IKE: Phase 1 received Notification from Peer: invalid certificate

[LoJACK]

Hello everyone,

Does anyone where what is causing this error?

IKE: Phase 1 Received Notification from Peer: invalid certificate

My VPN was working fine but out of nowhere I started getting this error when I'm trying to use the VPN.

I'm running NG AI R55 with win2003 server for the manager.

The funny thing is that I'm only getting this error from only one of my firewall, the rest of my VPN connections with my other sites are fine.

thanx in advanced,
LoJACK

 

[sds222]

You may want to verify the correct date and time on the boxes involved in the vpn.

 

[LoJACK]

I have check the date and time on the box at the remote site and it is the same date and time as the FW manager and local gateway.



Thanks,
LoJACK

 

[ChrisAC]

Has the gateways VPN certificate been issued by the correct management server? Check the details in the certificate to make sure that they match.

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************

 

[LoJACK]

yup.. I check the Internal CA for the gateway and the management server and they match... but what I'm going to do is try to remove the CA and then re-install it again.




Thanks,
LoJACK

 

[LoJACK]

I'm getting this error when I try to remove the internal ca:

"This certificate is used in IKE authentication. Prior to deleting this certificate, define an alternative certificate, or remove the 'public key signature' authentication method."



Thanks,
LoJACK

 

[ChrisAC]

You have to remove the object from any VPN rules before you can delete the CA.

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************

 

[LoJACK]

I have remove the object from all of the VPN community it was in but I was still getting the same error message.



Thanks,
LoJACK

 

[ChrisAC]

Try removing the object completely and re-creating it. This will generate a new certificate.

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************

 

[LoJACK]

If I remove the object completely then I will have to re-establish the SIC when I re-create the object correct? This might be a problem because I don't really have another IT person at my remote location. but maybe I can walk someone through the process of resetting the SIC.

I will give it a try, thanx for all of your help so far. And I will let you know if it worked or not.




Thanks,
LoJACK

 

[tonyktone]

Hey LoJACK,

Were you ever able to resolve this problem...I'm also having the same issue in regard to invalid certificate.

I get the SIC and able to push out the policy...But I keep
getting the invalid certificate error.

 

[Lm0]

I'm having the same error.
My firewall is an new installation with an separete management server and firewall.

I can get the CRL using the url provided in the vpnd.elg file. So thsi seems to work.

I also get the error ( in the debug file) http timeout. Can this have something to do with the CRL check?

What did you do to solve the issue???