SamPirok
Community Manager

Summary

Default certificates in XIQ expired on June 24, 2023, which may cause VPN tunnel outages and RADIUS authentication outages.

Background

Any VGVA or RADIUS server using default certificates may be affected.

Products Affected

VGVA and any device acting as a RADIUS server

Software Affected

N/A

Solution

Run the following commands on the VGVA and XR router to check certificate validity and IKE events:

  • #show vpn ike configuration (the certificate details, subject and validity, appear at the bottom of the output)
  • #show vpn ike event (displays the IKE event logs)
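
Where a certificate is also available as a PEM file off the device, its remaining validity can be checked ahead of expiry with OpenSSL. This is an added example, not part of the field notice; it assumes `openssl` is installed, and the function names, file arguments and 30-day default window are illustrative choices.

```shell
#!/bin/sh
# Added example: classify PEM certificates by remaining validity.
# Assumes openssl is installed and the certificates are exported as PEM files.

# cert_status FILE [DAYS]
# Prints one of: ok, expiring (within DAYS, default 30), expired, unreadable.
# Exit status: 0 ok, 1 expiring, 2 expired, 3 unreadable.
cert_status() {
    cert=$1
    days=${2:-30}
    # Reject anything openssl cannot parse as an X.509 certificate.
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo "unreadable"
        return 3
    fi
    # -checkend N exits 0 only if the certificate is still valid N seconds from now.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "expired"
        return 2
    fi
    if ! openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        echo "expiring"
        return 1
    fi
    echo "ok"
    return 0
}

# cert_report FILE...
# Prints one line per file: status, file name, subject and notAfter date.
cert_report() {
    for f in "$@"; do
        status=$(cert_status "$f" 30) || true
        subject=$(openssl x509 -in "$f" -noout -subject 2>/dev/null) || true
        enddate=$(openssl x509 -in "$f" -noout -enddate 2>/dev/null) || true
        printf '%-10s %s  %s  %s\n' "$status" "$f" "$subject" "$enddate"
    done
}

# Run as a script: sh cert_check.sh cert1.pem cert2.pem ...
if [ "$#" -gt 0 ]; then
    cert_report "$@"
fi
```

A non-zero exit status from `cert_status` makes it easy to wire into a scheduled job that alerts before a certificate lapses.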


Renew the certificate to resolve this issue:

  1. From XIQ GUI>Configure>Common Objects>Certificate Management
  2. Click ADD (+) ExtremeCloud IQ CA
  3. Enter all the information (i.e. Common Name, Org Name, etc...) then Save
  4. Click ADD (+) select "Concatenate an existing certificate and private key"
  5. Fill in (HTTPS Certificate/Key Name) = VGVA (to be used in IPSec VPN Certificate Authority settings)
  • Certificate select = Default_CA.pem
  • Private key select = Default_key.pem
  • Save

6. For VPN:

  • Go to Network Policy>Branch routing>VPN service>Click on your VPN service
  • In the Optional Settings, select the certificate previously created
  • IPSec VPN Certificate Authority settings
  • VPN Certificate Authority = VGVA
  • VPN Server Authority = VGVA
  • VPN Server Cert Private Key = VGVA
  • Save

 

7. For RADIUS server:

  • Edit your RADIUS server configuration and select Security Options
  • Select the newly created Certificate in the three dropdown menus
  • Save

8. Push delta / complete update to VGVA & XR router

 

Please see the full Field Notice article here for more details and updates. 
