Unable to authenticate certs after MSCEP reinstall
The CEP certificate on our CA expired and, not being able to renew it, we were told to re-install the MSCEP program. This meant we were able to auto-enrol certificates from the Cisco VPN client but there was a problem actually using them. There is only one CA.
The VPN concentrators are both Cisco VPN 3000 series. The existing unit has certificates issued prior to SCEP re-install, the new (spare) unit has freshly cut certificates.
Certificates issued both manually and via MSCEP will not authenticate on the existing VPN concentrator. They are able to authenticate against the spare concentrator. Existing certificates are able to authenticate against the existing concentrator but not against the spare.
In each case the client shows the same error: "Received un-encrypted ISAKMP packet, but our SA is crypto active". The spare concentrator's error log complains: "Unable to complete certificate chain, reason = Incomplete certificate chain"