Re: VPN IKEV2 errors - cert validation failed

support1@lima.co.uk · ‎09-27-2022

Hi,

I am attempting to set up a site to site ikev2 tunnel and i can see the below errors, any tips how how to troubleshoot appreciated.

certificate validation failed cert date is out of range - is this related to a cert on my asa?

Rob Ingram · ‎09-27-2022

support1@lima.co.uk router or ASA or FTD?

You should ensure the clock is synchronised to an NTP server. Check the time/date "show clock" on the router and compare that against the validity date of the certificate "show crypto pki certificates" (or "show crypto ca certificates" on the ASA).

support1@lima.co.uk · ‎09-27-2022

Hi Rob,

It is ASA I will check the above and come back to you.

support1@lima.co.uk · ‎09-27-2022

I have ran the commands please see below... i have removed some sensitive info but nothing with the time

# show crypto ca certificates
Certificate
Status: Available
Certificate Serial Number:
Certificate Usage: General Purpose
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA256 with RSA Encryption
Issuer Name:

dc=DOMROOT
dc=INTERNAL
Subject Name:
cn=
ou=IT
o==
l=
c=UK
CRL Distribution Points:
[1]
Validity Date:
start date: 09:03:49 GMT/BDT Aug 16 2021
end date: 09:03:49 GMT/BDT Aug 16 2023
Storage: config
Associated Trustpoints: ASDM_TrustPoint5

Certificate
Status: Available
Certificate Serial Number:
Certificate Usage: General Purpose
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA256 with RSA Encryption
Issuer Name:

dc=DOMROOT
dc=INTERNAL
Subject Name:
cn=
ou=IT
o=
l=
c=UK
CRL Distribution Points:
[1]
[2]
Validity Date:
start date: 10:46:37 GMT/BDT Apr 29 2019
end date: 10:46:37 GMT/BDT Apr 28 2021
Storage: config
Associated Trustpoints: ASDM_TrustPoint3

CA Certificate
Status: Available
Certificate Serial Number:
Certificate Usage: Signature
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA256 with RSA Encryption
Issuer Name:

dc=Domroot
dc=Internal
Subject Name:
=
dc=DOMROOT
dc=INTERNAL
CRL Distribution Points:
[1]
[2]
Validity Date:
start date: 11:31:37 GMT/BST Nov 7 2016
end date: 11:41:37 GMT/BST Nov 7 2026
Storage: config
Associated Trustpoints: ASDM_TrustPoint2

CA Certificate
Status: Available
Certificate Serial Number:
Certificate Usage: Signature
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA256 with RSA Encryption
Issuer Name:
=
dc=Domroot
dc=Internal
Subject Name:

dc=DOMROOT
dc=INTERNAL
CRL Distribution Points:
[1]
[2]
Validity Date:
start date: 12:35:34 GMT/BST Nov 4 2016
end date: 12:45:34 GMT/BST Nov 4 2026
Storage: config
Associated Trustpoints: ASDM_TrustPoint1

CA Certificate
Status: Available
Certificate Serial Number:
Certificate Usage: Signature
Public Key Type: RSA (4096 bits)
Signature Algorithm: SHA384 with RSA Encryption
Issuer Name:
[
dc=Domroot
dc=Internal
Subject Name:

dc=Domroot
dc=Internal
Validity Date:
start date: 10:59:36 GMT/BDT Oct 26 2016
end date: 10:09:33 GMT/BST Oct 26 2036
Storage: config
Associated Trustpoints: ASDM_TrustPoint0

Certificate
Subject Name:
Name:
Status: Pending terminal enrollment
Key Usage: General Purpose
Fingerprint:
Associated Trustpoint: ASDM_TrustPoint4

# show clock
20:20:55.486 GMT/BDT Tue Sep 27 2022

MHM Cisco World · ‎09-27-2022

just want to mention
the cert you share here for this Peer
other L2L peer is out of date not this peer.

support1@lima.co.uk · ‎09-27-2022

Thanks for the reply.

So from this you believe the cert on the other side of the tunnel the peer cert is out of date not mine

MHM Cisco World · ‎09-27-2022

Yes I think so