Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

Unable to authenticate certs after MSCEP reinstall

The CEP certificate on our CA expired and, not being able to renew it, we were told to re-install the MSCEP program. This meant were able to auto-enrol certificates from the Cisco VPN client but there was a problem actually using them. There is only one CA.

The VPN concentrators are both Cisco VPN 3000 series. The existing unit has certificates issued prior to SCEP re-install, the new (spare) unit has freshly cut certificates.

Certificates issued both manually and via MSCEP will not authenticate on the existing VPN concentrator. They are able to authenticate against the spare concentrator. Existing certificates are able to authenticate against the existing concentrator but not against the spare.

In each case the client shows the same error – Received un-encrypted ISAKPM packet, but our SA is crypto active. The spare concentrator’s error log complains: “Unable to complete certificate chain, reason = Incomplete certificate chain”

CreatePlease to create content