Another quick thought would be a Panorama running a newer version and using features that are not supported on the firewall you're pushing it to.
How were the objects created initially? The way you're explaining it sounds to me like an import gone wrong, where the firewall/Panorama did load the object but something is "off" with the way it's in the running XML.
Did it all of a sudden stop working, or is this a new implementation or upgrade? One thing to look for is that on the local firewall, Panorama is allowed to push objects. As you're stating that a blank push of a firewall policy without objects is working, I believe this is enabled. Make sure the object or object group you're trying to push out isn't bound to a certain firewall but is in the "Shared" object space, or in the object space specifically for that FW. If the item is a group containing more IPs, FQDNs or objects, it never hurts to check the actual sub-objects for errors.
Taking the original error and picking it apart piece by piece: "Peer's ID payload ' IPv4_address:xxx.xxx.xxx.xxx' does not match certificate ID, Error: failed to get subjectAltName". It would seem that their side does have the Local ID field and IP field filled with an IP address; however, the certificate they use doesn't seem to have a SAN at all, or doesn't have a matching IP address SAN on the certificate. Looking at the last bit, my guesstimate would be the second case. The next step would be to verify whether this is actually the case, by either having them check the config or making a PCAP of the initial exchange to capture the certificate info (depending on the IKE version and mode of connection (Main/Aggressive)).
Are you seeing the "Unable to fetch external dynamic list. Couldn't connect to server. Using old copy for refresh." message only on the passive device, and does the MGMT IP of the passive device have connectivity to your MineMeld URL? As you're stating that manually forcing an update works, I'm assuming that it does; however, I might be interpreting your scenario sketch wrongly. What we've seen with some of our customers is that the error "Unable to fetch external dynamic list. Couldn't connect to server. Using old copy for refresh." is at times shown on the active device when there are no new or removed IP addresses on the EDL, instead of a "Successfully connected, no changes to the list were detected, using old copy" message. With a manual refresh you force out the old EDL information, and it would be expected to see that it updated successfully. It could be a simple issue of the wrong error code being shown, but it still might be worth opening a case with TAC to confirm this is the case.
That would mean the peer firewall is sending its IP address as the Local Identifier; however, the question is whether this is also defined on the certificate the peer is using, as that needs to match as well. So the peer's certificate would need a SAN attribute "IP Address" with its IP.
Gotcha, just to clarify: did you also designate SAN attributes for your firewall cert and for the cert the other firewall is using? Like: The additional attributes are SAN items, which seem related to the error where no additional attributes were found. It would end up looking something similar to the below screenshot if the other side has a certificate with Email Otherunit@local.local. Lastly, the intermediate and/or root need to be marked in the certificate store as trusted CAs.
Are you sure you've imported the peer's certificate, or the signer of the certificate, into the local firewall and added a certificate profile containing this certificate which applies to the VPN? The peer identification, local and peer, needs to match on both sides (reversed local/remote), and the cert profile, if containing the cert marked as trusted, should set up the Phase 1 connection.
If you can generate a new certificate, it would definitely be worth generating a new one containing additional SAN entries. I'd suggest tagging on the SAN entries Hostname, FQDN and IP address, and checking if you can get the firewall to recognize these attributes as the peer identification.
The error seems to suggest that either A) the other side is sending a local identification that does not match any SAN that is present on the certificate, or B) the certificate does not contain a SAN attribute at all. Are both sides under your control, where you're able to generate a new certificate if need be, or inspect the current attributes of the certificate it's using? Also make sure the Certificate Profile on the VPN contains the intermediate, root or self-signed certificate and that it is marked as a trusted certificate in the local device store.
If your security policy is set to have any source IP, it would mean that access would not be limited to the ms-office365 application. Once you add the explicitly required apps to the rule, they are seen as separate entities, and one would, for instance, be able to web-browse to your internal server without any intention of using the ms-office365 application.