11-22-2018 09:42 AM
Hello community!
Created a VPN Palo Alto - Cisco Asa with certificates for Ikev2 gateway authentication.
Cannot establish the VPN. Did a debug and get the following error when the palo alto is trying to validate the ASA´s certificate
[PERR]: RSA_verify failed: 1099255804384:error:04091064:rsa routines:INT_RSA_VERIFY:algorithm mismatch:rsa_sign.c:269:
[PERR]: Invalid SIG.
[DUMP]: { 1: }: result: -1
[PERR]: { 1: }: x.x.x.x[500] - y.y.y.y[500]:0xffe400f8e0 authentication failure
[INFO]: { 1: }: x.x.x.x[500] - y.y.y.y[500]:0xffe400f8e0 authentication result: failure
[DUMP]: { 1: }: ikev2_abort(0xffe40055e0, 14)
Did anyone have the same error?
The certificate looks fine and it was working in a previous VPN ASA - ASA
Thanks in advance,
Marcos.
11-25-2018 09:21 AM
The logs you have listed are complaining about an algorithm mismatch on the cert; until you get that cleared up this will never pass IKEv2. Did you regenerate the certificates specific to this tunnel or are you trying to utilize the default ASA cert for this?
09-13-2019 02:43 AM
what exactly do you mean by algorithm mismatch on the cert? The certificates don't have to be the same. I dont really understand what you mean here.
We are facing this issue any hint would be great!
Thanks
09-13-2019 03:10 AM
Hi Tisc,
Palo Alto involved Engineering Ipsec team to work on the certificate issue, through an Engineering case : PAN-109745
But cannot find this addressed issue in any existing current relase notes.
Regards.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
