2901 as a CA server

Jason P.
Level 1

I have a 2901 running c2900-universalk9-mz.SPA.151-4.M4 and it is acting as our CA server. We have quite a few remote routers that use this 2900 for certificate enrollment. Now we are seeing the following in these remote routers:

Oct 14 2015 19:26:37.059 UTC: %PKI-3-SOCKETSEND: Failed to send out message to CA server.
Oct 14 19:27:12.075: CRYPTO_PKI: Socket timeout
Oct 14 2015 19:31:25.870 UTC: %PKI-3-SOCKETSEND: Failed to send out message to CA server.
Oct 14 2015 19:32:35.914 UTC: %PKI-3-SOCKETSEND: Failed to send out message to CA server.
 

We've adjusted the number of concurrent HTTP sessions in accordance with the article below:

http://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/118734-probsol-ca-00.html

 

The errors are still present but are not appearing as frequently.

My question is, what are the limits of using this 2901 as a CA server? Are we simply overwhelming this system?
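The question above is whether the 2901 is being overwhelmed. Before raising the HTTP connection cap again it helps to know how the client-side failures cluster, because a concurrent-connection limit bites on bursts (many remote routers enrolling or polling at once), not on the daily total. The following is an added example and is not code from the original post or from Cisco: a small Python script that parses both IOS timestamp shapes visible in the post (the `Oct 14 2015 19:26:37.059 UTC:` form and the year-less `Oct 14 19:27:12.075:` debug form), counts `%PKI-3-SOCKETSEND` and `CRYPTO_PKI: Socket timeout` lines per router and per hour, and reports the peak number of failures in any five-minute window. The hostnames `rtr-a`/`rtr-b`/`rtr-c`, the two extra sample lines, and the default year 2015 for year-less lines are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample, not from a real collector: the four lines quoted in the
# post plus two extra lines, each prefixed with a hypothetical hostname the way
# a central syslog server would record them.
SAMPLE_LOG = """\
rtr-a: Oct 14 2015 19:26:37.059 UTC: %PKI-3-SOCKETSEND: Failed to send out message to CA server.
rtr-a: Oct 14 19:27:12.075: CRYPTO_PKI: Socket timeout
rtr-b: Oct 14 2015 19:31:25.870 UTC: %PKI-3-SOCKETSEND: Failed to send out message to CA server.
rtr-a: Oct 14 2015 19:32:35.914 UTC: %PKI-3-SOCKETSEND: Failed to send out message to CA server.
rtr-c: Oct 14 2015 20:05:01.002 UTC: %PKI-3-SOCKETSEND: Failed to send out message to CA server.
rtr-b: Oct 14 2015 20:05:03.410 UTC: %SYS-5-CONFIG_I: Configured from console by vty0
"""

# Two timestamp shapes appear in the post: "Oct 14 2015 19:26:37.059 UTC:" and
# the shorter debug form "Oct 14 19:27:12.075:" with no year and no zone.
# The year and the zone are therefore optional groups.
LINE_RE = re.compile(
    r"^(?P<host>\S+): "
    r"(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2})"
    r"(?: (?P<year>\d{4}))? "
    r"(?P<hms>\d{2}:\d{2}:\d{2})\.\d+"
    r"(?: [A-Z]{3,4})?: "
    r"(?P<msg>.*)$"
)

# Message markers that indicate a PKI client failing to reach the CA server.
KINDS = (
    ("socketsend", "%PKI-3-SOCKETSEND"),
    ("timeout", "CRYPTO_PKI: Socket timeout"),
)


def parse_line(line, default_year=2015):
    """Return (host, timestamp, kind) for a PKI client failure line, else None.

    Year-less debug lines get default_year (an assumption; set it to the year
    the log was captured).
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind = next((k for k, marker in KINDS if marker in m["msg"]), None)
    if kind is None:
        return None  # some other syslog message; not a PKI failure
    year = m["year"] or str(default_year)
    ts = datetime.strptime(f"{m['mon']} {m['day']} {year} {m['hms']}",
                           "%b %d %Y %H:%M:%S")
    return m["host"], ts, kind


def peak_in_window(timestamps, window=timedelta(minutes=5)):
    """Largest number of failures inside any span of length `window`.

    Sliding two indices over the sorted timestamps; the burst size is what a
    concurrent-connection cap on the CA server's HTTP listener acts on.
    """
    ts = sorted(timestamps)
    best = start = 0
    for end, t in enumerate(ts):
        while t - ts[start] >= window:
            start += 1
        best = max(best, end - start + 1)
    return best


def summarize(log_text, default_year=2015):
    """Aggregate PKI client failures per router, per hour, per kind, plus the peak burst."""
    events = [e for e in (parse_line(l, default_year) for l in log_text.splitlines()) if e]
    return {
        "total": len(events),
        "by_kind": Counter(kind for _, _, kind in events),
        "per_host": Counter(host for host, _, _ in events),
        "per_hour": Counter(ts.strftime("%Y-%m-%d %H:00") for _, ts, _ in events),
        "peak_5min": peak_in_window([ts for _, ts, _ in events]),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['total']} PKI client failures, peak {s['peak_5min']} in any 5-minute window")
    for host, n in s["per_host"].most_common():
        print(f"  {host}: {n}")
    for hour, n in sorted(s["per_hour"].items()):
        print(f"  {hour}: {n}")
```

Feed it the syslog from all the remote routers rather than one box: if the peak five-minute burst approaches the configured `ip http max-connections` value on the CA server, the cap is the likely bottleneck; if failures are spread thinly with no bursts, look at reachability between the spokes and the hub before raising the limit again.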

 

1 Reply

Jason P.
Level 1

A colleague contacted Cisco and was able to further increase the number of concurrent HTTP sessions by installing an upgraded license. It seems to be both platform- and license-specific.


From Cisco:


From an IOS CLI perspective, the ISR 2900 and onwards do appear to "allow" configuring in excess of 16 concurrent HTTP connections. For example:


ISR2921-4(config)#ip http max-connections ?

  <1-1000>  Maximum number of concurrent http server connections


See page 40 in the IOS HTTP Services Command Reference, "platform-specific implementations can supersede the upper range limit of 16".

 

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/https/command/nm-https-cr-book.pdf


"Platform-specific implementations can supersede the upper range limit of 16.

If a new value is configured that is less than the previously configured value while the current number of connections exceeds the new maximum value, the HTTP server will not abort any of the current connections.

However, the server will not accept new connections until the current number of connections falls below the new configured value."

 

So far, we've seen no negative impact to performance and the PKI client side errors shown above have ceased.
