Identity Collector fails to connect to a Security Gateway due to MultiPortal certificate

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk170112
Technical Level
Product	Identity Awareness
Version	R80.10 (EOL), R80.20 (EOL), R80.30 (EOL), R80.40, R81, R81.10
OS	Gaia
Platform / Model	All
Date Created	26-Oct-2020
Last Modified	09-Nov-2022

Symptoms

"Identity collector cannot connect to Security Gateway - refer to sk113021" is shown when using the "Test" button.
Kernel Debug as per sk105723 does not show the same symptoms.
Identity Collector service debugs (sk122686) in ia_ag.log shows the following error:
[WinHttpCCC (NAC::IS::TD::Surprise)] UTILS::WinHttpCCC::asyncCallbackMethod: STATUS_REQUEST_ERROR: error 12175 (async API 5) on request (id 1 - 69728f8)
A traffic capture shows that the Server Certificate that the Security Gateway presents to the Identity Collector is already expired based on its validity range and the IDC closes the connection shortly after.

Cause

Bad / Expired certificate on the Security Gateway on one of the MultiPortal services.

To help pin-point the certificate, it can be identified based on a packet capture when the Security Gateway presents its certificate to the Identity Collector.

In the following example the certificate is expired (captured on Oct. 17 2020) and was found to be on the Captive Portal:

Solution

Note: To view this solution you need to Sign In .