Hello,

This is my first post here as I am a new customer of PaloAlto, but not new to networking. I have an extensive Cisco background.

We are having an odd problem when trying to create an IKEv1 s2s tunnel between a remote PA220 and a Cisco ASA 5525X headend. The PA outside interface has a dynamic address. We have worked on this issue for days now and even opened a case with PA Support.

We are getting this error on the PA side:

IKE phase-1 negotiation is failed. Peer certificate chain building failed due to unable to get local issuer certificate

In the logs obtained in the CLI, we are seeing this information:

2020-04-23 09:28:06.066 -0400 [PERR]: Trusted CA not found for '/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA' because of subject issuer mismatch.
2020-04-23 09:28:06.066 -0400 [PERR]: Peer certificate chain building failed due to unable to get local issuer certificate.

I have verified that the certificate chain for the public cert being used on the Cisco ASA headend is intact and complete.

Any ideas??? We have scoured the internet for solutions/clues on both sides, Cisco and PA, to no avail.

Thanks in advance.

John