similar.
It's causing issues when trying to enable the VPN blade on all our gateways; when trying to generate a cert I get a message back: "Failed to get the CA server's certificate".
Any ideas how I can confirm this is the issue and how to fix it?
Check out this SK for more options: How to determine an SIC Certificate's expiration date
Alternatively enable the webui for ICA and check that way.
Good luck
Peter !!
Before anything else, please run the following on your management server:
cpwd_admin list
and make sure your cpd process is up and running
Interesting, I am not seeing it:
CPVIEWD
CPD
FWD
FWM
STPR
SVR
CPSEAD
CPWMD
CPHTTPD
SMARTLOG_SERVER
DASERVICE
CPSM
Just did a cpstart and it's still not showing either.
Sorry, a typo, should be cpd. Are you still experiencing the issue after cpstop | cpstart?
Hello,
No change after stop start, still same error, anything to do with the internal CA seems to fail, also installed latest hotfix to see if it would help but no difference.
If I run this command:
cpca_client lscert -kind SIC | grep -A 2 "CN=cp_mgmt,"
There is a cert that expires in 2021, the o= matches the name of the manager. So, so far this all seems OK.
Please open a support request with TAC, thank you
After a lot of reading, it seems the only option for me is to follow sk108966.
My Default VPN cert is showing as expired 4 years ago, (cpca_client lscert -kind IKE) and I am not able to renew it.
Can anyone give me some real-life experience of what resetting the SIC will actually do? Will the firewalls stop passing traffic as soon as I hit that command on the management server? We have firewalls in a cluster; can I do this as a hitless procedure?
Once more, please open a support request. A TAC engineer will help you in fixing the issue. The issue may not be related to the certificate specifically. It needs proper troubleshooting and an action plan for resolution.
Following the standard support procedures is the best and fastest way.
IKE is a different certificate from SIC. Resetting SIC will not resolve IKE certificate issues. Please follow Valeri's recommendation and let support have a look. This does not look anything like a configuration error.
BR
Peter !!
Hello, TAC have confirmed to reset the SIC on the manager to fix the issue.
I am still not entirely sure what the impact of doing this is. Doing it to a cluster, can I avoid any outage?
If you are doing it correctly and gradually, impact should be minimal. Ask support to assist you if in any doubt.
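Added example, not part of the thread and not Check Point's own tooling: the posts above show a SIC certificate that is still valid while the default IKE certificate has expired, so this Python script groups saved `cpca_client lscert` output by `Kind` and reports every certificate past its `Not_After` date. The three-line record layout, the sample records and the function names are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample. The three-line record layout is an assumption about what
# `cpca_client lscert` prints; adjust RECORD if your version differs.
SAMPLE = """\
Subject = CN=cp_mgmt,O=mgmt.example..abc123
Status = Valid   Kind = SIC   Serial = 1001   DP = 0
Not_Before: Mon Jun 13 09:00:00 2016   Not_After: Sun Jun 13 09:00:00 2021

Subject = CN=gw1 VPN Certificate,O=mgmt.example..abc123
Status = Valid   Kind = IKE   Serial = 1002   DP = 1
Not_Before: Thu Jan 12 09:00:00 2012   Not_After: Wed Jan 11 09:00:00 2017
"""

RECORD = re.compile(
    r"Subject\s*=\s*(?P<subject>.+?)[ \t]*\n"
    r"Status\s*=\s*(?P<status>\w+)\s+Kind\s*=\s*(?P<kind>\w+).*\n"
    r"Not_Before:\s*(?P<nb>.+?)\s+Not_After:\s*(?P<na>.+?)[ \t]*(?:\n|$)"
)
DATE_FMT = "%a %b %d %H:%M:%S %Y"  # ctime-style timestamp


def parse_lscert(text):
    """Return one dict per certificate record found in saved lscert output."""
    certs = []
    for m in RECORD.finditer(text):
        certs.append({
            "subject": m["subject"],
            "status": m["status"],
            "kind": m["kind"],
            # Collapse the double space ctime uses for single-digit days.
            "not_after": datetime.strptime(" ".join(m["na"].split()), DATE_FMT),
        })
    return certs


def expired_by_kind(text, now):
    """Map Kind -> subjects whose Not_After is before `now`, regardless of Status."""
    expired = {}
    for cert in parse_lscert(text):
        if cert["not_after"] < now:
            expired.setdefault(cert["kind"], []).append(cert["subject"])
    return expired


if __name__ == "__main__":
    for kind, subjects in expired_by_kind(SAMPLE, datetime.now()).items():
        for subject in subjects:
            print(f"EXPIRED {kind}: {subject}")
```

Feed it output saved from the management server for each kind mentioned in the thread (`-kind SIC` and `-kind IKE`), not only the one you suspect.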