CRL question, LDAP request goes to 255.255.255.255

jlacis
Level 1

I am trying to get the CRL on a Router 3620 with IOS 12.2(11)T6 (c3620-ik9s-mz.122-11.T6.bin), but the LDAP request seems to be sent to 255.255.255.255, not to the right address, 10.10.2.49!

The configuration looks like this:

ip domain name lmt.lv
ip host tau.2k.mydom.net 10.10.2.49
ip host tau 10.10.2.49
!
crypto ca trustpoint LMT-PKI
 enrollment mode ra
 enrollment url http://tau:80/certsrv/mscep/mscep.dll
 usage ike
 serial-number
 ip-address 10.10.90.240
 crl query ldap://10.10.2.49

If I try to get the CRL, it seems the router is trying LDAP on the broadcast address. Output of "debug crypto pki transactions":

r-c3620-vpn1(config)#crypto ca crl request LMT-PKI
r-c3620-vpn1(config)#ldap search: server=255.255.255.255, base=CN=TestCA,CN=tau,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=2k,DC=mydom,DC=net, attribute=certificateRevocationList
: scope=0, filter=objectclass=cRLDistributionPoint
May 26 16:37:58.993: CRYPTO_PKI:ldap_bind ERROR: status = 82
May 26 16:37:58.993: CRYPTO_PKI: ldap bind error: status = 82
May 26 16:37:58.993: CRYPTO_PKI: transaction GetCRL completed

I suppose it should go to the address specified with "crl query ldap://10.10.2.49", but it does not?

I have successfully obtained the certificates of the CA and of the router itself:

r-c3620-vpn1>show crypto ca certificates
Certificate
  Status: Available
  Certificate Serial Number: 610D081E000000000009
  Certificate Usage: General Purpose
  Issuer:
    CN = TestCA
    OU = LMT-VPN
    O = LMT-VPN
    L = Riga
    ST = Riga
    C = LV
    EA =<16> user@domain.lv
  Subject:
    Name: r-c3620-vpn1.lmt.lv
    IP Address: 10.10.90.240
    Serial Number: 21464125
    OID.1.2.840.113549.1.9.2 = r-c3620-vpn1.lmt.lv
    OID.1.2.840.113549.1.9.8 = 10.10.90.240
    OID.2.5.4.5 = 21464125
  CRL Distribution Point:
    ldap:///CN=TestCA,CN=tau,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=2k,DC=mydom,DC=net?certificateRevocationList?base?objectclass=cRLDistributionPoint
  Validity Date:
    start date: 14:29:10 EEST May 15 2003
    end date: 14:29:10 EEST May 14 2005
    renew date: 02:00:00 EET Jan 1 1970
  Associated Trustpoints: LMT-PKI

CA Certificate
  Status: Available
  Certificate Serial Number: 49F2340E73872AB44CCAD9CB46657697
  Certificate Usage: General Purpose
  Issuer:
    CN = TestCA
    OU = LMT-VPN
    O = LMT-VPN
    L = Riga
    ST = Riga
    C = LV
    EA =<16> user@domain.lv
  Subject:
    CN = TestCA
    OU = LMT-VPN
    O = LMT-VPN
    L = Riga
    ST = Riga
    C = LV
    EA =<16> user@domain.lv
  CRL Distribution Point:
    ldap:///CN=TestCA,CN=tau,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=2k,DC=mydom,DC=net?certificateRevocationList?base?objectclass=cRLDistributionPoint
  Validity Date:
    start date: 12:25:09 EEST May 15 2003
    end date: 12:30:06 EEST May 15 2005
  Associated Trustpoints: LMT-PKI

Can anybody tell me where my fault is?

Many thanks !
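As an added illustration (not code from the thread or from Cisco IOS), a small parser for the LDAP CRL Distribution Point URL shown in the certificate above: RFC 4516 allows the host part to be empty (ldap:///...), in which case a client must take the server from local configuration, which on IOS is the trustpoint's "crl query" URL. The function names and the strict refusal to guess a server when neither source names one are my own assumptions.

```python
from urllib.parse import unquote, urlsplit

# Sample values copied from the thread above: the certificate's CDP URL, which
# carries no host part, and the trustpoint's "crl query" server.
CDP_URL = ("ldap:///CN=TestCA,CN=tau,CN=CDP,CN=Public%20Key%20Services,"
           "CN=Services,CN=Configuration,DC=2k,DC=mydom,DC=net"
           "?certificateRevocationList?base?objectclass=cRLDistributionPoint")
CRL_QUERY = "ldap://10.10.2.49"

def parse_ldap_url(url):
    """Split an RFC 4516 LDAP URL: ldap://[host[:port]]/dn[?attrs[?scope[?filter]]].

    A missing host is reported as None rather than replaced by a default.
    """
    parts = urlsplit(url)
    if parts.scheme != "ldap":
        raise ValueError("not an ldap URL: %s" % url)
    dn = unquote(parts.path.lstrip("/"))
    # The fields after the DN are separated by "?" in a fixed order.
    fields = parts.query.split("?") if parts.query else []
    attributes = [a for a in fields[0].split(",") if a] if fields else []
    scope = fields[1] if len(fields) > 1 and fields[1] else "base"
    filt = unquote(fields[2]) if len(fields) > 2 and fields[2] else "(objectClass=*)"
    return {"host": parts.hostname or None, "port": parts.port or 389, "dn": dn,
            "attributes": attributes, "scope": scope, "filter": filt}

def resolve_crl_server(cdp_url, crl_query=None):
    """Decide which LDAP server a CRL fetch for this CDP should go to.

    When the CDP omits the host (ldap:///...), the only legitimate source of a
    server is local configuration (the trustpoint's "crl query" URL on IOS).
    Anything else, such as a broadcast or default address, is refused.
    Returns (host, port, parsed_cdp).
    """
    cdp = parse_ldap_url(cdp_url)
    if cdp["host"]:
        return cdp["host"], cdp["port"], cdp
    if crl_query is None:
        raise ValueError("CDP has no host and no crl query server is configured")
    override = parse_ldap_url(crl_query)
    if not override["host"]:
        raise ValueError("crl query URL has no host: %s" % crl_query)
    return override["host"], override["port"], cdp

if __name__ == "__main__":
    host, port, cdp = resolve_crl_server(CDP_URL, CRL_QUERY)
    print("fetch %s from ldap://%s:%d base=%s" % (cdp["attributes"][0], host, port, cdp["dn"]))
```

Run against the values from this thread it reports the fetch going to 10.10.2.49:389 with the decoded DN as the search base, which is what the "debug crypto pki transactions" output above should have shown instead of 255.255.255.255.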

2 Replies

jfrahim
Level 5

Upgrade the code to 12.2(13)T or higher to get the fix.

Jazib

Thanks for the advice! It helped. Actually, this is quite often my favorite suggestion: try to upgrade IOS if somebody is complaining about bugs in IOS. This time I failed to advise myself :-) The confusion was caused because I was looking in Feature Navigator for the feature "Easy VPN Server" with the smallest feature set for 3DES, which was "IP Plus IPSec 3DES", and the only release Cisco offered was 12.2(11)T! After your advice I looked again at Feature Navigator and it turned out that there is 12.2(13)T, but only as IP/FW/IDS PLUS IPSEC 3DES. After upgrading to this release, CRLs and LDAP started to work.
