PKI Issue with APIC-EM 1.3 + IWAN

Hilario Martin
Level 4

Hi,

After upgrading (reinstalling) from EM version 1.2 to 1.3, we have tried to deploy IWAN with 2 remote sites and 2 service providers (DCs).

We have no problems deploying the HUB site, but we have an issue with TRANSIT-HUB-1 with this error:

Router debug:

*Oct 27 13:08:25.251 GMT: CRYPTO_PKI: status = 0x747(E_EOS : end of i/o stream): Imported PKCS12 file failure

*Oct 27 13:08:25.251 GMT: %PKI-6-PKCS12IMPORT_FAIL: PKCS #12 Import Failed.

APIC-EM Audit:

Underlay and Overlay configuration in site TRANSIT-HUB-1 failed. PKI configuration failed for device 10.X.X.1

Failed to download PKCS12

We have tested this topology before with version 1.2 and it was working as expected.

Any idea about it?

Thanks in advance.

Accepted Solution

Hilario Martin
Level 4

Sorry, it is resolved; it was a routing EM issue.

Regards.


11 Replies


cchitnis
Cisco Employee

So long as the correct configuration is pushed from the apic-em-pki-broker service through apic-em-network-programmer on behalf of iWAN Manager (visibility-service), the actual download of the PKCS12 certs would depend on routing, firewalling, etc. between the actual device and the APIC-EM controller.

Alex Pfeil
Level 7

Can you be more specific on the fix? I am running into the same issue.

Thanks,

Alex

Make sure you have reachability from APIC-EM via both the underlay and overlay IP address ranges on the device.
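The replies above reduce the failure to two things an operator can check: whether the router log actually carries the PKCS12 / enrollment failure signatures quoted in this thread, and whether routes exist in both directions (device to controller, controller to the device's underlay and overlay addresses). The following script is an added illustration, not code from this thread, from Cisco, or from APIC-EM. It classifies log text against the three failure strings that appear on this page and does a longest-prefix-match check over route tables supplied as prefix strings. The controller and device addresses, the route lists, the label names in `PKI_FAILURE_PATTERNS`, and the function names are all constructed for the example.

```python
import ipaddress
import re

# Constructed sample input: the router syslog lines and APIC-EM audit text
# quoted earlier in this thread, joined into one blob for the example.
SAMPLE_LOG = """\
*Oct 27 13:08:25.251 GMT: CRYPTO_PKI: status = 0x747(E_EOS : end of i/o stream): Imported PKCS12 file failure
*Oct 27 13:08:25.251 GMT: %PKI-6-PKCS12IMPORT_FAIL: PKCS #12 Import Failed.
Underlay and Overlay configuration in site TRANSIT-HUB-1 failed. PKI configuration failed for device 10.X.X.1
Failed to download PKCS12
"""

# The three failure signatures that appear in this thread. The dict keys are
# labels chosen for this example, not Cisco message names.
PKI_FAILURE_PATTERNS = {
    "pkcs12_import": re.compile(r"%PKI-6-PKCS12IMPORT_FAIL|Imported PKCS12 file failure"),
    "pkcs12_download": re.compile(r"Failed to download PKCS12"),
    "enrollment": re.compile(r"trust-point create: enrollment failed"),
}


def classify_pki_failures(text):
    """Return the set of failure labels whose signature occurs anywhere in `text`."""
    found = set()
    for line in text.splitlines():
        for label, pattern in PKI_FAILURE_PATTERNS.items():
            if pattern.search(line):
                found.add(label)
    return found


def longest_match(routes, ip):
    """Longest-prefix match of `ip` against an iterable of prefix strings.

    Returns the matching ipaddress network, or None when no route covers `ip`.
    """
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return best


def reachability_checks(controller_ip, controller_routes, device_underlay_ip,
                        device_overlay_ip, device_routes):
    """Route-table view of the reachability the thread says the PKCS12 download needs.

    Returns a dict of check name -> bool:
      device->controller     the device has a route toward the controller
      controller->underlay   the controller has a route to the device's underlay address
      controller->overlay    the controller has a route to the device's overlay (tunnel) address
    """
    return {
        "device->controller": longest_match(device_routes, controller_ip) is not None,
        "controller->underlay": longest_match(controller_routes, device_underlay_ip) is not None,
        "controller->overlay": longest_match(controller_routes, device_overlay_ip) is not None,
    }


def missing_reachability(checks):
    """Names of the checks that failed, in a stable order."""
    return sorted(name for name, ok in checks.items() if not ok)


# Constructed addresses from documentation / private ranges, not from the thread.
# The controller deliberately lacks a route to the overlay range, which is the
# misconfiguration the replies above describe.
CONTROLLER_IP = "192.0.2.10"
CONTROLLER_ROUTES = ["192.0.2.0/24", "198.51.100.0/24"]
DEVICE_UNDERLAY_IP = "198.51.100.1"
DEVICE_OVERLAY_IP = "10.0.0.1"
DEVICE_ROUTES = ["198.51.100.0/24", "192.0.2.0/24", "10.0.0.0/8"]


def diagnose(log_text=SAMPLE_LOG):
    """Combine the log classification with the route checks into one report."""
    checks = reachability_checks(CONTROLLER_IP, CONTROLLER_ROUTES,
                                 DEVICE_UNDERLAY_IP, DEVICE_OVERLAY_IP, DEVICE_ROUTES)
    return {
        "failures": classify_pki_failures(log_text),
        "missing_reachability": missing_reachability(checks),
    }


if __name__ == "__main__":
    report = diagnose()
    print("PKI failures seen:", sorted(report["failures"]))
    print("Reachability gaps:", report["missing_reachability"])
```

On the constructed input the report lists the `pkcs12_import` and `pkcs12_download` signatures and flags `controller->overlay` as the missing route, which matches the situation the replies describe: the device can reach the controller, but the controller has no path to the overlay range. In real use the route lists would be filled from the controller host's and the router's routing tables, and a `longest_match` result of None is the cue to look at routing or firewalling before re-running the PKI push.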

If the device is only accessible from a public IP, how can the underlay and overlay IP address ranges be reachable before the DMVPN tunnel is created?

Hello, did you get an answer for this?

I am also in the same fix; please suggest.

Hello, can you elaborate please? I am able to ping my remote site devices from APIC-EM and vice versa.

I already provisioned 3 sites with the same settings, with no version change on APIC-EM, but started getting messages like:

PKI configuration in site XXXX for device XXXX failed. trust-point create: enrollment failed

I am using APIC-EM version 1.6.0.

An immediate response would be appreciated, as I am stuck in the middle of deployments.

Hello!

Can you help me with this? I have the same problem, so I need to know how you resolved it. I would appreciate any help.

Thank you,

Jatinder, Diana,
I have not worked on the APIC-EM iWAN App for more than a year now; however, as this thread suggests, the only problem I can see with this is routing not being set up correctly. As Adam suggests above, make sure you have reachability from APIC-EM via both the underlay and overlay IP address ranges on the device.

cchitnis, thanks for your reply.

The problem is, I have connectivity from APIC to the branch; my error is the following:

Underlay and overlay configuration in site xxx failed

PKI configuration failed for device Y.Y.Y.Y

Even when the branch WAN was not configured with the loopback interface, the APIC was not able to push any kind of configuration into the branch.

Best Regards,

You are probably running into https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvk38328

TAC can help you to fix this.