Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
452
Views
0
Helpful
5
Replies

DMVPN w/certificates - problems during re-keying

m.coakley
Level 1
Level 1

‎09-21-2005 04:42 AM - edited ‎03-09-2019 12:29 PM

I have setup a DMVPN hub that is using another router as its certificate server. (This document is the basic setup of the VPN headend and certificate server: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080215686.shtml)

I'm using certificate mapping to get to my ISAKMP/IPSEC profiles and placing the each VPN (multiple customers) into their own VRF instance. Everything works fine and the tunnels are established properly using the certificates. The problems comes up when the tunnels re-key after 86400 seconds, the tunnels are dropped and cannot be re-established. If I manually go into the router and go into configuration mode and issue the "cryto ca certificate validate <trustpoint>" command the certificates are re-validated and the VPN tunnels re-establish.

Anyone have any ideas?

Thanks,

Mike

Labels:
0 Helpful
5 Replies 5

smahbub
Level 6
Level 6

‎09-27-2005 06:51 AM

Check for any misconfigurations that is causing the IKE packet drops.

0 Helpful

m.coakley
Level 1
Level 1
In response to smahbub

‎09-27-2005 09:06 AM

I do not believe IKE is the issue. The failure occurs when the session is trying to validate the certificate against the local CA server. If I manually issue the "crypto ca certificate validate " command on the VPN head-end the session will work. Since I first posted the question I have setup a CRON job on a system that uses the CISCOCMD program to issue that command every 6 hours. Since I have started this my VPN sessions stay connected as expected. I would like them to stay connected without having to issue this command from a CRON job though.

Thanks,

Mike

0 Helpful

mnlatif
Level 3
Level 3
In response to m.coakley

‎10-03-2005 08:59 AM

Have you tried debugging the ISAKMP negotiation ? That would point you to the actual failure reason E.g. CRL check failing etc

I think the IKE re-negotiation occurs around 30 minutes before the expirey, so if you setup

debug crypto isakmp

debug crypto pki server (on the CA router)

debug crypto pki messages

debug crypto pki transactions

You should be able to get a reason for the failure.

\\ Naman

0 Helpful

m.coakley
Level 1
Level 1
In response to mnlatif

‎10-03-2005 11:31 AM

I have actually debugged the re-negotiation. It appears to me that the CRL check is failing. At this point since it is a new IOS CA server installation I do not have any revoked certificates so this may be the culprit. I will have to research this issue more.

Thanks,

Mike

0 Helpful

mnlatif
Level 3
Level 3
In response to m.coakley

‎10-04-2005 11:12 AM

Having no revoked certificates does not mean that you won't have a CRL. A CRL will still exist with no revoked certficates numbers.

Where is the CRL distribution Point (As specified in the Certificate) ?

Is that reachable by the Router (Who is failing the CRL check) ?

If you have hosted the CRL on the IOS router, then is it allowing the incoming packets ?

If the CRL distribution point is not reachable by the router, then you can manually define a CRL location E.g. on your DMZ Server etc. You will obviously have to copy the CRL to the DMZ server regularly though.

\\ Naman

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents