Hi All,
I have an ADVPN setup with certificate authentication. In the firewall, we imported one local CA & root CA_1. If any policy-related changes are pushed via FortiManager to the FortiGate, the VPN CA certificate is additionally pushed to the firewall along with the policy change... so in the firewall, we have two root CAs: root CA_1 & root CA_2.
When the tunnel starts renegotiation, it takes root CA_2 for cert authentication, which causes a "VPN certificate check failed" error and the tunnel goes down.
Solution: I manually deleted root CA_2 in the firewall and the tunnel came up - it works..
Query: I need to know what this behavior is and how to stop the VPN CA certificate from being pushed to the firewall by FortiManager, or any other solution for this..
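
As an added illustration of the failure described above (this is example code, not from the thread, FortiManager or FortiGate), the Go program below uses only the standard library to build a peer certificate issued under a constructed "root CA_1", then validates it three ways: against root CA_1 alone, against a constructed unrelated "root CA_2" alone (which is the "certificate check failed" case), and against both roots installed together. It also shows the selection a verifier has to make when several roots are installed: pick the CA whose key actually signed the peer certificate, not whichever CA was loaded most recently. The CA names, the peer name and the key types are assumptions made for the example; which CA a FortiGate consults for a given tunnel is decided by its configuration, which the thread does not show.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA creates a self-signed root CA (constructed for this example; it stands
// in for the imported "root CA_1" / pushed "root CA_2" from the thread).
func newCA(name string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// issuePeer issues a VPN peer certificate signed by the given CA.
func issuePeer(name string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(100),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// VerifyAgainst reports whether peer chains to any of the given trust anchors.
// A nil error means the chain validated.
func VerifyAgainst(peer *x509.Certificate, anchors ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, a := range anchors {
		pool.AddCert(a)
	}
	_, err := peer.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

// PickIssuer returns the installed CA whose key actually signed peer, or nil.
// With several roots installed, the verifier must choose by signature (and
// issuer name), not by whichever CA was pushed last.
func PickIssuer(peer *x509.Certificate, installed []*x509.Certificate) *x509.Certificate {
	for _, ca := range installed {
		if peer.CheckSignatureFrom(ca) == nil {
			return ca
		}
	}
	return nil
}

// Scenario mirrors the thread: a peer cert issued under root CA_1 while the
// firewall holds both root CA_1 and a pushed root CA_2.
type Scenario struct {
	Root1, Root2, Peer *x509.Certificate
}

func BuildScenario() Scenario {
	root1, key1 := newCA("root CA_1", 1)
	root2, _ := newCA("root CA_2", 2)
	return Scenario{Root1: root1, Root2: root2, Peer: issuePeer("advpn-spoke-peer", root1, key1)}
}

// SigningCA names the CA that PickIssuer selects when CA_2 is listed first.
func SigningCA(s Scenario) string {
	if ca := PickIssuer(s.Peer, []*x509.Certificate{s.Root2, s.Root1}); ca != nil {
		return ca.Subject.CommonName
	}
	return ""
}

func main() {
	s := BuildScenario()
	fmt.Println("trust only root CA_1:", VerifyAgainst(s.Peer, s.Root1))          // <nil>
	fmt.Println("trust only root CA_2:", VerifyAgainst(s.Peer, s.Root2))          // error
	fmt.Println("trust both roots:    ", VerifyAgainst(s.Peer, s.Root1, s.Root2)) // <nil>
	fmt.Println("CA selected by signature:", SigningCA(s))                        // root CA_1
}
```

The third check is the instructive one: a pool holding both roots still validates the peer, because chain building matches the leaf's issuer to the root that signed it. The tunnel only fails when the validator is restricted to root CA_2, so when diagnosing a "certificate check failed" after a CA push, the thing to confirm is which CA the affected peer configuration actually references, not merely how many CAs are installed.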
 
Hello,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hi sandyzzz,
We are still trying to get an answer to your query. We'll respond shortly.
Hi sandyzzz,
Let me know if these steps help:
Copyright 2025 Fortinet, Inc. All Rights Reserved.