I've been dealing with an issue and I'm getting two different answers from Cisco TAC, so I decided to post it here and see if anyone can help me. I have a 7206VXR (NPE-G2) running version 12.4(11)T3; this router was crashing once in a while, so TAC recommended upgrading to 12.4-20.T1, which I did, and then all my DMVPN tunnels were bouncing.
My question is that I noticed something in the error logs:
%CRYPTO-6-IKMP_NO_ID_CERT_FQDN_MATCH: ID of rthost1.corp.mydomain.com (type 2) and certificate fqdn with rthost1xx.corp.mydomain.com
I noticed that the router host name has changed since the first time the crypto certificate was created. The host name was changed manually for whatever reason. When the 7206 is on version 12.4(11)T3 I don't see any FQDN certificate errors, but as soon as I upgraded to 12.4-20.T1 I see them and the tunnels bounced. Question: does it matter that the host name of the router has changed and doesn't match what's under the crypto config, even after the tunnels were working fine for a while? One Cisco engineer says it doesn't, the other one says it does. What do you guys think?
This is a spoke site:
Router host name: rthost1
crypto pki trustpoint corp.mydomain.com
enrollment retry count 5
enrollment retry period 3
enrollment url http://X.X.X.X:80
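An added example, not part of the original post or any Cisco tool: a small Python parser for the %CRYPTO-6-IKMP_NO_ID_CERT_FQDN_MATCH message, run over constructed log lines (the first one is the message quoted above; the syslog-prefixed lines, the hub name "hub1", the peer "spoke7" and the timestamps are made up). It decodes the "(type 2)" field using the IKEv1 ID types from RFC 2407 and flags peers whose IKE identity and certificate FQDN share a domain but differ only in the host label, which is the pattern a renamed router produces when its certificate was enrolled under the old name.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# IKEv1 (IPsec DOI) identification types, RFC 2407 section 4.6.2.1.
# The "(type 2)" in the IOS message is ID_FQDN: the peer identified itself by
# its fully qualified host name, which IOS derives from "hostname" plus
# "ip domain-name".
IKE_ID_TYPES = {
    1: "ID_IPV4_ADDR",
    2: "ID_FQDN",
    3: "ID_USER_FQDN",
    9: "ID_DER_ASN1_DN",
    11: "ID_KEY_ID",
}

# Shape of the IOS message quoted in the post. search() (not match) lets a
# syslog server's timestamp/sequence prefix precede the message.
LOG_RE = re.compile(
    r"%CRYPTO-6-IKMP_NO_ID_CERT_FQDN_MATCH: ID of (?P<ike_id>\S+) "
    r"\(type (?P<id_type>\d+)\) and certificate fqdn with (?P<cert_fqdn>\S+)"
)


@dataclass(frozen=True)
class FqdnMismatch:
    ike_id: str        # identity the peer sent in IKE phase 1
    id_type: str       # decoded RFC 2407 ID type name
    cert_fqdn: str     # FQDN carried in the peer's certificate
    same_domain: bool  # True when only the host label differs


def parse_mismatch(line: str) -> Optional[FqdnMismatch]:
    """Return the mismatch recorded in one syslog line, or None for any
    other message."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ike_id = m.group("ike_id").rstrip(".").lower()
    cert_fqdn = m.group("cert_fqdn").rstrip(".").lower()
    raw_type = int(m.group("id_type"))
    id_type = IKE_ID_TYPES.get(raw_type, f"type {raw_type}")
    # A renamed router keeps its domain suffix: rthost1 vs rthost1xx under the
    # same corp.mydomain.com is the signature of a hostname change made after
    # the certificate was enrolled.
    same_domain = ike_id.split(".", 1)[1:] == cert_fqdn.split(".", 1)[1:]
    return FqdnMismatch(ike_id, id_type, cert_fqdn, same_domain)


def summarize(lines) -> Counter:
    """Count hits per (IKE identity, certificate FQDN) pair so each affected
    peer shows up once with how often it tripped the check."""
    counts: Counter = Counter()
    for line in lines:
        mm = parse_mismatch(line)
        if mm:
            counts[(mm.ike_id, mm.cert_fqdn)] += 1
    return counts


# Constructed sample log: line 1 is the message quoted in the post, the rest
# are made up to show repeated hits, a different peer and an unrelated message.
SAMPLE_LOG = [
    "%CRYPTO-6-IKMP_NO_ID_CERT_FQDN_MATCH: ID of rthost1.corp.mydomain.com (type 2) "
    "and certificate fqdn with rthost1xx.corp.mydomain.com",
    "Mar  1 10:00:05 hub1 12345: %CRYPTO-6-IKMP_NO_ID_CERT_FQDN_MATCH: ID of "
    "rthost1.corp.mydomain.com (type 2) and certificate fqdn with rthost1xx.corp.mydomain.com",
    "Mar  1 10:00:07 hub1 12346: %CRYPTO-6-IKMP_NO_ID_CERT_FQDN_MATCH: ID of "
    "spoke7.corp.mydomain.com (type 2) and certificate fqdn with spoke7.lab.example",
    "Mar  1 10:00:09 hub1 12347: %SYS-5-CONFIG_I: Configured from console by console",
]


if __name__ == "__main__":
    for (ike_id, cert_fqdn), n in summarize(SAMPLE_LOG).items():
        mm = parse_mismatch(next(l for l in SAMPLE_LOG if ike_id in l.lower()))
        hint = "host label changed, same domain" if mm.same_domain else "different domain"
        print(f"{n}x  IKE ID {ike_id} vs cert {cert_fqdn}  ({mm.id_type}; {hint})")
```

A peer that appears in the summary with same_domain set is the one to look at on the spoke: compare the identity it presents in IKE with the FQDN in its enrolled certificate before deciding whether re-enrollment is needed.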