Summary
Default certificates in XIQ expired on June 24, 2023, which may cause VPN tunnel outages and RADIUS authentication outages.
Background
Any VGVA or RADIUS server using default certificates may be affected.
Products Affected
VGVA and any device acting as a RADIUS server
Software Affected
N/A
Solution
Run the following commands on the VGVA and XR router to check the certificate validity and IKE events:
- #show vpn ike configuration (the certificate details, subject and validity, appear at the bottom of the output)
- #show vpn ike event (this CLI command provides the IKE event logs)
The certificate must be renewed to resolve this issue:
1. From XIQ GUI>Configure>Common Objects>Certificate Management
2. Click ADD (+) ExtremeCloud IQ CA
3. Enter all the information (i.e. Common Name, Org Name, etc.) then Save
4. Click ADD (+) select "Concatenate an existing certificate and private key"
5. Fill in (HTTPS Certificate/Key Name) = VGVA (to be used in IPSec VPN Certificate Authority settings)
- Certificate select = Default_CA.pem
- Private key select = Default_key.pem
- Save
6. For VPN:
- Go to Network Policy>Branch routing>VPN service>Click on your VPN service
- In the Optional Settings, select the certificate previously created
- IPSec VPN Certificate Authority settings
- VPN Certificate Authority = VGVA
- VPN Server Authority = VGVA
- VPN Server Cert Private Key = VGVA
- Save
7. For RADIUS server:
- Edit your RADIUS server configuration and select Security Options
- Select the newly created Certificate in the three dropdown menus
- Save
8. Push delta / complete update to VGVA & XR router
Please see the full Field Notice article here for more details and updates.