live89
Contributor

SCEP certificate enrollment failed | VDOM

Has anyone faced an issue with SCEP in FGT VDOM mode?

 

I have two environments where I use SCEP.

One environment has a FortiGate and a FortiAuthenticator, with the FortiGate not in VDOM mode. I use SCEP there for auto certificate enrollment and it is working fine.

 

The other environment has a FortiGate configured with multiple VDOMs. In one VDOM I'm trying to use SCEP along with a FortiAuthenticator, and it is not working when I use the internal IP of the FortiAuthenticator as the SCEP server. But when I switch to the public IP of the FortiAuthenticator it works just fine ...

 

In "config vpn certificate local" I tried to change the setting "set source-ip 0.0.0.0" to "set source-ip <lan interface ip addr>", but got this error message:

node_check_object fail! for source-ip 172.26.137.33

 

How can I solve this problem?

Thanks

AntonioMartins
New Contributor

Hi,

Same problem here...

Did you figure out how to solve it?

Thanks

AM

Antonio Martins
Debbie_FTNT

Hey Antonio,

If you have the exact same issue as live89 (FortiAuthenticator doesn't renew certificates if the request comes in on an internal interface, but DOES if the request comes via its public interface) that sounds as if SCEP is not enabled on the particular FortiAuthenticator interface; I would suggest checking the interface details and seeing what services are enabled.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Richie_C
Staff

Hi 

 

I know that this is a bit late, but I have been building a multi-VDOM SCEP lab and found a few bits that may be useful. With limited info about the setup I have made the following observations, which may help.

 

  • The VDOM must be able to resolve DNS if you are using an FQDN for the SCEP request
  • The VDOM in question must be able to route to the FAC
  • You could route to the SCEP server via the management/root VDOM if you create an inter-VDOM link and set up the routing accordingly

Thanks

Rich

Take a backup before making any changes
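The three checks in the reply above (VDOM-local DNS, a route from the VDOM to the FAC, and an inter-VDOM link through root when the FAC is only reachable from there) as one worked FortiOS CLI configuration. This is an added example, not configuration from the original thread or from Fortinet documentation: the VDOM name "cust1", the link name "cust1_mgmt", the FAC address 172.26.137.10, the DNS server 172.26.137.53, the root-side LAN interface "internal", the SCEP URL and the 10.255.0.0/30 link subnet are all assumed for illustration. The source-ip on the certificate entry is set to the VDOM's own end of the link, i.e. an address that belongs to an interface inside that VDOM, which is the constraint the original "node_check_object fail!" error appears to be enforcing.

```fortios
# Added example (assumed names/addresses, not from the original thread).
# 1. Global: create the inter-VDOM link and give each end an address.
#    cust1_mgmt0 lands in root, cust1_mgmt1 in the customer VDOM.
config global
    config system vdom-link
        edit "cust1_mgmt"
        next
    end
    config system interface
        edit "cust1_mgmt0"
            set vdom "root"
            set ip 10.255.0.1 255.255.255.252
            set allowaccess ping
        next
        edit "cust1_mgmt1"
            set vdom "cust1"
            set ip 10.255.0.2 255.255.255.252
            set allowaccess ping
        next
    end
end

# 2. Root VDOM: allow the SCEP request out of the link toward the FAC's
#    LAN (assumed interface "internal"). NAT hides 10.255.0.0/30 from the FAC
#    so no return route is needed there; drop "set nat enable" and add the
#    route on the FAC if you prefer to see the real VDOM address in its logs.
config vdom
    edit "root"
        config firewall policy
            edit 0
                set name "cust1-scep-to-fac"
                set srcintf "cust1_mgmt0"
                set dstintf "internal"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "HTTP"
                set nat enable
            next
        end
    next
end

# 3. Customer VDOM: its own DNS, a route to the FAC subnet via the link,
#    and the SCEP entry bound to the VDOM-side link address.
config vdom
    edit "cust1"
        config system vdom-dns
            set vdom-dns enable
            set primary 172.26.137.53
        end
        config router static
            edit 0
                set dst 172.26.137.0 255.255.255.0
                set gateway 10.255.0.1
                set device "cust1_mgmt1"
            next
        end
        config vpn certificate local
            edit "fac-scep"
                set scep-url "http://fac.example.internal/cert/scep"
                set source-ip 10.255.0.2
            next
        end
    next
end

# 4. Verify from inside the VDOM before blaming SCEP itself:
#    ping sourced from the link address, then watch the request leave.
config vdom
    edit "cust1"
        execute ping-options source 10.255.0.2
        execute ping 172.26.137.10
        diagnose sniffer packet cust1_mgmt1 'host 172.26.137.10' 4
    next
end
```

If the ping fails, the problem is routing or the root-side policy, not SCEP; if the ping works but the sniffer shows no HTTP traffic when enrollment runs, check that the FQDN in scep-url resolves from this VDOM (VDOM-specific DNS above) and that SCEP is enabled on the FAC interface the request arrives on, as Debbie notes.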