04-23-2020 06:45 AM
This is my first post here as I am a new customer of Palo Alto, but not new to networking. I have an extensive Cisco background.
We are having an odd problem when trying to create an IKEv1 site-to-site tunnel between a remote PA-220 and a Cisco ASA 5525-X headend. The PA outside interface has a dynamic address.
We have worked on this issue for days now and even opened a case with PA Support.
We are getting this error on the PA side:
IKE phase-1 negotiation is failed. Peer certificate chain building failed due to unable to get local issuer certificate
In the logs obtained in the CLI, we are seeing this information:
2020-04-23 09:28:06.066 -0400 [PERR]: Trusted CA not found for '/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA' because of subject issuer mismatch.
2020-04-23 09:28:06.066 -0400 [PERR]: Peer certificate chain building failed due to unable to get local issuer certificate.
I have verified that the certificate chain for the public cert being used on the Cisco ASA headend is intact and complete.
Any ideas? We have scoured the internet for solutions/clues on both sides, Cisco and PA, to no avail.
Thanks in advance.
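The two log lines above describe one operation: the firewall takes the certificate bundle the peer sent, walks issuer to subject until it reaches a CA it trusts, and gives up with "unable to get local issuer certificate" when the next issuer it needs (here, the DigiCert Global Root CA named in the PERR line) is not in its trusted set. The following script is an added example, not from the original post and not PAN-OS or ASA code: it builds a throwaway root, intermediate and headend certificate with openssl and runs the same chain-building step three ways, so the exact failure text can be reproduced locally. It assumes `openssl` is on the PATH; every subject, file name and key in it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread and not PAN-OS or ASA code: build a throwaway
# root -> intermediate -> end-entity chain with openssl, then run the chain-building
# step a validating peer performs against (a) the right trust anchor, (b) an
# unrelated trust anchor, and (c) a bundle with the intermediate missing.
# Every subject, file name and key here is constructed for the demonstration.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension text applied when signing: CA certs must carry CA:TRUE or the chain
# builder rejects them as issuers; the headend cert is an ordinary end entity.
CA_EXT='basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign'
EE_EXT='basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth,clientAuth'

# newcsr NAME SUBJECT: fresh RSA key plus CSR for NAME (throwaway key, unencrypted)
newcsr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "$2" >/dev/null 2>&1
}
# selfsign NAME: self-signed root from NAME's CSR, with CA extensions
selfsign() {
  printf '%s\n' "$CA_EXT" > "$1.ext"
  openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 30 -extfile "$1.ext" \
    -out "$1.pem" >/dev/null 2>&1
}
# sign NAME CA EXT: certificate for NAME's CSR issued by CA, with extensions EXT
sign() {
  printf '%s\n' "$3" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -days 30 -extfile "$1.ext" -out "$1.pem" >/dev/null 2>&1
}

# Constructed PKI: a public-style root, its issuing intermediate, the VPN headend's
# identity cert, and an unrelated root standing in for "the wrong CA is trusted".
newcsr root    '/C=US/O=Example CA/CN=Example Global Root CA';  selfsign root
newcsr other   '/C=US/O=Other CA/CN=Unrelated Root CA';         selfsign other
newcsr inter   '/C=US/O=Example CA/CN=Example Issuing CA G2';   sign inter root "$CA_EXT"
newcsr headend '/C=US/O=Example Corp/CN=vpn.example.com';       sign headend inter "$EE_EXT"

# What the peer sends in IKE: its own cert first, then any intermediates.
cat headend.pem inter.pem > full.pem   # complete bundle
cp headend.pem leaf_only.pem           # headend configured without its intermediate

subject_of() { openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'; }
issuer_of()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//'; }

# link_status CERT CANDIDATE_ISSUER: OK when CERT's issuer DN equals the candidate's
# subject DN. A chain builder matches on this before it tries the signature; a failed
# match is the "subject issuer mismatch" wording in the firewall log.
link_status() {
  if [ "$(issuer_of "$1")" = "$(subject_of "$2")" ]; then echo OK; else echo MISMATCH; fi
}

# chain_status BUNDLE TRUSTED: verify the first cert in BUNDLE, using the rest of
# BUNDLE as untrusted intermediates and TRUSTED as the trust-anchor set. Prints OK
# or openssl's reason, which is the same text quoted in the firewall's PERR line.
chain_status() {
  openssl x509 -in "$1" -out leaf.tmp 2>/dev/null
  out=$(openssl verify -CAfile "$2" -untrusted "$1" leaf.tmp 2>&1) && { echo OK; return; }
  echo "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1
}

printf '%-46s %s\n' 'intermediate issuer == root subject?'       "$(link_status inter.pem root.pem)"
printf '%-46s %s\n' 'intermediate issuer == unrelated root?'     "$(link_status inter.pem other.pem)"
printf '%-46s %s\n' 'full bundle, right root trusted:'           "$(chain_status full.pem root.pem)"
printf '%-46s %s\n' 'full bundle, unrelated root trusted:'       "$(chain_status full.pem other.pem)"
printf '%-46s %s\n' 'intermediate missing, right root trusted:'  "$(chain_status leaf_only.pem root.pem)"
```

The last two cases both end in "unable to get local issuer certificate", which is why a chain that is complete on the headend can still fail on the peer: the validating side either does not have the root the intermediate chains to in its own trusted set, or never received the intermediate and does not hold a local copy. The PERR line in the post names the CA the PA could not find, so the practical check is whether that exact root (matched by subject DN, then by signature) is present among the CA certificates the firewall trusts for this gateway, rather than whether the chain installed on the ASA is complete.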