ikev2 mobile VPN stopped working - certificate expired on live logs

Hello,

The IKEv2 mobile VPN randomly stopped working for all users.
When attempting to connect, I'm getting the below live logs:

2025-01-11 11:30:32iked(192.168.100.101<->102.x.x.x)CMgrFormCertChain: the specified certificate(id=29200) is not valid, reason:<6_981>:certificate expired
2025-01-11 11:30:32iked(192.168.100.101<->102.x.x.x)CMgrFormCertChain: Certificate chain forming failure because there is no matching certificate
2025-01-11 11:30:32iked(192.168.100.101<->102.x.x.x)IkeGetCertChainByCertID: Form Cert Chain failed
2025-01-11 11:30:32iked(192.168.100.101<->102.x.x.x)ike2 Construct CERT Payload : Form Cert Chain failed
2025-01-11 11:30:52iked(192.168.100.101<->102.x.x.x)ike_user_free: invalid arguments User:0xd77ca90 IKE policy:0xd769c38

Below are the firebox certificates:

Can someone please suggest what the issue is?

Regards,
Yugal

Best Answers

  • Yes you should open a support case on this.

  • edited January 20 (accepted answer)

    UPDATE:

    Following the case with the support team,
    we found that an ike2 certificate was not being renewed on the Firebox.
    Running "show certificates" on the CLI showed:

    -- Total 1 Expired Certificate(s)

    Id Name Purpose Algorithm Key Length Subject
    29200 RSA 2048 o=WatchGuard ou=Fireware cn=ike2muvpn Server

    The following command helped to resolve the issue:

    diagnose vpn "/ike/restart"

    The cert was renewed and the IKEv2 VPN started working again without re-deploying new VPN clients :smiley:
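As an added example (not code from the original thread or from WatchGuard), the following Python script does the triage the two posts above describe by hand: it parses the iked live-log lines from the question to pull out the rejected certificate ID and the reason text, parses the "show certificates" summary from the accepted answer, and reports which IDs the IKE daemon rejected as expired that the CLI also lists as expired. The sample strings are copied from the thread; the regular expressions are my assumptions about the line layout as it appears on this page and may need adjusting for other Fireware versions.

```python
"""Triage IKEv2 certificate-expiry failures on a WatchGuard Firebox.

Added example; not code from the original thread or from WatchGuard. The
regular expressions encode assumptions about the log and CLI layout shown
in the thread, not a documented format.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Sample input, copied from the thread (peer address redacted as in the post).
SAMPLE_LOG = """\
2025-01-11 11:30:32iked(192.168.100.101<->102.x.x.x)CMgrFormCertChain: the specified certificate(id=29200) is not valid, reason:<6_981>:certificate expired
2025-01-11 11:30:32iked(192.168.100.101<->102.x.x.x)CMgrFormCertChain: Certificate chain forming failure because there is no matching certificate
2025-01-11 11:30:32iked(192.168.100.101<->102.x.x.x)IkeGetCertChainByCertID: Form Cert Chain failed
2025-01-11 11:30:32iked(192.168.100.101<->102.x.x.x)ike2 Construct CERT Payload : Form Cert Chain failed
2025-01-11 11:30:52iked(192.168.100.101<->102.x.x.x)ike_user_free: invalid arguments User:0xd77ca90 IKE policy:0xd769c38
"""

# Sample "show certificates" output, copied from the accepted answer.
SAMPLE_SHOW_CERTS = """\
-- Total 1 Expired Certificate(s)

Id Name Purpose Algorithm Key Length Subject
29200 RSA 2048 o=WatchGuard ou=Fireware cn=ike2muvpn Server
"""

# Assumed layout: "<timestamp><process>(<local><-><peer>)<function>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
    r"(?P<proc>\w+)\((?P<local>[^<]+)<->(?P<peer>[^)]+)\)"
    r"(?P<func>[^:]+):\s*(?P<msg>.*)$"
)
# Assumed layout of the certificate-validation failure message.
CERT_RE = re.compile(
    r"certificate\(id=(?P<id>\d+)\) is not valid, reason:<(?P<code>[^>]+)>:(?P<reason>.+)$"
)
TOTAL_RE = re.compile(r"Total (\d+) Expired Certificate\(s\)")
ROW_RE = re.compile(r"^(?P<id>\d+)\s+(?P<rest>.*)$")  # table rows start with the numeric Id


@dataclass(frozen=True)
class CertFailure:
    timestamp: str
    peer: str
    cert_id: int
    code: str
    reason: str


def parse_cert_failures(log_text: str) -> List[CertFailure]:
    """One record per CMgrFormCertChain line that names a rejected certificate."""
    failures: List[CertFailure] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("func").strip() != "CMgrFormCertChain":
            continue
        c = CERT_RE.search(m.group("msg"))
        if not c:
            continue  # e.g. the follow-up "no matching certificate" line
        failures.append(CertFailure(
            timestamp=m.group("ts"),
            peer=m.group("peer").strip(),
            cert_id=int(c.group("id")),
            code=c.group("code"),
            reason=c.group("reason").strip(),
        ))
    return failures


def parse_expired_certs(show_output: str) -> Dict[int, str]:
    """Map certificate Id -> rest of its row in the expired-certificate table."""
    expired: Dict[int, str] = {}
    for line in show_output.splitlines():
        row = ROW_RE.match(line.strip())
        if row:
            expired[int(row.group("id"))] = row.group("rest")
    return expired


def expired_total(show_output: str) -> int:
    """The count from the CLI's "-- Total N Expired Certificate(s)" line (0 if absent)."""
    m = TOTAL_RE.search(show_output)
    return int(m.group(1)) if m else 0


def certs_needing_renewal(log_text: str, show_output: str) -> List[int]:
    """Ids rejected by iked as expired that the CLI also lists as expired."""
    expired = parse_expired_certs(show_output)
    ids = {f.cert_id for f in parse_cert_failures(log_text)
           if f.reason == "certificate expired" and f.cert_id in expired}
    return sorted(ids)


if __name__ == "__main__":
    for f in parse_cert_failures(SAMPLE_LOG):
        print(f"{f.timestamp} peer={f.peer} cert={f.cert_id} {f.code}: {f.reason}")
    print("expired on Firebox:", expired_total(SAMPLE_SHOW_CERTS), parse_expired_certs(SAMPLE_SHOW_CERTS))
    print("renew:", certs_needing_renewal(SAMPLE_LOG, SAMPLE_SHOW_CERTS))
```

The script only identifies the certificate; the remedy in the thread was to run diagnose vpn "/ike/restart" on the Firebox, after which the certificate was regenerated. Because the CMgrFormCertChain lines are emitted on every connection attempt, the parse_cert_failures() check is also a reasonable thing to run against exported logs as an early warning, before all users are locked out.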

Answers

  • james.carson, Moderator, WatchGuard Representative

    Hi @Yugal_R
    Can you please check the cert that is installed onto the client PC(s). If that has expired, the firewall may regenerate a certificate to keep it current, but the only way to distribute it to your workstations would be via the IKEv2 profile.

    Try downloading a new IKEv2 profile, and installing it on one of your PCs. Do you see the same issue happening?

    -James Carson
    WatchGuard Customer Support

  • Hello @james.carson,

    I removed the old config file, downloaded and installed a new one, and placed the root CA cert in Trusted Root Certificate Authorities.

    Still the same error in the logs.

    Maybe I should raise a ticket with the support team.

    Kind regards,

  • james.carson, Moderator, WatchGuard Representative

    @Yugal_R I would suggest opening a support case.

    -James Carson
    WatchGuard Customer Support
