Re: WAAS Express registration troubleshooting

jalen · ‎03-20-2011

dear Experts

The CISCO1941 Router can't registrat to the CM , how to troubleshooting...

R19-WEX#waas cm-register https://10.202.250.200:8443/wcm/register
R19-WEX#
*Mar 21 11:44:45.383: %WAAS-3-WAAS_CM_REGISTER_FAILED: IOS-WAAS registration with Central Manager failed for the following reason: WAAS Express device certificate is not yet valid.10.10.10.91
R19-WEX#

Michael Korenbaum · ‎03-22-2011

Hi,

It seems you forgot to do step 3 listed in the configuration guide:

http://www.cisco.com/en/US/docs/app_ntwk_services/waas/waas/v431/configuration/guide/other.html#wp1062469

Step 3 is configure a persistent self-signed certificate, the details on how to do this are documented below.

http://www.cisco.com/en/US/docs/app_ntwk_services/waas/waas/v431/configuration/guide/other.html#wp1063273

Regards,

Mike Korenbaum

Cisco WAAS PDI Help Desk

http://www.cisco.com/go/pdihelpdesk

jalen · ‎03-22-2011

dear Mike

I'm not forget the step 3 ; now i erase and re-config it but still can't ..

R19-WAE(config)#crypto pki trustpoint WCM
R19-WAE(ca-trustpoint)#enrollment terminal pem
R19-WAE(ca-trustpoint)#exit
R19-WAE(config)#crypto pki authenticate WCM

Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----
MIIDiTCCAvKgAwIBAgIBFDANBgkqhkiG9w0BAQUFADCBkDELMAkGA1UEBhMCVVMx
.....
0hab/8LpIBsam8zbBiQs6WisAfOmCfKmAptlYSe/21OVlOKuLGLHKw3mOO/D
-----END CERTIFICATE-----

Certificate has the following attributes:
Fingerprint MD5: 244BEDD2 6CDF980A AED0C7C9 AAB27CAB
Fingerprint SHA1: B2C157E7 61C89AB8 636DABF7 C28F3927 3311D7C2

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported

R19-WAE(config)#ip domain-name waas.local
R19-WAE(config)#crypto pki trustpoint R19-WAE
R19-WAE(ca-trustpoint)#enrollment selfsigned
R19-WAE(ca-trustpoint)#rsakeypair R19 1024
R19-WAE(ca-trustpoint)#exit
R19-WAE(config)#crypto pki enroll R19-WAE
% Include the router serial number in the subject name? [yes/no]:
% Include an IP address in the subject name? [no]: yes
Enter Interface name or IP Address[]: 10.10.10.91
Generate Self Signed Router Certificate? [yes/no]: yes

Router Self Signed Certificate successfully created

R19-WAE(config)#ip http secure-server
R19-WAE(config)#ip http authentication local
R19-WAE(config)#end
R19-WAE#
R19-WAE#waas cm-register https://10.202.250.200:8443/wcm/register
R19-WAE#
*Mar 23 11:06:23.643: %WAAS-3-WAAS_CM_REGISTER_FAILED: IOS-WAAS registration with Central Manager failed for the following reason: WAAS Express device certificate is not yet valid.10.10.10.91
R19-WAE#wr
Building configuration...
[OK]
R19-WAE#
R19-WAE#waas cm-register https://10.202.250.200:8443/wcm/register
R19-WAE#
*Mar 23 11:06:56.583: %WAAS-3-WAAS_CM_REGISTER_FAILED: IOS-WAAS registration with Central Manager failed for the following reason: WAAS Express device certificate is not yet valid.10.10.10.91
R19-WAE#

Michael Korenbaum · ‎03-24-2011

Try removing the wcm trustpoint you created, and recreate it, but this time when you import the PEM certificate do NOT include the lines ---Begin Certicate--- and ----End Certificate----. Just paste the information between those two lines and hit enter.

I just ran through this procedure in my lab and had no problems registering my 1941 WAAS Express device to the CM.

Regards,

Mike

pevaneyn · ‎03-28-2011

Hello,

From the "not yet valid" part I'm suspecting that maybe you have a time/date issue?

What is the time on the router and on the CM, are they in sync?

You can check the validity of the certificate with:

cdn-1941-1#show crypto pki certificates | i Trustpoint|date

start date: 04:20:57 UTC Feb 13 2011

end date: 00:00:00 UTC Jan 1 2020

Associated Trustpoints: TP-self-signed-1975700381

start date: 16:23:22 UTC Dec 17 2010

end date: 16:23:22 UTC Dec 16 2015

Associated Trustpoints: cdn-wave-274-1

do they make sense?

Best regards, Peter