- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
04-23-2020 06:45 AM
Hello,
This is my first post here as I am a new customer of PaloAlto, but not new to networking. I have extensive Cisco background.
We are having an odd problem when trying to create an IKEv1 s2s tunnel between a remote PA220 and Cisco ASA 5525X headend. The PA outside interface has a dynamic address.
We have worked on this issue for days now and even opened a case with PA Support.
We are getting this error on the PA side:
IKE phase-1 negotiation is failed. Peer certificate chain building failed due to unable to get local issuer certificate
In the logs obtained in the CLI, we are seeing this information:
2020-04-23 09:28:06.066 -0400 [PERR]: Trusted CA not found for '/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA' because of subject issuer mismatch.
2020-04-23 09:28:06.066 -0400 [PERR]: Peer certificate chain building failed due to unable to get local issuer certificate.
I have verified that the certificate chain for the public cert being used on the Cisco ASA headend is intact and complete.
Any ideas??? We have scoured the internet for solution/clues on both sides, Cisco and PA, to no avail.
Thanks in advance.
John
04-23-2020 12:26 PM
John,
I'm in a similar position. I will be following this thread closely. Thanks for posting.
09-06-2021 12:10 PM
Did you ever find the answer to this issue? Typically the error "unable to get local issuer certificate" means that the CA used to issue your peer certificate is not in your certificate profile (configured under your IKE Gateway). The certificate profile must contain the entire CA certificate chain regardless of what is in the Default Trusted Certificate Authorities.
07-31-2023 02:20 PM
Hello,
I'm in similar situation, but mine is more weird. I have PA820 at HQ and two PA410 at remote offices. Both PA410 have almost identical configuration (only IP addresses are different). I'm trying to build IPSec tunnels from HQ to remote offices. One of them works as expected. The other gives me the error in the topic of this thread. The weird thing is that the same CA (internally generated at PA820) issued certificates to both remote offices, but only one of them works while the other doesn't. I checked hundred times and I'm sure the configuration is identical, the "local issuer certificate" is the same for both IKE gateways. I can't understand how is it possible that one remote site works without problems while the other fails to get that local issuer certificate ?!?
08-01-2023 06:35 AM
Hi @GeorgeAPH ,
Is your PAN-OS the same on both NGFWs? I ran into this error with a certificate profile for an EDL. An upgrade to 10.2.4 fixed the issue. It turned out to be a bug in the code.
Thanks,
Tom
08-01-2023 06:53 AM
Hi, @TomYoung,
Yes, both my satellite firewalls (working and non-working) are one and the same 11.x.x version.
The hub however is on 10.x.x. Thanks for the suggestion, I'll try to see what an upgrade would do for me.
03-19-2024 07:45 AM
Hi TomYoung,
I have a customer facing same issue with EDL certificate, I saw you post here as well
The customer is not willing to upgrade without knowing the bug ID, do you have it?
Thank you in advance.
Best regards
Angelo Oghittu
03-19-2024 09:03 AM
Hi @AngeloOghittu ,
TAC would not give me a bug ID. I would send the customer this link -> and encourage they upgrade to the recommended version.
Thanks,
Tom
03-20-2024 07:40 AM
Hi @TomYoung ,
thank you for your reply. The problem is that the customer is not willing to upgrade to the recommended version due to another bug and
because need to know the issue ID.
I think I should contact the TAC at this point.
Br
Angelo
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!