Hi everyone,
I am observing a "weird" behavior of numerous similarly configured devices in a GETVPN environment and was hoping for some pointers.
All commands are executed on the GM.
#sh ver | i IOS
Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.1(4)M3, RELEASE SOFTWARE (fc1)
GM is enrolled with 2 SubCAs.
#sh run | s trustpoint
crypto pki trustpoint SubCA01
enrollment url $url
subject-name ...
revocation-check none
rsakeypair CertKeys.SubCA01
auto-enroll 70
crypto pki trustpoint SubCA02
enrollment url $url
subject-name ...
revocation-check none
rsakeypair CertKeys.SubCA02
auto-enroll 70
#sh cryp pki cert | i cn
cn=SubCA02
cn=$router
cn=RootCA
cn=SubCA02
cn=SubCA01
cn=$router
cn=RootCA
cn=SubCA01
Registration with KS1 and KS2 works fine, the crypto map is applied, the IPsec SA comes up, all good. (No output, because the problem isn't GDOI-related.)
Now here's the problem relating to obtaining the rollover certs:
All possible crypto pki debugging is activated and term mon'd.
#sh cryp pki tim
PKI Timers
| 1.308
| 1.308 SHADOW SubCA02
| 27d22:56:14.428 SHADOW SubCA01
#
Oct 1 09:54:42.075: PKI: Shadow timer went off forSubCA02
Oct 1 09:54:42.075: PKI:get_cert SubCA02 0x10 (expired=0):
Oct 1 09:54:42.075: PKI:get_cert SubCA02 0x10 (expired=0):
#
#sh cryp pki tim
PKI Timers
| 59:30.308
| 59:30.308 SHADOW SubCA02
| 27d22:55:43.428 SHADOW SubCA01
As seen above, the device registers the timer firing, but does nothing. It does not try to obtain a rollover cert. Manually enrolling with the corresponding trustpoint immediately afterwards works fine and the rollover cert is obtained with no issues whatsoever.
The above behavior persists through a reload and does not affect all devices in the GETVPN, which are configured identically with regard to GETVPN and have the exact same IOS and hardware.
Any ideas? Thanks in advance for taking the time.
[EDIT: Is this not enough information? If so, please point me to what is required so I can provide it. Thanks.]
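The failure mode described in the post (the SHADOW timer fires, is re-armed, and no rollover certificate shows up) is easy to miss on a fleet of identically configured GMs, since GDOI registration keeps working until the current certificate actually expires. The script below is an added example, not code from the original post or from Cisco: it takes pasted `show crypto pki timers` and `show crypto pki certificates` output and flags trustpoints whose SHADOW timer is due within a threshold but which hold no rollover certificate, i.e. the candidates for a manual `crypto pki enroll`. The timer sample is the post's second capture; the certificate-store sample is constructed, and the block layout it assumes (unindented headers such as `Certificate (Rollover)`, followed by an indented `Associated Trustpoints:` line) is an assumption modelled on IOS output, so adjust the parser if your platform prints it differently.

```python
"""Flag PKI trustpoints whose SHADOW (rollover) timer is due but which
still hold no rollover certificate, from pasted IOS 'show' output."""
import re

# "| 59:30.308  SHADOW SubCA02"  ->  (remaining, kind, trustpoint)
TIMER_LINE = re.compile(r"^\|\s*(?P<left>\S+)\s+(?P<kind>[A-Z]+)\s+(?P<tp>\S+)\s*$")


def parse_duration(text):
    """Convert an IOS timer value ('1.308', '59:30.308', '27d22:56:14.428')
    to seconds.  Assumed format: optional '<days>d', then colon-separated
    hours/minutes/seconds fields, least significant last."""
    m = re.match(r"^(?:(?P<days>\d+)d)?(?P<rest>[\d:.]+)$", text)
    if not m:
        raise ValueError("unrecognised timer value: %r" % text)
    seconds = 0.0
    for field in m.group("rest").split(":"):
        seconds = seconds * 60 + float(field)
    return int(m.group("days") or 0) * 86400 + seconds


def parse_timers(output):
    """Return {trustpoint: seconds_left} for every SHADOW timer in
    'show crypto pki timers'.  The bare summary line (no kind/trustpoint)
    does not match TIMER_LINE and is skipped."""
    shadow = {}
    for line in output.splitlines():
        m = TIMER_LINE.match(line.strip())
        if m and m.group("kind") == "SHADOW":
            shadow[m.group("tp")] = parse_duration(m.group("left"))
    return shadow


def parse_rollover_trustpoints(output):
    """Return the set of trustpoints that hold a router (not CA) rollover
    certificate.  Assumption: each certificate block starts with an
    unindented header ('Certificate', 'CA Certificate',
    'Certificate (Rollover)', ...) and carries an indented
    'Associated Trustpoints:' line naming its trustpoint(s)."""
    have_rollover = set()
    header = None
    for line in output.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # new certificate block
            header = line.strip()
            continue
        key, sep, value = line.strip().partition(":")
        if sep and key == "Associated Trustpoints" and header:
            # A CA rollover cert is the CA's own key rollover, not ours.
            if header.endswith("(Rollover)") and not header.startswith("CA "):
                have_rollover.update(value.split())
    return have_rollover


def find_stuck_rollovers(timers_output, certs_output, due_within=3600):
    """Trustpoints whose SHADOW timer fires within `due_within` seconds
    (default: one hour) but which have no rollover cert yet.  These are
    the ones to re-enroll by hand ('crypto pki enroll <trustpoint>')."""
    shadow = parse_timers(timers_output)
    rolled = parse_rollover_trustpoints(certs_output)
    return sorted(tp for tp, left in shadow.items()
                  if left <= due_within and tp not in rolled)


# 'show crypto pki timers' as captured in the post after the timer fired.
TIMERS = """\
PKI Timers
|        59:30.308
|        59:30.308  SHADOW SubCA02
| 27d22:55:43.428  SHADOW SubCA01
"""

# Constructed certificate store (not from the post): SubCA02 holds only
# its identity and CA certs; SubCA01 additionally holds a rollover cert.
CERTS = """\
Certificate
  Status: Available
  Certificate Serial Number (hex): 1A
  Issuer:
    cn=SubCA02
  Subject:
    cn=router01
  Associated Trustpoints: SubCA02
CA Certificate
  Status: Available
  Issuer:
    cn=RootCA
  Subject:
    cn=SubCA02
  Associated Trustpoints: SubCA02
Certificate
  Status: Available
  Certificate Serial Number (hex): 2B
  Issuer:
    cn=SubCA01
  Subject:
    cn=router01
  Associated Trustpoints: SubCA01
Certificate (Rollover)
  Status: Available
  Certificate Serial Number (hex): 2C
  Issuer:
    cn=SubCA01
  Subject:
    cn=router01
  Associated Trustpoints: SubCA01
CA Certificate
  Status: Available
  Issuer:
    cn=RootCA
  Subject:
    cn=SubCA01
  Associated Trustpoints: SubCA01
"""

if __name__ == "__main__":
    for tp in find_stuck_rollovers(TIMERS, CERTS):
        print("%s: SHADOW timer due, no rollover cert -> enroll manually" % tp)
```

With the sample input this reports SubCA02 only: its SHADOW timer is back under an hour and the store has no rollover certificate for it, while SubCA01 is 27 days out. Raising `due_within` does not change that, because SubCA01 already holds its rollover certificate; the check is against the certificate store, not just the timer, so a GM that fired and then re-enrolled correctly is not flagged. Run it over the output collected from each GM before the timer window closes rather than waiting for the identity certificate to expire.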