
DMVPN tunnel does not come up with Cisco IOS Certificate Server on the router


Core issue

When certificates are used for IKE authentication in a Dynamic Multipoint VPN (DMVPN) setup, the tunnel fails to come up and the router displays these debugs (output of debug crypto isakmp):

  May 18 18:45:57.370: ISAKMP:(13025): processing CERT payload. message ID = 0
  May 18 18:45:57.370: ISAKMP:(13025): processing a CT_X509_SIGNATURE cert
  May 18 18:45:57.370: ISAKMP:(13025): peer's pubkey isn't cached
  May 18 18:45:57.370: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from (ipaddress) is bad: CA request failed!

The last message means the router received the peer's certificate but could not validate it against a trustpoint: either no trustpoint for the issuing CA exists on this router, the CA certificate was never authenticated, or the certificate falls outside the router's current clock.

This issue is documented in Cisco bug ID CSCec14252.

Resolution

To resolve this issue, perform these steps on both the hub and the spoke routers:

  • Synchronize date and time on the routers (Network Time Protocol (NTP) is preferred); certificate validity checks fail if the clocks disagree.

  • Configure the hostname and domain name, which form the default subject name of the router certificate.

  • Make sure you have generated an RSA key pair.

  • Define a trustpoint for the Certification Authority (CA) on each router.

  • Authenticate the CA (download and verify the CA certificate).

  • Enroll with the CA to obtain the router certificate.
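The steps above collected into one configuration, as an added example that is not part of the original article and not taken from Cisco's own documentation. The hostnames, the domain example.com, the hub/CA address 192.0.2.1, the NTP server 192.0.2.10, the key label DMVPN-KEY and the trustpoint name IOS-CA are constructed placeholders; the SCEP enrollment URL assumes ip http server is enabled on the hub.

```cisco
!=== Hub: Cisco IOS Certificate Server ===
! (hypothetical names/addresses, constructed for this example)
hostname hub
ip domain name example.com
ntp server 192.0.2.10
!
! SCEP enrollment from the spokes arrives over HTTP
ip http server
!
crypto key generate rsa general-keys label DMVPN-KEY modulus 2048
!
crypto pki server IOS-CA
 database level complete
 issuer-name CN=ca.example.com
 lifetime ca-certificate 3650
 lifetime certificate 365
 ! auto-grant is fine for a lab; in production grant requests manually
 grant auto
 no shutdown
!
!=== Spoke (repeat on every spoke, and on the hub if it also enrolls) ===
hostname spoke1
ip domain name example.com
!
! Clock must agree with the CA or the certificate lifetime check fails
ntp server 192.0.2.10
!
! RSA key pair referenced by the trustpoint
crypto key generate rsa general-keys label DMVPN-KEY modulus 2048
!
! Trustpoint pointing at the IOS CA via SCEP
crypto pki trustpoint IOS-CA
 enrollment url http://192.0.2.1:80
 subject-name CN=spoke1.example.com
 rsakeypair DMVPN-KEY
 ! lab setting: no CRL lookup; configure a reachable CRL/cdp-url in production
 revocation-check none
!
! Download and verify the CA certificate, then request the router certificate
crypto pki authenticate IOS-CA
crypto pki enroll IOS-CA
!
! IKE policy that uses the certificate (RSA signatures) for authentication
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication rsa-sig
 group 14
```

crypto pki authenticate prompts you to accept the CA certificate fingerprint; compare it with show crypto pki server on the hub before answering yes, since accepting an unverified fingerprint is exactly what a man-in-the-middle would need. After enrollment, show crypto pki certificates on both routers should list both a CA certificate and a router certificate from the same issuer, and show ntp status should report the clock as synchronized; if either is missing the CA request failed message will reappear on the next IKE negotiation.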

For additional help, refer to Prerequisites for Cisco IOS Certificate Server and Dynamic Multipoint VPN.

For help enrolling a Cisco IOS router to another Cisco IOS router configured as a CA server, refer to Certificate enrollment.