05-26-2003 11:38 PM - edited 02-20-2020 10:45 PM
I am trying to get the CRL on a Router 3620 with IOS 12.2(11)T6 (c3620-ik9s-mz.122-11.T6.bin), but the LDAP request seems to be sent to 255.255.255.255, not to the right address, 10.10.2.49!
The configuration looks like this:
ip domain name lmt.lv
ip host tau.2k.mydom.net 10.10.2.49
ip host tau 10.10.2.49
!
crypto ca trustpoint LMT-PKI
enrollment mode ra
enrollment url http://tau:80/certsrv/mscep/mscep.dll
usage ike
serial-number
ip-address 10.10.90.240
crl query ldap://10.10.2.49
If I try to get the CRL, it seems the router is trying LDAP on the broadcast address. Output of "debug crypto pki transactions":
r-c3620-vpn1(config)#crypto ca crl request LMT-PKI
r-c3620-vpn1(config)#ldap search: server=255.255.255.255, base=CN=TestCA,CN=tau,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=2k,DC=mydom,DC=net, attribute=certificateRevocationList
: scope=0, filter=objectclass=cRLDistributionPoint
May 26 16:37:58.993: CRYPTO_PKI:ldap_bind ERROR: status = 82
May 26 16:37:58.993: CRYPTO_PKI: ldap bind error: status = 82
May 26 16:37:58.993: CRYPTO_PKI: transaction GetCRL completed
I suppose it should go to the address specified with "crl query ldap://10.10.2.49", but it does not?
I have successfully got the certificates of the CA and the router itself:
r-c3620-vpn1>show crypto ca certificates
Certificate
Status: Available
Certificate Serial Number: 610D081E000000000009
Certificate Usage: General Purpose
Issuer:
CN = TestCA
OU = LMT-VPN
O = LMT-VPN
L = Riga
ST = Riga
C = LV
EA =<16> user@domain.lv
Subject:
Name: r-c3620-vpn1.lmt.lv
IP Address: 10.10.90.240
Serial Number: 21464125
OID.1.2.840.113549.1.9.2 = r-c3620-vpn1.lmt.lv
OID.1.2.840.113549.1.9.8 = 10.10.90.240
OID.2.5.4.5 = 21464125
CRL Distribution Point:
ldap:///CN=TestCA,CN=tau,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=2k,DC=mydom,DC=net?certificateRevocationList?base?objectclass=cRLDistributionPoint
Validity Date:
start date: 14:29:10 EEST May 15 2003
end date: 14:29:10 EEST May 14 2005
renew date: 02:00:00 EET Jan 1 1970
Associated Trustpoints: LMT-PKI
CA Certificate
Status: Available
Certificate Serial Number: 49F2340E73872AB44CCAD9CB46657697
Certificate Usage: General Purpose
Issuer:
CN = TestCA
OU = LMT-VPN
O = LMT-VPN
L = Riga
ST = Riga
C = LV
EA =<16> user@domain.lv
Subject:
CN = TestCA
OU = LMT-VPN
O = LMT-VPN
L = Riga
ST = Riga
C = LV
EA =<16> user@domain.lv
CRL Distribution Point:
ldap:///CN=TestCA,CN=tau,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=2k,DC=mydom,DC=net?certificateRevocationList?base?objectclass=cRLDistributionPoint
Validity Date:
start date: 12:25:09 EEST May 15 2003
end date: 12:30:06 EEST May 15 2005
Associated Trustpoints: LMT-PKI
Can anybody tell me where my fault is?
Many thanks!
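The CRL Distribution Point in both certificates above is host-less (ldap:///DN?attribute?scope?filter), so the only place the router can get a server from is the "crl query ldap://10.10.2.49" line; the debug shows that this build did not do that and searched 255.255.255.255 instead. As an added example (not Cisco IOS code and not from the original post), the Python below parses that RFC 4516-style LDAP URL and applies the fallback a CRL client should apply: use the host in the CDP if there is one, otherwise the configured "crl query" server, and refuse rather than guess when neither gives a host. The function names and the port-3268 test URL are assumptions for illustration; the CDP string and the 10.10.2.49 value are copied from the post.

```python
# Added example (not Cisco IOS code, not from the original post): parse the
# ldap:/// CRL Distribution Point shown by "show crypto ca certificates" and
# decide which LDAP server a CRL fetch should go to.
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import unquote, urlsplit

# RFC 4516 scope keywords mapped to the numeric values the LDAP protocol
# carries; IOS debug prints the numeric form ("scope=0" for a base search).
SCOPE_CODES = {"base": 0, "one": 1, "sub": 2}


@dataclass
class LdapUrl:
    host: Optional[str]      # None for a host-less "ldap:///..." URL
    port: int
    base_dn: str
    attributes: List[str]
    scope: str
    filter: str


def parse_ldap_url(url: str) -> LdapUrl:
    """Split an RFC 4516 LDAP URL: ldap://host:port/dn?attrs?scope?filter."""
    parts = urlsplit(url)
    if parts.scheme != "ldap":
        raise ValueError(f"not an ldap:// URL: {url}")
    # urlsplit leaves "/dn" in .path and "attrs?scope?filter" in .query
    base_dn = unquote(parts.path.lstrip("/"))
    fields = parts.query.split("?") if parts.query else []
    attrs = [a for a in fields[0].split(",") if a] if fields else []
    scope = fields[1] if len(fields) > 1 and fields[1] else "base"
    if scope not in SCOPE_CODES:
        raise ValueError(f"bad scope {scope!r} in {url}")
    filt = unquote(fields[2]) if len(fields) > 2 and fields[2] else "(objectClass=*)"
    return LdapUrl(parts.hostname or None, parts.port or 389, base_dn, attrs, scope, filt)


def choose_crl_server(cdp_url: str, crl_query_url: Optional[str]) -> Tuple[str, int]:
    """Return (host, port) for the CRL fetch.

    A CDP of the form ldap:///DN names no server, so the client must use the
    one configured with 'crl query ldap://...'.  If that is missing too there
    is nothing sensible to contact, so fail loudly instead of guessing.
    """
    cdp = parse_ldap_url(cdp_url)
    if cdp.host:
        return cdp.host, cdp.port
    if crl_query_url:
        cfg = parse_ldap_url(crl_query_url)
        if cfg.host:
            return cfg.host, cfg.port
    raise ValueError("CDP URL has no host and no 'crl query' server is configured")


def describe_search(cdp_url: str, crl_query_url: Optional[str]) -> str:
    """Render the resulting search in the same shape as the IOS debug line."""
    cdp = parse_ldap_url(cdp_url)
    host, port = choose_crl_server(cdp_url, crl_query_url)
    return (f"ldap search: server={host}:{port}, base={cdp.base_dn}, "
            f"attribute={','.join(cdp.attributes)}, scope={SCOPE_CODES[cdp.scope]}, "
            f"filter={cdp.filter}")


# CDP string copied from the certificates in the post; 'crl query' value from the config.
CDP_URL = ("ldap:///CN=TestCA,CN=tau,CN=CDP,CN=Public%20Key%20Services,CN=Services,"
           "CN=Configuration,DC=2k,DC=mydom,DC=net?certificateRevocationList?base"
           "?objectclass=cRLDistributionPoint")
CRL_QUERY = "ldap://10.10.2.49"

if __name__ == "__main__":
    print(describe_search(CDP_URL, CRL_QUERY))
```

Run it and the search line comes out with server=10.10.2.49:389 and the same base, attribute, scope=0 and filter the debug printed; remove the "crl query" argument and it raises instead of picking a broadcast address.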
05-27-2003 07:38 PM
Upgrade the code to 12.2(13)T or higher to get the fix.
Jazib
05-28-2003 11:35 PM
Thanks for the advice! It helped. Actually, this is quite often my favourite suggestion: try upgrading IOS if somebody is complaining about bugs in IOS. This time I failed to advise myself :-) The confusion was caused because I was looking in Feature Navigator for the feature "Easy VPN Server" with the smallest feature set for 3DES, which was "IP Plus IPSec 3DES", and the only release Cisco offered was 12.2(11)T! After your advice I looked again at Feature Navigator, and it turned out that there is 12.2(13)T, but only as IP/FW/IDS PLUS IPSEC 3DES. After upgrading to this release, CRLs and LDAP started to work.