
ISR 4451 High CPU usage after enable CA

wabbot22
Level 1

Hi community,
I've installed a new CA on a 4451, because I want to shut down the old CA on a 2921.
I used nearly the same config on the 4451 as on the 2921, of course with different URL, IP and so on.
The config looks OK, and the startup of the CA looks normal, but I can see 100% CPU usage after I've no shut the CA.
The logging shows:
Jan 4 08:56:17.306: CRYPTO_PKI: Rcvd request to end PKI session ADA0F.
Jan 4 08:56:17.306: CRYPTO_PKI: PKI session ADA0F has ended. Freeing all resources.
Jan 4 08:56:17.306: CRYPTO_PKI: unlocked trustpoint SLA-TrustPoint, refcount is 0
Jan 4 08:56:17.336: CRYPTO_PKI: (ADA10) Session started - identity selected (SLA-TrustPoint)
Jan 4 08:56:17.337: CRYPTO_PKI: Rcvd request to end PKI session ADA10.
Jan 4 08:56:17.337: CRYPTO_PKI: PKI session ADA10 has ended. Freeing all resources.
Jan 4 08:56:17.337: CRYPTO_PKI: unlocked trustpoint SLA-TrustPoint, refcount is 0
Jan 4 08:56:17.339: CRYPTO_PKI: (ADA11) Session started - identity selected (SLA-TrustPoint)
Jan 4 08:56:17.339: CRYPTO_PKI: Rcvd request to end PKI session ADA11.

Several times in a second. The trustpoint SLA-TrustPoint is built in.
The configuration from the CA:

 

crypto pki server CA2
 database level complete
 database archive pem password xxxxxxx
 issuer-name CN=xyz
 hash sha512
 lifetime crl 4
 lifetime certificate 730
 lifetime ca-certificate 3650
 shutdown
 database url bootflash:/ca2/
 database url crl bootflash:/ca2/crl/
 database url pem bootflash:/ca2/pem/
crypto pki trustpoint SLA-TrustPoint
 enrollment terminal
 revocation-check crl
crypto pki trustpoint CA2
 revocation-check crl
 rsakeypair CA2-KEY

Has anyone an idea what could be the reason?

Thanks

P.S. After shutting down the CA, the CPU usage looks normal....
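
The session churn visible in the log above can be measured per trustpoint. This is an added example, not part of the original post and not Cisco tooling: it parses the CRYPTO_PKI lines quoted in the post and reports trustpoints whose PKI sessions start repeatedly within one second and close within milliseconds. The function names and both thresholds are assumptions chosen for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
# Log excerpt copied from the post above.
SAMPLE_LOG = """\
Jan 4 08:56:17.306: CRYPTO_PKI: Rcvd request to end PKI session ADA0F.
Jan 4 08:56:17.306: CRYPTO_PKI: PKI session ADA0F has ended. Freeing all resources.
Jan 4 08:56:17.306: CRYPTO_PKI: unlocked trustpoint SLA-TrustPoint, refcount is 0
Jan 4 08:56:17.336: CRYPTO_PKI: (ADA10) Session started - identity selected (SLA-TrustPoint)
Jan 4 08:56:17.337: CRYPTO_PKI: Rcvd request to end PKI session ADA10.
Jan 4 08:56:17.337: CRYPTO_PKI: PKI session ADA10 has ended. Freeing all resources.
Jan 4 08:56:17.337: CRYPTO_PKI: unlocked trustpoint SLA-TrustPoint, refcount is 0
Jan 4 08:56:17.339: CRYPTO_PKI: (ADA11) Session started - identity selected (SLA-TrustPoint)
Jan 4 08:56:17.339: CRYPTO_PKI: Rcvd request to end PKI session ADA11.
"""

TS = r"^\*?(\w{3} +\d+ [\d:.]+): CRYPTO_PKI: "  # IOS prefixes '*' when the clock is not authoritative
START_RE = re.compile(TS + r"\((\w+)\) Session started - identity selected \(([^)]+)\)")
END_RE = re.compile(TS + r"PKI session (\w+) has ended")

def parse_ts(text):  # the log carries no year; 2000 is an arbitrary placeholder
    return datetime.strptime("2000 " + text, "%Y %b %d %H:%M:%S.%f")

def session_churn(log_text):
    """Per trustpoint: sessions started, starts per whole second, lifetimes in ms."""
    open_sessions = {}  # session id -> (trustpoint, start time)
    stats = defaultdict(lambda: {"started": 0, "per_second": Counter(), "lifetimes_ms": []})
    for line in log_text.splitlines():
        if m := START_RE.match(line):
            ts, sid, tp = parse_ts(m[1]), m[2], m[3]
            open_sessions[sid] = (tp, ts)
            stats[tp]["started"] += 1
            stats[tp]["per_second"][ts.replace(microsecond=0)] += 1
        elif m := END_RE.match(line):
            # An end whose start lies outside the excerpt (ADA0F here) is skipped.
            if m[2] in open_sessions:
                tp, started = open_sessions.pop(m[2])
                lifetime = (parse_ts(m[1]) - started) / timedelta(milliseconds=1)
                stats[tp]["lifetimes_ms"].append(lifetime)
    return dict(stats)

def churning_trustpoints(stats, min_per_second=2, max_lifetime_ms=10.0):
    """Trustpoints whose sessions restart within a second and close almost at once (assumed thresholds)."""
    return sorted(tp for tp, s in stats.items()
                  if max(s["per_second"].values()) >= min_per_second
                  and s["lifetimes_ms"] and max(s["lifetimes_ms"]) <= max_lifetime_ms)

if __name__ == "__main__":
    print(churning_trustpoints(session_churn(SAMPLE_LOG)))
```

Run over a longer capture, the per-second counts show whether the churn is continuous or a short burst, which helps when correlating it with the CPU readings requested later in the thread.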

7 Replies

balaji.bandi
Hall of Fame

Can you post show version and show process CPU (when you enable CA)?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

unlocked trustpoint SLA-TrustPoint <<-

Sorry for my limited info, but if you run Smart Licensing, that needs a CA to check the certificate, and you configured the CA as a server, so I think there is a loop.
I will do a deep dive; if I find something I will update you.

Hello,

Without having seen the full config of your 4451, is NTP configured correctly, that is, does the time synchronize (either use NTP or the 'clock calendar-valid' config command)?

Hi, and thanks for all the answers.
Yes, NTP is configured correctly and synchronized well.
I've enabled the CA again, and..... nothing happens.
That means it works well now, but why...? I don't know.
I've shut / no shut the CA several times, no problem.
I don't have any idea what happened. There was no config change, 100%.
I will take a closer look during the next days to see if it runs stable....

Yes NTP is configured correctly and synchronized well. - is this configured before?
I've enabled the CA again, and..... nothing happens. - is this fixed after NTP config?

Since we asked for information before and got nothing back, you go in favour of luck then.

Look at the logs, look at the processes and what is consuming CPU. Is this a one-time incident, or coincident with another issue?

 

BB


Yes, NTP has run stable since the router came up.
And nothing was changed in the config, because I'm the only person
with the credentials...
Yesterday the error occurred several times, but now nothing. It works fine....
Strange...

Sure, then this is a one-time event and no evidence shows it's because of the CA only.

Monitor, and glad you were able to fix the issue (automatically).

BB
