TCC_2

Core issue

When certificates are used for authentication in a Dynamic Multipoint VPN (DMVPN) setup, the router displays these debug messages:

  • May 18 18:45:57.370: ISAKMP:(13025): processing CERT payload. message ID = 0

  • May 18 18:45:57.370: ISAKMP:(13025): processing a CT_X509_SIGNATURE cert

  • May 18 18:45:57.370: ISAKMP:(13025): peer's pubkey isn't cached

  • May 18 18:45:57.370: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from ( ipaddress )is bad: CA request failed!

This issue is documented in Cisco bug ID CSCec14252.

Resolution

To resolve this issue, perform these steps:

  • Create a trustpoint on both sides.

  • Synchronize the date and time on the routers (Network Time Protocol (NTP) is preferred).

  • Configure the hostname and domain.

  • Make sure you have generated an RSA key.

  • Define the Certification Authority (CA).

  • Authenticate the CA.

  • Enroll with the CA.
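
The steps above as one IOS session on a spoke router, followed by the show commands that confirm each prerequisite. This is an added example, not configuration from the original article or from Cisco; the hostname, domain, trustpoint name DMVPN-CA, key label DMVPN-KEY and the 192.0.2.x addresses are placeholder assumptions.

```ios
! Constructed example: all names and 192.0.2.x addresses are placeholders.
configure terminal
 ! Hostname and domain form the FQDN used in the certificate request
 hostname spoke1
 ip domain-name example.com
 !
 ! Time source: certificate validity dates are checked against the local clock
 ntp server 192.0.2.10
 !
 ! RSA key pair for this router
 crypto key generate rsa general-keys label DMVPN-KEY modulus 2048
 !
 ! Trustpoint that defines the CA and binds the key pair to it
 crypto pki trustpoint DMVPN-CA
  enrollment url http://192.0.2.1:80
  rsakeypair DMVPN-KEY
  exit
 !
 ! Fetch the CA certificate; compare its fingerprint out of band before accepting
 crypto pki authenticate DMVPN-CA
 !
 ! Request this router's identity certificate from the CA
 crypto pki enroll DMVPN-CA
end
!
! Checks to run on both peers before retrying the tunnel
show clock detail
show ntp status
show crypto key mypubkey rsa
show crypto pki trustpoints status
show crypto pki certificates
```

Repeat the same configuration on the peer with its own hostname. Older IOS releases take the same commands with `crypto ca` in place of `crypto pki`.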

For additional help, refer to Prerequisites for Cisco IOS Certificate Server and Dynamic Multipoint VPN.

For help enrolling a Cisco IOS router to another Cisco IOS router configured as a CA server, refer to Certificate enrollment.
