
DMVPN tunnel does not come up with Cisco IOS Certificate Server on the router


Core issue

When certificates are used for authentication in a Dynamic Multipoint VPN (DMVPN) setup, the router displays these debugs:

  • May 18 18:45:57.370: ISAKMP:(13025): processing CERT payload. message ID = 0

  • May 18 18:45:57.370: ISAKMP:(13025): processing a CT_X509_SIGNATURE cert

  • May 18 18:45:57.370: ISAKMP:(13025): peer's pubkey isn't cached

  • May 18 18:45:57.370: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from ( ipaddress )is bad: CA request failed!

This issue is documented in Cisco bug ID CSCec14252.


To resolve this issue, perform these steps:

  • Create a trustpoint on both sides.

  • Synchronize the date and time on the routers (Network Time Protocol (NTP) is preferred).

  • Configure the hostname and domain.

  • Make sure you have generated an RSA key.

  • Define the Certification Authority (CA).

  • Authenticate the CA.

  • Enroll with the CA.
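
The steps above as they might be entered on one DMVPN router. This is an added example, not configuration from the original document. The names SPOKE1, example.com and DMVPN-CA and the address 192.0.2.1 (used here as both the NTP source and the Cisco IOS CA server) are assumed placeholders, and older IOS releases use `crypto ca` in place of `crypto pki`.

```cisco
! Constructed example values: 192.0.2.1 is the NTP source and the IOS CA server;
! SPOKE1, example.com and DMVPN-CA are placeholder names.
configure terminal
 ! Certificate validity dates are checked against the local clock,
 ! so time must be correct before authenticating or enrolling.
 ntp server 192.0.2.1
 !
 ! Hostname and domain form the FQDN placed in the certificate request.
 hostname SPOKE1
 ip domain-name example.com
 !
 ! Generate a labelled RSA key pair for the trustpoint to use.
 crypto key generate rsa general-keys label SPOKE1.example.com modulus 2048
 !
 ! Define the CA: the trustpoint points at the CA server's enrollment URL.
 crypto pki trustpoint DMVPN-CA
  enrollment url http://192.0.2.1:80
  rsakeypair SPOKE1.example.com
  exit
 !
 ! Authenticate the CA: retrieves the CA certificate and shows its fingerprint.
 ! Compare the fingerprint with the one on the CA server before accepting.
 crypto pki authenticate DMVPN-CA
 !
 ! Enroll: request this router's identity certificate from the CA.
 crypto pki enroll DMVPN-CA
 end
!
! Verification: clock is synchronized and both the CA certificate and the
! router certificate are present under the trustpoint.
show ntp status
show clock detail
show crypto pki certificates DMVPN-CA
```

Repeat the same sequence on the peer router with its own hostname and key label. On the CA server, `show crypto pki server` displays the CA certificate fingerprint to compare against during the authenticate step.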

For additional help, refer to Prerequisites for Cisco IOS Certificate Server and Dynamic Multipoint VPN.

For help enrolling a Cisco IOS router to another Cisco IOS router configured as a CA server, refer to Certificate enrollment.