Hi everyone,
Sorry, I want to ask about the log on our IPsec router.
Our client uses a Cisco ASR1001x. Yesterday there were changes on the IPsec side,
and after the changes a strange log appeared. The log looks like this:
1586076: Oct 1 07:41:23.136 WIB: CRYPTO_PKI: locked trustpoint IPSEC02, refcount is 1
1586077: Oct 1 07:41:23.136 WIB: CRYPTO_PKI: http connection opened via VRF IWAN-LINK-1
1586078: Oct 1 07:41:23.136 WIB: CRYPTO_PKI: Sending HTTP message
1586079: Oct 1 07:41:23.136 WIB: CRYPTO_PKI: Reply HTTP header:
HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: 10.3.0.7
1586080: Oct 1 07:41:23.143 WIB: CRYPTO_PKI: unlocked trustpoint IPSEC02, refcount is 0
1586081: Oct 1 07:41:23.143 WIB: CRYPTO_PKI: locked trustpoint IPSEC02, refcount is 1
1586082: Oct 1 07:41:23.152 WIB: CRYPTO_PKI: unlocked trustpoint IPSEC02, refcount is 0
1586083: Oct 1 07:41:23.152 WIB: CRYPTO_PKI: Reply HTTP header:
HTTP/1.1 404 Not Found
Server: nginx
Date: Tue, 01 Oct 2024 00:41:23 GMT
Connection: close
Accept-Ranges: none
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Type indicates we did not receive a certificate.
1586084: Oct 1 07:41:23.152 WIB: %Error in connection to Certificate Authority: status = FAIL
1586085: Oct 1 07:41:23.152 WIB: %PKI-2-CERT_SHADOW_INSTALL_FAIL: Content-Type indicates we did not receive CA certificate for Trustpoint :IPSEC02.
1586086: Oct 1 07:41:23.152 WIB: PKI: Shadow state for IPSEC02 now GET_NEW_CA_CERT_WAIT_FOR_RETRY
1586087: Oct 1 07:41:23.152 WIB: PKI:get_cert IPSEC02 0x10 (expired=0):
1586088: Oct 1 07:41:23.153 WIB: PKI: Shadow state for IPSEC02 now GET_NEW_CA_CERT
The log appeared after changes like this:
IPSEC02#conf t
Enter configuration commands, one per line. End with CNTL/Z.
IPSEC02(config)#
IPSEC02(config)#crypto pki trustpoint IPSEC02-BR
IPSEC02(ca-trustpoint)# enrollment retry count 5
IPSEC02(ca-trustpoint)# enrollment retry period 3
IPSEC02(ca-trustpoint)# enrollment url http://192.168.1.10:80
IPSEC02(ca-trustpoint)# serial-number none
IPSEC02(ca-trustpoint)# fqdn IPSEC02.kedaikita.com
IPSEC02(ca-trustpoint)# ip-address 192.168.2.10
IPSEC02(ca-trustpoint)# password 7 ******************
IPSEC02(ca-trustpoint)# fingerprint ****** ****** ****** ******
IPSEC02(ca-trustpoint)# subject-alt-name IPSEC02.kedaikita.com
IPSEC02(ca-trustpoint)# vrf IWAN-LINK-1
IPSEC02(ca-trustpoint)# revocation-check crl none
IPSEC02(ca-trustpoint)# rsakeypair IPSEC02 2048 2048
IPSEC02(ca-trustpoint)# auto-enroll 70
IPSEC02(ca-trustpoint)# hash sha256
IPSEC02(ca-trustpoint)#
IPSEC02(ca-trustpoint)#exit
IPSEC02(config)#crypto pki authenticate IPSEC02-BR
Trustpoint 'IPSEC02-BR' is a subordinate CA and holds a non self signed cert
Certificate has the following attributes:
Fingerprint MD5: ****** ****** ****** ******
Fingerprint SHA1: ****** ****** ****** ******
Trustpoint Fingerprint: ****** ****** ****** ******
Certificate validated - fingerprints matched.
Trustpoint CA certificate accepted.
IPSEC02(config)#
IPSEC02(config)#
IPSEC02(config)#crypto pki enroll IPSEC02-BR
Trustpoint IPSEC02-BR is in rollover mode.
If you successfully re-enroll this trustpoint,
a shadow certificate will be obtained.
This will not effect the router certificate.
Do you want to continue with re-enrollment? [yes/no]: yes
Shadow enrollment will begin in 30 seconds and will
proceed in the background. You will be prompted to save
the configuration when the shadow enrollment completes
IPSEC02(config)#crypto pki crl download trustpoint IPSEC02-BR
IPSEC02(config)#
IPSEC02(config)#
IPSEC02(config)#end
Please help me, friends.
Mohamad Lukman
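As an added example that is not part of the original post: a small Python parser that pulls the trustpoint, VRF, CA host, HTTP status and shadow-enrollment states out of CRYPTO_PKI / PKI log lines like the ones above, then checks the failing trustpoint against a pasted `crypto pki trustpoint` configuration (which trustpoint the log belongs to, whether its enrollment host matches the host the router actually contacted). The sample log and config lines are copied from the post; the function names, the `PkiEvent` fields and the wording of the findings are this example's own assumptions.

```python
"""Parse Cisco IOS-XE CRYPTO_PKI / PKI shadow-enrollment log lines and correlate
them with a pasted 'crypto pki trustpoint' configuration.

Added example, not part of the original post or any Cisco tool. The sample
input below is copied from the log and config excerpt in the post; everything
else (names, findings text) is assumed for illustration."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed sample input: log lines copied from the post.
SAMPLE_LOG = """\
1586076: Oct 1 07:41:23.136 WIB: CRYPTO_PKI: locked trustpoint IPSEC02, refcount is 1
1586077: Oct 1 07:41:23.136 WIB: CRYPTO_PKI: http connection opened via VRF IWAN-LINK-1
1586078: Oct 1 07:41:23.136 WIB: CRYPTO_PKI: Sending HTTP message
1586079: Oct 1 07:41:23.136 WIB: CRYPTO_PKI: Reply HTTP header:
HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: 10.3.0.7
1586080: Oct 1 07:41:23.143 WIB: CRYPTO_PKI: unlocked trustpoint IPSEC02, refcount is 0
1586083: Oct 1 07:41:23.152 WIB: CRYPTO_PKI: Reply HTTP header:
HTTP/1.1 404 Not Found
Server: nginx
Content-Type indicates we did not receive a certificate.
1586084: Oct 1 07:41:23.152 WIB: %Error in connection to Certificate Authority: status = FAIL
1586085: Oct 1 07:41:23.152 WIB: %PKI-2-CERT_SHADOW_INSTALL_FAIL: Content-Type indicates we did not receive CA certificate for Trustpoint :IPSEC02.
1586086: Oct 1 07:41:23.152 WIB: PKI: Shadow state for IPSEC02 now GET_NEW_CA_CERT_WAIT_FOR_RETRY
1586087: Oct 1 07:41:23.152 WIB: PKI:get_cert IPSEC02 0x10 (expired=0):
1586088: Oct 1 07:41:23.153 WIB: PKI: Shadow state for IPSEC02 now GET_NEW_CA_CERT
"""

# Constructed sample input: the trustpoint config lines copied from the post.
SAMPLE_CONFIG = """\
crypto pki trustpoint IPSEC02-BR
 enrollment retry count 5
 enrollment retry period 3
 enrollment url http://192.168.1.10:80
 vrf IWAN-LINK-1
 auto-enroll 70
"""

TRUSTPOINT_RE = re.compile(r"CRYPTO_PKI: (?:un)?locked trustpoint (\S+),")
VRF_RE = re.compile(r"http connection opened via VRF (\S+)")
HOST_RE = re.compile(r"^Host:\s*(\S+)")                # request header sent by the router
STATUS_RE = re.compile(r"^HTTP/\d\.\d\s+(\d{3})\b")    # response status line from the CA
CA_STATUS_RE = re.compile(r"%Error in connection to Certificate Authority: status = (\S+)")
FAIL_RE = re.compile(r"%PKI-2-CERT_SHADOW_INSTALL_FAIL:.*Trustpoint :([^\s.]+)")
STATE_RE = re.compile(r"PKI: Shadow state for (\S+) now (\S+)")

TP_HDR_RE = re.compile(r"^crypto pki trustpoint (\S+)")
URL_RE = re.compile(r"^enrollment url (\S+)")
CFG_VRF_RE = re.compile(r"^vrf (\S+)")


@dataclass
class PkiEvent:
    """What one shadow-enrollment attempt tells us (assumed structure)."""
    trustpoint: Optional[str] = None
    vrf: Optional[str] = None
    ca_host: Optional[str] = None       # Host: header, i.e. where the router connected
    http_status: Optional[int] = None   # status code the CA URL answered with
    ca_status: Optional[str] = None     # 'FAIL' from the %Error line
    install_fail: bool = False
    shadow_states: List[str] = field(default_factory=list)


def parse_pki_log(text: str) -> PkiEvent:
    """Walk the log once and fill a PkiEvent from the lines we recognise."""
    ev = PkiEvent()
    for raw in text.splitlines():
        line = raw.strip()
        if (m := TRUSTPOINT_RE.search(line)) and ev.trustpoint is None:
            ev.trustpoint = m.group(1)
        elif m := VRF_RE.search(line):
            ev.vrf = m.group(1)
        elif m := HOST_RE.match(line):
            ev.ca_host = m.group(1)
        elif m := STATUS_RE.match(line):          # a bare 'HTTP/1.0' line has no code and is skipped
            ev.http_status = int(m.group(1))
        elif m := CA_STATUS_RE.search(line):
            ev.ca_status = m.group(1)
        elif m := FAIL_RE.search(line):
            ev.install_fail = True
            ev.trustpoint = ev.trustpoint or m.group(1)
        elif m := STATE_RE.search(line):
            ev.shadow_states.append(m.group(2))
    return ev


def parse_trustpoint_config(text: str) -> Dict[str, Dict[str, str]]:
    """Map trustpoint name -> {'enrollment_host': ..., 'vrf': ...} from pasted config."""
    cfg: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := TP_HDR_RE.match(line):
            current = m.group(1)
            cfg[current] = {}
        elif current and (m := URL_RE.match(line)):
            cfg[current]["enrollment_host"] = urlparse(m.group(1)).hostname or ""
        elif current and (m := CFG_VRF_RE.match(line)):
            cfg[current]["vrf"] = m.group(1)
    return cfg


def diagnose(ev: PkiEvent, cfg: Dict[str, Dict[str, str]]) -> List[str]:
    """Turn the parsed event plus config into plain-language findings."""
    findings: List[str] = []
    if ev.install_fail:
        findings.append(f"shadow (rollover) CA certificate fetch failed for trustpoint {ev.trustpoint}")
    if ev.http_status is not None and ev.http_status >= 400:
        findings.append(f"CA host {ev.ca_host} (via VRF {ev.vrf}) answered HTTP {ev.http_status}; no certificate in the reply")
    if ev.trustpoint not in cfg:
        findings.append(f"trustpoint {ev.trustpoint} is not among the pasted trustpoint configs: {sorted(cfg)}")
    elif cfg[ev.trustpoint].get("enrollment_host") != ev.ca_host:
        findings.append(f"trustpoint {ev.trustpoint} enrolls to {cfg[ev.trustpoint].get('enrollment_host')} in config but the log shows {ev.ca_host}")
    if "GET_NEW_CA_CERT_WAIT_FOR_RETRY" in ev.shadow_states:
        findings.append("router entered GET_NEW_CA_CERT_WAIT_FOR_RETRY, so it will retry the fetch by itself")
    return findings


if __name__ == "__main__":
    event = parse_pki_log(SAMPLE_LOG)
    for finding in diagnose(event, parse_trustpoint_config(SAMPLE_CONFIG)):
        print("-", finding)
```

Run it on the two excerpts and it reports that the failing trustpoint in the log is IPSEC02 (contacting 10.3.0.7 through VRF IWAN-LINK-1 and getting a 404 from nginx), while the only trustpoint in the pasted config block is IPSEC02-BR with enrollment URL host 192.168.1.10; that is the first thing to check when a log and a config change do not seem to line up. Feed it `show logging` output and `show running-config | section crypto pki trustpoint` from the real box instead of the samples to run the same check there.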