10-28-2020 09:45 AM
Hi,
I have one hub - spoke IPsec tunnel. It has been stable for about 1 year. But suddenly one is down. The other tunnels have no issue. There was no change in configuration either.
When I debug the error, I get the below messages.
Error: to get local certificate and keypair from cache.
Error: Failed to get the certificate and key by certificate request.
I already checked that the cert and CA are not expired yet. I upgraded the firmware but that could not solve it. Last time, one year ago, I got this issue and I recreated the cert and installed it. After that the issue was fixed. But I don't know the root cause. Let me know how to troubleshoot?
10-28-2020 10:16 AM
We need more information, cert and config, to look.
Or here are some steps to diagnose.
10-28-2020 10:37 AM
10-28-2020 10:59 AM - edited 10-28-2020 11:00 AM
How does the time/date look on the devices?
10-28-2020 04:34 PM
Hi,
Date and time are the same.
10-29-2020 12:14 AM
Hi @balaji.bandi @Aref Alsouqi ,
Sorry, my fault. The time is different. It differs by 30 minutes from the router time. But when I manually changed the time to be the same as the hub router, the tunnel was still down. So I created a new cert and installed it. I pointed the cert map to the new cert. After that the tunnel is up.
After the tunnel was up, I checked the NTP server. The NTP server is not working on both the hub and the spoke. I have already fixed the NTP service as well.
So let me know, may my issue be related to the NTP issue?
If yes, let me know how it is related? If it is an NTP issue, can I fix it by manually changing the time?
10-29-2020 10:04 AM
Using NTP and having the time/date synched up on all the involved devices is essential, however, setting the time/date manually can also be a last resort option. Interesting that even after you synched up the time the tunnel did not come up. Because of this, I don't believe the issue was related to that skew in this case. To be able to dig deeper into this, I would need some debugs while you were trying to enable the tunnel to try to spot any potential root cause, but I think now it is too late as you regenerated the new certs and the tunnel is up.