Forum: I have a group of routers participating in two parallel NHRP Networks. One of the NHRP networks receives tunnel protection (DMVPN), the other does not. The DMVPN was using certificate maps, and worked well. I want to apply tunnel protection to t...
The ISAKMP SA lifetime for one of our DMVPNs is set to ~ 24 hours in the following ISAKMP policy: crypto isakmp policy 3 encr 3des group 2 lifetime 86399 Despite this, the Crypto tunnels go down every 2 hours. They come back up after about 4 seconds. We...
Trying to install a second certificate issued by the same Certificate Authority (CA). However, the new certificate replaces its predecessor. Original Certificate Enrollment Config: crypto pki trustpoint ca.domain.null enrollment url http://ca.domain.n...
Note: These messages have been extracted from Syslog Message Fields in a Wireshark trace file, so the leading numbers (e.g.: 86771, 86743) are not being pre-pended by the syslog server. Example of a syslog message with "service sequence-numbers" NOT c...
We set up a Cisco IOS Certificate Server, and successfully issued several certificates (via SCEP enrollment) to routers participating in a DMVPN. We then tried to enroll a c3550 (c3550-ipservicesk9-mz.122-52.SE) via SCEP, but encountered an issue with...
Marcin: Yes, the two Tunnel interfaces (T0, T1), are using the same physical interface as the "tunnel source interface". That is the primary reason that I have pursued the dual certificate configuration, so that I could differentiate the two crypto t...
Marcin: The debug statement "Peer matches *none* of the profiles" is expected prior to processing of the CERT payload. I've attached an excerpt from a Cisco document as a reference. I will simplify the cert maps anyways, and reintroduce more complexity ...
Forum: The attachment titled "ISAKMP Debug - Spoke.pdf" contained a typo, as acknowledged in the edit. I needed to scrub the files of production labels, and missed a simple replacement. The spoke debug refers to the spoke as br08-edg01.domain.null, ...
Marcin: "You can have different trustpoints with same issuer certificate, no need to use two different CAs." That's the part I needed to hear. Thanks. Have the new certificates installed, but I've encountered difficulty with the hub sending the wrong ce...
Marcin: Thank you for the response, and feedback. Unfortunately, my last reply at Dec 7, 2012 1:15 AM, which contained the solution, and was most likely the one you intended to respond to, wasn't the one that received your generous rating, drawing att...