IPSec VPN with cert authentication: RSA_verify failed

Showing results for 
Search instead for 
Did you mean: 

IPSec VPN with cert authentication: RSA_verify failed

L3 Networker

Hello community!


Created a VPN Palo Alto - Cisco Asa with certificates for Ikev2 gateway authentication.


Cannot establish the VPN. Did a debug and get the following error when the palo alto is trying to validate the ASA´s certificate


[PERR]: RSA_verify failed: 1099255804384:error:04091064:rsa routines:INT_RSA_VERIFY:algorithm mismatch:rsa_sign.c:269:
[PERR]: Invalid SIG.
[DUMP]: { 1: }: result: -1
[PERR]: { 1: }: x.x.x.x[500] - y.y.y.y[500]:0xffe400f8e0 authentication failure
[INFO]: { 1: }: x.x.x.x[500] - y.y.y.y[500]:0xffe400f8e0 authentication result: failure
[DUMP]: { 1: }: ikev2_abort(0xffe40055e0, 14)


Did anyone have the same error? 

The certificate looks fine and it was working in a previous VPN ASA - ASA



Thanks in advance,



Cyber Elite
Cyber Elite


The logs you have listed are complaining about an algorithm mismatch on the cert; until you get that cleared up this will never pass IKEv2. Did you regenerate the certificates specific to this tunnel or are you trying to utilize the default ASA cert for this? 



what exactly do you mean by algorithm mismatch on the cert? The certificates don't have to be the same. I dont really understand what you mean here.

We are facing this issue any hint would be great!



Hi Tisc,


Palo Alto involved Engineering Ipsec team to work on the certificate issue, through an Engineering case : PAN-109745

But cannot find this addressed issue in any existing current relase notes.



Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!