Description | This article describes that certificate validation may fail after upgrading FortiGate from version 6.0 to version 6.2. |
Scope |
FortiGate v6.0 and v6.2 |
Details |
Hub config:
# config vpn ipsec phase1-interface
Spoke Config:
# config vpn ipsec phase1-interface
# config user peer
When trying to set up the VPN, it does not come up.
The following debugs must be collected on both the Spoke and the Hub:
# diag debug reset
# diag debug console timestamp en
# diag vpn ike log-filter name xxx
# diag debug application ike -1
# diag debug application fnbamd -1
# diag debug en
The debug shows the following output on the Spoke:
[246] fnbamd_chain_build-Chain discovery, opt 0x7, cur total 2
The certificate validation fails because the Spoke FortiGate cannot build the certificate chain up to the Root CA: only the Sub-CA was imported to the Spoke FortiGate. |
Solution | Also import the Root CA to the Spoke FortiGate to fix the issue. |
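The same failure mode can be reproduced offline with the openssl CLI. This is an added example, not part of the original article or Fortinet's tooling: it builds a constructed lab PKI (Root CA, Sub-CA, peer certificate; all names and files are made up) and verifies the peer certificate first against a trust store holding only the Sub-CA, then against one that also holds the Root CA. It assumes OpenSSL's default verification, which requires a chain up to a self-signed trusted root.

```shell
#!/bin/sh
# Added example: constructed lab PKI (Root CA -> Sub-CA -> peer certificate).
# All names and files are made up for illustration; requires the openssl CLI.

build_lab_pki() {   # build_lab_pki <dir>
  d="$1"
  # Both CAs need basicConstraints CA:TRUE to be accepted as issuers.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  for n in root sub peer; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=lab-$n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
  done
  # Root CA: self-signed.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null || return 1
  # Sub-CA: issued by the Root CA.
  openssl x509 -req -in "$d/sub.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/sub.pem" 2>/dev/null || return 1
  # Peer certificate: issued by the Sub-CA.
  openssl x509 -req -in "$d/peer.csr" -CA "$d/sub.pem" -CAkey "$d/sub.key" \
    -CAcreateserial -days 30 -out "$d/peer.pem" 2>/dev/null || return 1
}

# verify_chain <trusted-ca-bundle> <peer-cert>: prints openssl's verdict and
# returns 0 only if a chain to a self-signed trusted root can be built.
verify_chain() {
  openssl verify -CAfile "$1" "$2" 2>&1
}

demo() {
  lab=$(mktemp -d) || return 1
  build_lab_pki "$lab" || { rm -rf "$lab"; return 1; }
  echo "== Trust store holds only the Sub-CA (the failing Spoke) =="
  verify_chain "$lab/sub.pem" "$lab/peer.pem"
  echo "== Trust store holds the Sub-CA and the Root CA (after the fix) =="
  cat "$lab/sub.pem" "$lab/root.pem" > "$lab/bundle.pem"
  verify_chain "$lab/bundle.pem" "$lab/peer.pem"
  rm -rf "$lab"
}

demo
```

Running `openssl verify` against the CA certificates exported for a Spoke before importing them shows whether the chain is complete.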
Copyright 2024 Fortinet, Inc. All Rights Reserved.