Unanswered Question
Jan 30th, 2009
Hello all,

I've been dealing with an issue and I'm getting two different answers from Cisco TAC, so I decided to post it here and see if anyone can help me. I have a 7206VXR (NPE-G2) with Version 12.4(11)T3. This router was crashing once in a while, so TAC recommended upgrading to 12.4(20)T1, which I did, and then all my DMVPN tunnels were bouncing.

My question is about something I noticed in the error logs:

%CRYPTO-6-IKMP_NO_ID_CERT_FQDN_MATCH: ID of (type 2) and certificate fqdn with

I noticed that the router host name has changed since the first time the crypto certificate was created. The host name was changed manually for whatever reason. When the 7206 is on 12.4(11)T3 I don't see any FQDN certificate errors, but as soon as I upgraded to 12.4(20)T1 I see them and the tunnels bounced. Question: Does it matter that the host name of the router has changed and no longer matches what's under the crypto config, even after the tunnels were working fine for a while? One Cisco engineer says it doesn't, the other one says it does. What do you guys think?

This is a spoke site:

Router host name: rthost1

crypto pki trustpoint
 enrollment retry count 5
 enrollment retry period 3
 enrollment url http://X.X.X.X:80
 serial-number none
 ip-address none
 subject-name l=NC,c=US
 revocation-check none
 auto-enroll 70

didyap Thu, 02/05/2009 - 08:02
ISAKMP entities assume an identity to inform the peer of their characteristics. The claimed identity did not match the information retrieved from the FQDN of the certificate of the peer.
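To make the mismatch concrete, here is an added example (not from the original thread or from Cisco) that builds a constructed self-signed stand-in for the certificate the router enrolled under its old host name, then checks it against the FQDN identity (ID type 2, hostname plus domain) the router presents after the host name change. The host names rthost0/rthost1 and the domain example.com are assumptions; it needs the `cryptography` package.

```python
# Added example, not code from the original post. Models the failure:
# the certificate still carries the FQDN from enrollment time, while the
# IKE identity is derived from the router's current hostname.
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def ike_fqdn_identity(hostname: str, domain: str) -> str:
    """FQDN identity (ISAKMP ID type 2) built from hostname + ip domain-name."""
    return f"{hostname}.{domain}".lower()


def make_router_cert(enroll_fqdn: str) -> x509.Certificate:
    """Constructed self-signed stand-in for the cert issued at enrollment time."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.LOCALITY_NAME, "NC"),
                      x509.NameAttribute(NameOID.COUNTRY_NAME, "US")])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=365))
            .add_extension(x509.SubjectAlternativeName([x509.DNSName(enroll_fqdn)]),
                           critical=False)
            .sign(key, hashes.SHA256()))


def cert_fqdns(cert: x509.Certificate) -> set:
    """Every FQDN the certificate asserts: SAN dNSName entries plus subject CN."""
    names = set()
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        names.update(n.lower() for n in san.get_values_for_type(x509.DNSName))
    except x509.ExtensionNotFound:
        pass
    for attr in cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME):
        names.add(attr.value.lower())
    return names


def identity_matches_cert(hostname: str, domain: str, cert: x509.Certificate) -> bool:
    """True when the presented FQDN identity is one the peer's cert vouches for."""
    return ike_fqdn_identity(hostname, domain) in cert_fqdns(cert)
```

Enrolled as rthost0.example.com and renamed to rthost1, the check fails exactly as the log message describes; re-enrolling under the new name (or pinning `fqdn` under the trustpoint) restores the match.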