New Member

Problem with CA certificate request !!

Hi Cisco Comrades,

In a lab environment I am trying to set up a router-to-router VPN connection with CA authentication.

1st problem:

When enrolling with the CA (Server 2003 CA), both routers received the requested certificates, but with a log message that the certificate enrollment request was rejected, and the CA management console doesn't show any info under either "Issued Certificates" or "Failed Requests".

Here is the output:

*****

R3(ca-trustpoint)#cry ca auth myca
Certificate has the following attributes:
Fingerprint: 7621D1D8 B8C7FA81 D08DDAE7 DBE22779
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
R3(config)#cry ca enroll myca
...
% The 'show crypto ca certificate' command will also show the fingerprint.
R3(config)#
Signing Certificate Reqeust Fingerprint:
DC477448 9DB46518 587E1142 FC086987
Encryption Certificate Request Fingerprint:
25EEE021 1F4A359F 89C9D650 F04651D2
Jun 23 13:56:00.947: %CRYPTO-6-CERTREJECT: Certificate enrollment request was rejected by Certificate Authority
Jun 23 13:56:12.550: %CRYPTO-6-CERTREJECT: Certificate enrollment request was rejected by Certificate Authority

*****

And the command "sh cry key pub rsa" on both routers shows me the requested certificate from my CA.

2nd problem (I guess the result of the first): failed phase I authentication:

*****

Jun 23 15:06:12.676: ISAKMP: received ke message (1/1)
Jun 23 15:06:12.680: ISAKMP (0:0): SA request profile is (NULL)
Jun 23 15:06:12.680: ISAKMP: local port 500, remote port 500
Jun 23 15:06:12.680: ISAKMP: set new node 0 to QM_IDLE
Jun 23 15:06:12.680: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 820DF85C
Jun 23 15:06:12.684: ISAKMP (0:2): Can not start Aggressive mode, trying Main mode.
Jun 23 15:06:12.684: ISAKMP: Looking for a matching key for 100.0.0.101 in default
Jun 23 15:06:12.684: ISAKMP (0:2): No pre-shared key with 100.0.0.101!
Jun 23 15:06:12.684: ISAKMP (0:2): constructed NAT-T vendor-03 ID
Jun 23 15:06:12.684: ISAKMP (0:2): constructed NAT-T vendor-02 ID
Jun 23 15:06:12.684: ISAKMP (0:2): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Jun 23 15:06:12.688: ISAKMP (0:2): Old State = IKE_READY New State = IKE_I_MM1
Jun 23 15:06:12.688: ISAKMP (0:2): beginning Main Mode exchange
Jun 23 15:06:12.688: ISAKMP (0:2): sending packet to 100.0.0.101 my_port 500 peer_port 500 (I) MM_NO_STATE
Jun 23 15:06:12.748: ISAKMP (0:2): received packet from 100.0.0.101 dport 500 sport 500 Global (I) MM_NO_STATE
Jun 23 15:06:12.748: ISAKMP (0:2): Notify has no hash. Rejected.
Jun 23 15:06:12.748: ISAKMP (0:2): Unknown Input: state = IKE_I_MM1, major, minor = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Jun 23 15:06:12.752: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 100.0.0.101 ..
Jun 23 15:06:15.320: ISAKMP (0:1): purging node 860992987
Jun 23 15:06:15.320: ISAKMP (0:1): purging node 1111530323...
Success rate is 0 percent (0/5)
R3#
Jun 23 15:06:25.320: ISAKMP (0:1): purging SA., sa=820DF1D8, delme=820DF1D8un all
All possible debugging has been turned off

*****

Note: both routers are synchronized with the CA.

Any idea?

Thank you

2 REPLIES
New Member

Re: Problem with CA certificate request !!

Here is some info that can help with troubleshooting:

Debug from the other peer:

****

01:25:14: ISAKMP: No cert, and no keys (public or pre-shared) with remote peer 100.0.0.102

****

One IOS is > 12.3, the other one < 12.3; I guess this will not affect the compatibility.
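As an added example (not from this thread, the posters, or Cisco), here is a small Python triage script for the kind of console output pasted in the original post and in the reply above. It first re-joins records that the 80-column terminal wrapped mid-word ("re / jected", "mino / r"), then flags the PKI and IKE phase 1 failure signatures seen in both posts (CERTREJECT, "No pre-shared key with", "No cert, and no keys", "Notify has no hash", IKMP_MODE_FAILURE) and gives a combined verdict. The sample lines are constructed from the excerpts in this thread; the per-signature readings and the verdict text are my interpretation, not Cisco documentation.

```python
import re

# Constructed sample: debug excerpts as pasted in this thread, including the
# 80-column console wraps that split "re/jected" and "mino/r" across lines,
# plus a ping result line that is NOT a continuation of the preceding record.
SAMPLE_DEBUG = """\
Jun 23 13:56:00.947: %CRYPTO-6-CERTREJECT: Certificate enrollment request was re
jected by Certificate Authority
Jun 23 15:06:12.684: ISAKMP: Looking for a matching key for 100.0.0.101 in defau
lt
Jun 23 15:06:12.684: ISAKMP (0:2): No pre-shared key with 100.0.0.101!
Jun 23 15:06:12.748: ISAKMP (0:2): Notify has no hash. Rejected.
Jun 23 15:06:12.748: ISAKMP (0:2): Unknown Input: state = IKE_I_MM1, major, mino
r = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Jun 23 15:06:12.752: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mo
de failed with peer at 100.0.0.101 ..
Jun 23 15:06:15.320: ISAKMP (0:1): purging node 1111530323...
Success rate is 0 percent (0/5)
01:25:14: ISAKMP: No cert, and no keys (public or pre-shared) with remote peer 100.0.0.102
"""

# An IOS record starts with a timestamp: "Mon DD HH:MM:SS.mmm:" when the clock
# is set (optionally prefixed with '*' when not authoritative) or uptime "HH:MM:SS:".
RECORD_START = re.compile(
    r"^\*?(?:[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}|\d{2}:\d{2}:\d{2}):"
)

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"

# (pattern, finding code, defender's reading). The readings are my own
# interpretation of the messages in this thread, not Cisco documentation.
SIGNATURES = [
    (re.compile(r"%CRYPTO-6-CERTREJECT"), "cert-rejected",
     "CA rejected the enrollment request, so this router has no identity certificate"),
    (re.compile(r"No pre-shared key with " + IP), "no-psk",
     "no pre-shared key for this peer; harmless under rsa-sig only if a valid identity certificate exists"),
    (re.compile(r"No cert, and no keys .*remote peer " + IP), "no-credentials",
     "peer has neither a certificate nor a key for us; it cannot authenticate phase 1 either"),
    (re.compile(r"Notify has no hash\. Rejected\."), "unauth-notify",
     "peer sent an unauthenticated informational notify during main mode, typically an error report"),
    (re.compile(r"%CRYPTO-6-IKMP_MODE_FAILURE.*peer at " + IP), "mode-failure",
     "IKE exchange aborted with this peer"),
]


def unwrap(text, width=80):
    """Re-join console output that the terminal wrapped at `width` columns.

    A line that does not start with a timestamp is treated as the tail of the
    previous record only when that record was filled to exactly `width`
    characters; otherwise it is a standalone line (prompt, ping result, ...).
    """
    records = []
    for line in text.splitlines():
        if records and not RECORD_START.match(line) and len(records[-1]) == width:
            records[-1] += line
        else:
            records.append(line)
    return records


def triage(text):
    """Return one finding per record that matches a signature, in log order."""
    findings = []
    for record in unwrap(text):
        for pattern, code, reading in SIGNATURES:
            match = pattern.search(record)
            if match:
                findings.append({
                    "code": code,
                    "peer": match.group(1) if match.groups() else None,
                    "reading": reading,
                    "record": record,
                })
                break
    return findings


def verdict(findings):
    """One-line conclusion for the combination of findings seen."""
    codes = {f["code"] for f in findings}
    if "cert-rejected" in codes and codes & {"no-psk", "no-credentials"}:
        return ("phase 1 cannot authenticate: the policy expects RSA signatures, "
                "but enrollment was rejected and there is no pre-shared key to fall back on")
    if "cert-rejected" in codes:
        return "enrollment rejected; check the CA's failed-request log and the enrollment password"
    if codes & {"no-psk", "no-credentials"}:
        return "no credential for the peer; verify the certificate or pre-shared key on both routers"
    return "no PKI or IKE authentication failure signature found"


if __name__ == "__main__":
    found = triage(SAMPLE_DEBUG)
    for f in found:
        print(f"{f['code']:15} peer={f['peer'] or '-':12} {f['reading']}")
    print("verdict:", verdict(found))
```

Feed it the raw `debug crypto isakmp` / `debug crypto pki` capture from each peer and compare the verdicts: for the two captures in this thread it reports that neither router holds a credential the other side can use, which matches the "No cert, and no keys" line from the second peer.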

New Member

Re: Problem with CA certificate request !!

I resolved the problem partially: there is no more enrollment rejection from the CA; I had to enroll with different passwords (different accounts on the CA). But IKE phase 1 still fails, and the CA management console does not show any trace of the enrollment!!
