Cisco Support Community
New Member

Phase 1 Does not complete with valid certificate

I have a situation in which I have multiple CAs, and each of them has signed a certificate for my gateway.

I then try to use a VPN client with two configurations. The only difference between the configurations is the certificates that I use for VPN establishment.

With CA one, IKE negotiations complete and the VPN is established, however IKE negotiations do not complete with CA two.

When I negotiate a VPN connection using certificates signed by CA two, the log states that the certificate is valid, however I never see a message that states that PHASE 1 is complete. In fact this is the last message I see.

From IKE negotiations with CA one, the normal course of events in the log shows that the certificate gets validated, and then a log usually shows that PHASE 1 is complete. This message never appears with CA two.

I have compared the certificates issued by both CA one and two, and both seem to have the same type of information except the obvious names of each. Both are still valid.

I have the logs turned up to include all messages.

Can anyone help me determine why Phase 1 negotiation fails to complete?


Re: Phase 1 Does not complete with valid certificate

First thing I would check is the time on both the devices, CA two and gateway. They must be synchronized or at least close. There can be other reasons why Phase-I is failing apart from the authentication. Check if you have the policies (hashing algorithm, encryption method, DH group) configured to match, at least one, on both the ends. I think it depends on the version of the VPN client you are using.

New Member

Re: Phase 1 Does not complete with valid certificate

I eventually found this problem. The certificate chain was unable to complete, however the message log did not show the error since I had not turned up the log settings specifically on the IKE class.
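The resolution above (the certificate chain could not be completed, and the gateway's IKE logging was not verbose enough to say so) is easy to reproduce outside the VPN gateway, and the same tooling rules out the clock-skew cause raised in the first reply. The script below is an added example, not code from this thread or from Cisco: it builds a throwaway root → intermediate → gateway PKI with the openssl CLI (all names and files are constructed for the demo), then shows that the gateway certificate fails `openssl verify` when only the root is trusted and the intermediate is absent, and verifies once the intermediate is supplied. It assumes the openssl CLI is installed and on PATH.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce "certificate chain cannot be
# completed" with openssl, and check certificate validity dates (clock skew).
# Assumes the openssl CLI is on PATH. All names/files are constructed.

# setup_demo_pki DIR: create root CA, intermediate CA and gateway (leaf) cert in DIR.
setup_demo_pki() {
    dir="$1"
    cat > "$dir/ca_ext.cnf" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
EOF
    cat > "$dir/leaf_ext.cnf" <<'EOF'
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth,clientAuth
EOF
    # Self-signed root CA (constructed name)
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$dir/root.csr" -signkey "$dir/root.key" \
        -extfile "$dir/ca_ext.cnf" -out "$dir/root.crt" 2>/dev/null
    # Intermediate CA signed by the root
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Intermediate CA" \
        -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$dir/int.csr" \
        -CA "$dir/root.crt" -CAkey "$dir/root.key" -CAcreateserial \
        -extfile "$dir/ca_ext.cnf" -out "$dir/int.crt" 2>/dev/null
    # Gateway certificate signed by the intermediate (constructed hostname)
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=vpn-gateway.example.test" \
        -keyout "$dir/gw.key" -out "$dir/gw.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$dir/gw.csr" \
        -CA "$dir/int.crt" -CAkey "$dir/int.key" -CAcreateserial \
        -extfile "$dir/leaf_ext.cnf" -out "$dir/gw.crt" 2>/dev/null
}

# chain_verify LEAF TRUST_ANCHOR [UNTRUSTED_INTERMEDIATE]
# Exit 0 only when openssl can build a complete chain from LEAF up to TRUST_ANCHOR.
chain_verify() {
    leaf="$1"; anchor="$2"; inter="${3:-}"
    if [ -n "$inter" ]; then
        openssl verify -CAfile "$anchor" -untrusted "$inter" "$leaf" >/dev/null 2>&1
    else
        openssl verify -CAfile "$anchor" "$leaf" >/dev/null 2>&1
    fi
}

# not_expired CERT: exit 0 if CERT is within its validity period right now.
# A failure here on a cert that "looks valid" usually means clock skew between peer and CA.
not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# show_names CERT: print subject and issuer, which is how you spot the missing link.
show_names() {
    openssl x509 -in "$1" -noout -subject -issuer
}

# Stand-alone demonstration
demo_dir=$(mktemp -d)
setup_demo_pki "$demo_dir"
show_names "$demo_dir/gw.crt"
if chain_verify "$demo_dir/gw.crt" "$demo_dir/root.crt"; then
    echo "root only: verified (unexpected)"
else
    echo "root only: chain cannot be completed (issuer 'Demo Intermediate CA' not available)"
fi
if chain_verify "$demo_dir/gw.crt" "$demo_dir/root.crt" "$demo_dir/int.crt"; then
    echo "root + intermediate: chain complete, gateway certificate verifies"
fi
not_expired "$demo_dir/gw.crt" && echo "gateway certificate is within its validity period"
rm -rf "$demo_dir"
```

The first `chain_verify` call is the situation the thread describes: the leaf is signed by a CA the verifier has never seen, so validation stops at the leaf even though every field in it looks fine. On a gateway, the equivalent fix is to install the intermediate (or the full chain) in the trustpoint, and the equivalent diagnostic is to raise logging for the IKE/certificate components so the "unable to get issuer" condition is actually reported rather than silently ending Phase 1.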
