About michael.leblanc

michael.leblanc · 12-12-2012

Forum:I have a group of routers participating in two parallel NHRP Networks. One of the NHRP networks receives tunnel protection (DMVPN), the other does not. The DMVPN was using certificate maps, and worked well.I want to apply tunnel protection to t...

michael.leblanc · 12-04-2012

The ISAKMP SA lifetime for one of our DMVPNs is set to ~ 24 hours in the following ISAKMP policy:crypto isakmp policy 3 encr 3des group 2 lifetime 86399Despite this, the Crytpo tunnels go down every 2 hours. They come back up after about 4 seconds.We...

michael.leblanc · 12-04-2012

Trying to install a second certificate issued by the same Certificate Authority (CA). However, the new certificate replaces it's predecessor.Original Certificate Enrollment Config:crypto pki trustpoint ca.domain.null enrollment url http://ca.domain.n...

michael.leblanc · 10-20-2010

Note: These messages have been extracted from Syslog Message Fields in a Wireshark trace file, so the leading numbers (e.g.: 86771, 86743) are not being pre-pended by the syslog server.Example of a syslog message with "service sequence-numbers" NOT c...

michael.leblanc · 07-27-2010

We setup a Cisco IOS Certificate Server, and successfully issued several certificates (via SCEP enrollment) to routers participating in a DMVPN. We then tried to enroll a c3550 (c3550-ipservicesk9-mz.122-52.SE) via SCEP, but encountered an issue with...

michael.leblanc · 12-13-2012

Marcin:Yes, the two Tunnel interfaces (T0, T1), are using the same physical interface as the "tunnel source interface".That is the primary reason that I have pursued the dual certificate configuration, so that I could differentiate the two crypto t...

michael.leblanc · 12-13-2012

Marcin:The debug statement "Peer matches *none* of the profiles" is expected prior to processing of the CERT payload.I've attached an excerpt from a Cisco document as a reference.I will simplify the cert maps anyways, and reintroduce more complexity ...

michael.leblanc · 12-12-2012

Forum:The attachment titled "ISAKMP Debug - Spoke.pdf" contained a typo, as acknowledged in the edit.I needed to scrub the files of production labels, and missed a simple replacement. The spoke debug refers to the spoke as br08-edg01.domain.null, ...

michael.leblanc · 12-12-2012

Marcin:"You can have different trustpoints with same issuer certificate, no need to use two different CAs."That's the part I needed to hear. Thanks.Have the new certificates installed, but I've encountered difficulty with the hub sending the wrong ce...

michael.leblanc · 12-07-2012

Marcin:Thank you for the response, and feedback.Unfortunately, my last reply at Dec 7, 2012 1:15 AM, which contained the solution, and was most likely the one you intended to respond too, wasn't the one that received your generous rating, drawing att...

Member Since	‎04-06-2005 09:02 AM
Date Last Visited	‎08-18-2017 03:53 AM
Posts	373
Total Helpful Votes Received	171

User Statistics

User Activity

DMVPN - Constructing a CERT payload with the wrong certificate.

NHRP brings DMVPN down, every two hours.

Installing 2nd Certificate from the same CA.

Syslog Sequence Numbering

c3550 certificate storage issue.

Re: DMVPN - Constructing a CERT payload with the wrong certifica

Re: DMVPN - Constructing a CERT payload with the wrong certifica

Re: DMVPN - Constructing a CERT payload with the wrong certifica

Re: Installing 2nd Certificate from the same CA.

Re: NHRP brings DMVPN down, every two hours.