VPN IKEV2 errors - cert validation failed

Hi,

I am attempting to set up a site-to-site IKEv2 tunnel and I can see the below errors; any tips on how to troubleshoot would be appreciated.

"certificate validation failed cert date is out of range" - is this related to a cert on my ASA?

6 Replies

Rob Ingram
VIP Expert

support1@lima.co.uk, router or ASA or FTD?

You should ensure the clock is synchronised to an NTP server. Check the time/date "show clock" on the router and compare that against the validity date of the certificate "show crypto pki certificates" (or "show crypto ca certificates" on the ASA).
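One way to do that comparison on the output rather than by eye, as an added example that is not from this thread or from Cisco: a small Python script that parses the validity dates in "show crypto ca certificates" and the time in "show clock" and lists every trustpoint whose certificate is expired or not yet valid at the device clock. The sample output is constructed to match the ASA format, and the timezone labels are ignored, so everything is compared in the device's own local time.

```python
import re
from datetime import datetime

# Constructed sample in the ASA's output format, trimmed to the fields this check reads.
SAMPLE_CERTS = """\
Certificate
Validity Date:
start date: 09:03:49 GMT/BDT Aug 16 2021
end date: 09:03:49 GMT/BDT Aug 16 2023
Associated Trustpoints: ASDM_TrustPoint5

Certificate
Validity Date:
start date: 10:46:37 GMT/BDT Apr 29 2019
end date: 10:46:37 GMT/BDT Apr 28 2021
Associated Trustpoints: ASDM_TrustPoint3

Certificate
Status: Pending terminal enrollment
Associated Trustpoint: ASDM_TrustPoint4
"""
SAMPLE_CLOCK = "20:20:55.486 GMT/BDT Tue Sep 27 2022"

# Timestamps look like "HH:MM:SS[.mmm] ZONE [Dow] Mon D YYYY"; the zone label
# is ignored, so all values are compared in the device's own local time.
DATE_RE = re.compile(r"(\d\d:\d\d:\d\d)(?:\.\d+)?\s+\S+\s+(?:[A-Za-z]{3}\s+)?"
                     r"([A-Za-z]{3}\s+\d{1,2}\s+\d{4})")

def parse_asa_time(text):
    m = DATE_RE.search(text)
    if not m:
        raise ValueError("unrecognised ASA timestamp: %r" % text)
    return datetime.strptime(m.group(1) + " " + m.group(2), "%H:%M:%S %b %d %Y")

def parse_certs(output):
    """(trustpoint, start, end) per block; blocks without a validity window (pending enrollment) are skipped."""
    certs = []
    for block in re.split(r"\n\s*\n", output.strip()):
        start = re.search(r"start date:\s*(.+)", block)
        end = re.search(r"end date:\s*(.+)", block)
        tp = re.search(r"Associated Trustpoints?:\s*(\S+)", block)
        if start and end and tp:
            certs.append((tp.group(1), parse_asa_time(start.group(1)), parse_asa_time(end.group(1))))
    return certs

def out_of_range(cert_output, clock_output):
    """Trustpoints whose cert is not yet valid or already expired at the device clock."""
    now = parse_asa_time(clock_output)
    return [tp for tp, start, end in parse_certs(cert_output) if not start <= now <= end]
```

Run against the real output of both commands; an empty list means the local certificates are inside their validity window and the clock is not the cause, so the peer's certificate is the next thing to check.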

Hi Rob,

It is an ASA. I will check the above and come back to you.

I have run the commands, please see below... I have removed some sensitive info, but nothing to do with the time.

 

# show crypto ca certificates
Certificate
Status: Available
Certificate Serial Number:
Certificate Usage: General Purpose
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA256 with RSA Encryption
Issuer Name:

dc=DOMROOT
dc=INTERNAL
Subject Name:
cn=
ou=IT
o==
l=
c=UK
CRL Distribution Points:
[1]
Validity Date:
start date: 09:03:49 GMT/BDT Aug 16 2021
end date: 09:03:49 GMT/BDT Aug 16 2023
Storage: config
Associated Trustpoints: ASDM_TrustPoint5

Certificate
Status: Available
Certificate Serial Number:
Certificate Usage: General Purpose
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA256 with RSA Encryption
Issuer Name:

dc=DOMROOT
dc=INTERNAL
Subject Name:
cn=
ou=IT
o=
l=
c=UK
CRL Distribution Points:
[1]
[2]
Validity Date:
start date: 10:46:37 GMT/BDT Apr 29 2019
end date: 10:46:37 GMT/BDT Apr 28 2021
Storage: config
Associated Trustpoints: ASDM_TrustPoint3

CA Certificate
Status: Available
Certificate Serial Number:
Certificate Usage: Signature
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA256 with RSA Encryption
Issuer Name:

dc=Domroot
dc=Internal
Subject Name:
=
dc=DOMROOT
dc=INTERNAL
CRL Distribution Points:
[1]
[2]
Validity Date:
start date: 11:31:37 GMT/BST Nov 7 2016
end date: 11:41:37 GMT/BST Nov 7 2026
Storage: config
Associated Trustpoints: ASDM_TrustPoint2

CA Certificate
Status: Available
Certificate Serial Number:
Certificate Usage: Signature
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA256 with RSA Encryption
Issuer Name:
=
dc=Domroot
dc=Internal
Subject Name:

dc=DOMROOT
dc=INTERNAL
CRL Distribution Points:
[1]
[2]
Validity Date:
start date: 12:35:34 GMT/BST Nov 4 2016
end date: 12:45:34 GMT/BST Nov 4 2026
Storage: config
Associated Trustpoints: ASDM_TrustPoint1

CA Certificate
Status: Available
Certificate Serial Number:
Certificate Usage: Signature
Public Key Type: RSA (4096 bits)
Signature Algorithm: SHA384 with RSA Encryption
Issuer Name:
[
dc=Domroot
dc=Internal
Subject Name:

dc=Domroot
dc=Internal
Validity Date:
start date: 10:59:36 GMT/BDT Oct 26 2016
end date: 10:09:33 GMT/BST Oct 26 2036
Storage: config
Associated Trustpoints: ASDM_TrustPoint0


Certificate
Subject Name:
Name:
Status: Pending terminal enrollment
Key Usage: General Purpose
Fingerprint:
Associated Trustpoint: ASDM_TrustPoint4

# show clock
20:20:55.486 GMT/BDT Tue Sep 27 2022

 

Just want to mention: the cert you shared here is for this peer. The other L2L peer is out of date, not this peer.

Thanks for the reply.

So from this you believe the cert on the other side of the tunnel, the peer cert, is out of date, not mine?

Yes, I think so.
