Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
1428
Views
0
Helpful
4
Replies

Remote Certificate Invalid According to Validation Procedure

byates
Level 1
Level 1

‎05-21-2019 05:23 PM

We have a Scada System that sends out email alerts when there is an alert generated in the system. This Scada System is segregated on its own Vlan with an ACL allowing SMTP traffic so it can send out the alert email. In the ACL, I specified  all the IPs from Microsoft of their smtp.office365.com, and I allowed DNS traffic so It can resolve the smtp.office365.com to one of those IPs allowed through. It works fine for about a month and then all of a sudden we get an error saying “Failed to send email message The remote certificate is invalid according to the validation procedure”. Once I take down the ACL and allow full communication, it works fine. What other traffic do I need to allow through the ACL so it can validate the certificate for Office 365, anyone else come across something like this before?

Labels:
0 Helpful
4 Replies 4

pieterh
VIP
VIP

‎05-21-2019 11:44 PM

first a remark, I guess this is the wrong community for your post, this is Cisco routing, not office

 

but here some things you can check

"I specified  all the IPs from Microsoft of their smtp.office365.com"

1) did you check for any changes?

  Microsoft specifies some ranges, but can add /remove IP's at any time! 

2) maybe the root-certificate list on the Scada system needs update?

   with outdated root/intermediate certificates the remote certificate cannot be validated.

0 Helpful

byates
Level 1
Level 1
In response to pieterh

‎05-22-2019 07:45 AM

Yea I know its not Office, I have a support request into them as well. Just hoping someone here may have gone through something similar.

Its possible it needs Root/Intermediate certificate updates but its happened twice now in back to back months. Once I open communication, all is fine. That's why I was thinking maybe something cant get through allowing it to validate.


0 Helpful

pieterh
VIP
VIP
In response to byates

‎05-22-2019 08:01 AM

check for time synchonization

0 Helpful

byates
Level 1
Level 1
In response to pieterh

‎05-22-2019 09:10 AM

I didn't think about that. They are about 2 minutes off from our production network. They aren't a part of the domain, theyre their own workgroup so they aren't talking to our time servers. Ok, I will look into what I need to do to allow them access to NTP servers
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card
Top