sandyzzz
New Contributor

FortiManager - Pushing default VPN certificate to FortiGate makes existing tunnel go down

Hi All,

 

I have an ADVPN setup with certificate authentication. In the firewall, we imported one local CA & root CA_1. If any policy-related changes are pushed via FortiManager to the FortiGate, the VPN CA certificate is additionally pushed to the firewall along with the policy change... so in the firewall, we have two root CAs: root CA_1 & root CA_2.

When the tunnel starts renegotiation, it takes root CA_2 for cert authentication, which causes a "VPN certificate check failed" error and the tunnel goes down.

 

Solution: I manually deleted root CA_2 in the firewall and the tunnel came up - it works.

 

Query: I need to know what this behavior is and how to stop the VPN CA certificate from being pushed to the firewall by FortiManager, or any other solution for this.

 

Sandyzzz
3 REPLIES
Stephen_G
Moderator

Hello,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Stephen - Fortinet Community Team
Stephen_G
Moderator

Hi sandyzzz,

 

We are still trying to get an answer to your query. We'll respond shortly.

Stephen - Fortinet Community Team
Stephen_G
Moderator

Hi sandyzzz,

 

Let me know if these steps help:

  1. Identify the source of the CA certificate: check the FortiManager configuration to identify where the unwanted CA certificate (root CA_2) is being referenced or included in the policy package.
  2. Modify the policy package: navigate to the Policy & Objects section in FortiManager.
     - Review the policy package and ensure that only the desired CA certificates are included.
     - Remove any references to the unwanted CA certificate (root CA_2) from the policy package.
  3. Disable automatic CA certificate push:
     - If FortiManager is configured to automatically push CA certificates, you may need to adjust the settings to prevent this.
     - Go to the Advanced Options in the Policy & Objects section and ensure that the automatic push of CA certificates is disabled or configured correctly.
  4. Re-issue certificates: if necessary, re-issue the correct VPN certificates to ensure that the FortiGate uses the correct CA certificate for authentication.
  5. Test the configuration: after making the changes, test the VPN tunnel to ensure that it uses the correct CA certificate and that the tunnel remains stable.
  6. Monitor for future changes: regularly monitor the FortiManager and FortiGate configurations to ensure that no unwanted changes are made that could reintroduce the issue.

By following these steps, you should be able to prevent the unwanted CA certificate from being pushed to the FortiGate and ensure stable VPN tunnel operation.
Stephen - Fortinet Community Team
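As an added example (not code from the post, from Fortinet or from FortiManager), the following Python script supports steps 1 and 6 above: it parses a FortiGate configuration dump in the FortiOS config/edit/set/next/end layout and reports which CA each certificate-authenticated phase1-interface verifies its peers against (bound through `config user peer` / `set ca`), plus any CA certificate that is installed under `config vpn certificate ca` but not bound to any peer object. Run against a config backup taken before and after a FortiManager push, it flags an extra root such as root CA_2 as soon as it lands rather than when a tunnel renegotiates. The configuration text inside the script is constructed for illustration; names such as root_CA_1, root_CA_2, advpn_peers and advpn-hub are assumptions.

```python
# Added example (not from the forum post): a drift check over a FortiGate
# configuration dump. The SAMPLE_CONFIG below is constructed; PEM bodies are
# replaced by a placeholder and all object names are assumed.

SAMPLE_CONFIG = """
config vpn certificate ca
    edit "root_CA_1"
        set ca "<PEM omitted - constructed sample>"
        set range global
    next
    edit "root_CA_2"
        set ca "<PEM omitted - constructed sample>"
        set range global
    next
end
config user peer
    edit "advpn_peers"
        set ca "root_CA_1"
        set cn-type string
    next
end
config vpn ipsec phase1-interface
    edit "advpn-hub"
        set type dynamic
        set authmethod signature
        set peer "advpn_peers"
        set certificate "fgt_local"
    next
end
"""


def parse_fortios(text):
    """Parse a FortiOS config dump into {section: {entry: {key: value}}}.

    'config <section>' opens a table, 'edit "<name>"' opens an entry,
    'set <key> <value>' assigns, 'next' closes the entry and 'end' closes
    the table. The enclosing entry is kept on a stack so nested tables
    do not lose their parent.
    """
    sections = {}
    section_stack = []
    entry_stack = []
    entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            section_stack.append(line[len("config "):].strip())
            sections.setdefault(section_stack[-1], {})
            entry_stack.append(entry)
            entry = None
        elif line.startswith("edit ") and section_stack:
            name = line[len("edit "):].strip().strip('"')
            entry = sections[section_stack[-1]].setdefault(name, {})
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[len("set "):].partition(" ")
            entry[key] = value.strip().strip('"')
        elif line == "next":
            entry = None
        elif line == "end" and section_stack:
            section_stack.pop()
            entry = entry_stack.pop()
    return sections


def phase1_ca_bindings(sections):
    """Map each certificate-authenticated phase1-interface to the CA that
    verifies its peers (None when the peer object or its CA is missing)."""
    peers = sections.get("user peer", {})
    bindings = {}
    for name, p1 in sections.get("vpn ipsec phase1-interface", {}).items():
        if p1.get("authmethod") != "signature":
            continue  # pre-shared-key tunnels do not use a CA
        peer_obj = peers.get(p1.get("peer", ""), {})
        bindings[name] = peer_obj.get("ca")
    return bindings


def unreferenced_cas(sections):
    """CA certificates installed but not bound by any peer object; an extra
    root appearing here after a FortiManager push is the drift to watch for."""
    installed = set(sections.get("vpn certificate ca", {}))
    bound = {p.get("ca") for p in sections.get("user peer", {}).values() if p.get("ca")}
    return sorted(installed - bound)


if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    for tunnel, ca in phase1_ca_bindings(cfg).items():
        print(f"{tunnel}: peers verified against {ca}")
    for ca in unreferenced_cas(cfg):
        print(f"WARNING: CA '{ca}' is installed but not bound to any peer object")
```

The script only reports drift; which CA the FortiGate actually selects at renegotiation is decided by the device, so an unbound CA is a prompt to inspect the push, not proof of the failure. Feeding it the text of two backups and diffing the two `unreferenced_cas` results gives a simple before/after check for each FortiManager install.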