The responder likes this cert and authenticates the peer...then sends its cert back (signed by CA_group_doe) to the initiator. At this point it looks as though the initiator does not like the cert received and wants to go back to a key exchange, thus the MM_KEY_EXCH retransmits in the debugs.
So... what happens during the 5th and 6th messages of an RSA IKE P1 negotiation (messages 1 through 4 are the same regardless of PSK or RSA auth)? The 5th message should be the initiator sending authentication material and ID - i.e. its Signature, a Certificate payload, and an Identity payload (such as hostname or IP). The 6th message should be the responder sending roughly the same packet back to the initiator with the Signature, Cert payload, and ID payload fields updated.
So, based on that, it appears that the initiator does not like one of the three things above. The signature is invalid, the certificate payload is incorrect, or it does not like the identity listed of the peer.
I'm sure you've already done this, but I'll reiterate just in case...
1. Verify the CA cert is valid on both peers.
2. Verify that the OU and O fields of the peer certs are identical on both sides.
3. Try removing the following, "crypto isakmp identity hostname" on both peers. This typically only helps when each side needs a distinguishing characteristic to determine what ISAKMP profile to match the peer to (at least in my understanding). Useful for PSKs, but I don't think you'll need it for RSA Sigs.
4. You might try changing the following, "rsakeypair group_rsa_key" under your trustpoint config to "rsakeypair group CA_group_doe" to reference what keychain to use. By default, I believe the router will use the FQDN certificate - which may be why the router is still functioning partly.
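As an added example (not from the thread or from the poster), a small Python check for items 1 and 2 of that list: it parses the Issuer, Subject and validity blocks of two routers' `show crypto pki certificates` listings and reports whether both certs are valid on a given date, were issued by the same CA, and carry the same OU= and O= values. The two listings below are constructed samples in the assumed layout of that command's output, not captures from the routers discussed.

```python
import re
from datetime import datetime

# Constructed sample in the layout of `show crypto pki certificates`;
# not captured from the routers discussed in the thread.
PEER_A = """\
Certificate
  Status: Available
  Issuer:
    cn=CA_group_doe
  Subject:
    Name: rtr-a.doe.example
    hostname=rtr-a.doe.example
    ou=VPN
    o=DOE
  Validity Date:
    start date: 00:00:00 UTC Jan 1 2024
    end   date: 23:59:59 UTC Dec 31 2025
  Associated Trustpoints: CA_group_doe
"""
# Second peer: same CA, but enrolled with a different OU= (the mismatch item 2 catches).
PEER_B = PEER_A.replace("rtr-a", "rtr-b").replace("ou=VPN", "ou=Branch")

def _attrs(block):
    """Turn the key=value lines of an Issuer or Subject block into a dict."""
    return dict(re.findall(r"^\s*([A-Za-z]+)=(.*?)\s*$", block, re.M))

def parse_cert(text):
    """Pull issuer, subject and validity window out of one certificate listing."""
    issuer = text.split("Issuer:", 1)[1].split("Subject:", 1)[0]
    subject = text.split("Subject:", 1)[1].split("Validity Date:", 1)[0]
    dates = re.findall(r"(?:start|end)\s+date:\s+(\d\d:\d\d:\d\d) \S+ (\w+ \d+ \d{4})", text)
    start, end = (datetime.strptime(f"{t} {d}", "%H:%M:%S %b %d %Y") for t, d in dates)
    return {"issuer": _attrs(issuer), "subject": _attrs(subject), "start": start, "end": end}

def check_peers(text_a, text_b, now_iso):
    """Return findings for checklist items 1 and 2; an empty list means both pass."""
    now = datetime.fromisoformat(now_iso)
    a, b = parse_cert(text_a), parse_cert(text_b)
    findings = []
    for name, c in (("A", a), ("B", b)):
        if not c["start"] <= now <= c["end"]:
            findings.append(f"peer {name}: certificate not valid on {now_iso}")
    if a["issuer"] != b["issuer"]:
        findings.append("peers were issued by different CAs")
    for field in ("ou", "o"):
        if a["subject"].get(field) != b["subject"].get(field):
            findings.append(f"subject {field.upper()}= differs: "
                            f"{a['subject'].get(field)!r} vs {b['subject'].get(field)!r}")
    return findings
```

Run `check_peers(PEER_A, PEER_B, "2025-06-01")` to see the OU mismatch reported; paste your own two listings in place of the samples to check a real pair.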