
DMVPN - Certificates don't auto-renew

plemieux72
Level 1

Hi,

I have a DMVPN with RSA certs (and an internal IOS CA Server on a router) that have been up for many months, however, recently, the spoke certs have started expiring. Since auto-renew is enabled, I granted the "pending" certs on the CA server but the spokes were never able to obtain their new certs even though the VPN tunnels were still up. Eventually, I ran out of time for troubleshooting and all tunnels expired and were torn down due to IKE failures because of expired certs.

Any idea why granting the certs didn't have any effect?

Thanks

2 Replies

tstanik
Level 5

Some certificate authorities require you to generate a new key pair to renew a certificate, while other certificate authorities allow you to use the key pair of the expiring certificate to renew a certificate. Also note that some CA servers require a new key to be generated when renewing a certificate.

For an IOS CA Server running 12.4(11)T3/ADV SECURITY... what would I need to check to verify this is the case? I followed the SRND and never saw anything related to rekeying.

Also, wouldn't a rekey on a remote client be disruptive? I mean, if it's seamless and the tunnels stay up... I am fine with it. However, otherwise, I'd have to find alternatives.

Thanks very much for your response!
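As an added example (not configuration from either poster, and not a diagnosis of the failure above), here is what the "regenerate key at renewal" behaviour looks like on an IOS spoke, the matching IOS CA server setting that decides whether renewal requests are auto-granted or left pending, and the show/debug commands to check before the next renewal window. All hostnames, labels, addresses and lifetimes are assumed values.

```ios
! --- Spoke: trustpoint for the internal IOS CA ---
crypto pki trustpoint DMVPN-CA
 enrollment url http://192.0.2.1:80
 subject-name CN=spoke1.example.net,OU=DMVPN
 revocation-check none
 rsakeypair SPOKE1-KEY 2048
 ! Re-enrol at 70% of the certificate lifetime. The "regenerate" keyword
 ! builds a new RSA key pair for the renewal request; without it the
 ! request re-uses the existing key pair, which some CAs reject.
 auto-enroll 70 regenerate

! --- IOS CA server on the hub-side router ---
! Without "grant auto" every request, renewals included, waits in the
! pending queue until an administrator grants it. Only use "grant auto"
! where the SCEP URL is reachable solely from the DMVPN routers.
crypto pki server DMVPN-CA
 database level complete
 lifetime certificate 365
 lifetime ca-certificate 1825
 grant auto
 no shutdown

! --- Checks on the spoke (exec mode) ---
! Validity dates are evaluated against this clock; keep NTP in sync.
show clock
! A renewal in progress shows the current certificate and a "Rollover"
! certificate side by side; the old one stays in use until cut-over.
show crypto pki certificates
! Confirms the auto-enroll percentage and which key label is in use.
show crypto pki trustpoints
! Shows when the RENEW timer for the trustpoint fires.
show crypto pki timers
! Watch the SCEP exchange with the CA during a renewal attempt.
debug crypto pki transactions

! --- Checks on the CA (exec mode) ---
show crypto pki server
crypto pki server DMVPN-CA info requests
! Grant one pending request by its ID, or all of them.
crypto pki server DMVPN-CA grant all
```

Because IOS keeps the existing certificate and key pair in place until the renewed certificate has actually been received, a renewal that completes is not disruptive to established tunnels; the time to verify that is while both certificates are visible in `show crypto pki certificates`, well before the old one expires and IKE can no longer authenticate.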