Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Cisco Community
- :
- About michael.leblanc
08-18-2017
Stats
Member since
04-06-2005
373
Posts
166
Helpful
25
Solutions
Created by
michael.leblanc
in VPN and AnyConnect
in VPN and AnyConnect
12-13-2012
09:18 AM
12-13-2012
09:18 AM
Marcin: Yes, the two Tunnel interfaces (T0, T1), are using the same physical interface as the "tunnel source interface". That is the primary reason that I have pursued the dual certificate configuration, so that I could differentiate the two crypto tunnels. Best Regards, Mike
... View more
Created by
michael.leblanc
in VPN and AnyConnect
in VPN and AnyConnect
12-13-2012
09:16 AM
12-13-2012
09:16 AM
Marcin: The debug statement "Peer matches *none* of the profiles" is expected prior to processing of the CERT payload. I've attached an excerpt from a Cisco document as a reference. I will simplify the cert maps anyways, and reintroduce more complexity after achieving base functionality. Best Regards, Mike
... View more
Created by
michael.leblanc
in VPN and AnyConnect
in VPN and AnyConnect
12-12-2012
12:17 PM
12-12-2012
12:17 PM
Forum: The attachment titled "ISAKMP Debug - Spoke.pdf" contained a typo, as acknowledged in the edit. I needed to scrub the files of production labels, and missed a simple replacement. The spoke debug refers to the spoke as br08-edg01.domain.null, and the hub debug refers to the spoke as sp08-edg01.domain.null. It was the same spoke. I'm attaching a corrected file here titled: "ISAKMP Debug - Spoke (amended).pdf" Sorry for the hassle. Best Regards, Mike
... View more
Created by
michael.leblanc
in VPN and AnyConnect
in VPN and AnyConnect
12-12-2012
11:42 AM
12-12-2012
11:42 AM
Forum: I have a group of routers participating in two parallel NHRP Networks. One of the NHRP networks receives tunnel protection (DMVPN), the other does not. The DMVPN was using certificate maps, and worked well. I want to apply tunnel protection to the second NHRP network, with each router using a different certificate for each DMVPN it participates in. On each router I have defined two new trustpoints (same CA), each referencing different RSA key pairs. The two ISAKMP profiles each reference different trustpoints (same CA), and different certificate maps. The two certificate maps have some common criteria, but differ in the "ou" being matched. At this point, tunnel protection has not been applied to the second NHRP Network, and I've shutdown the DMVPN tunnel interfaces on all spokes, but one. I am trying to bring up a crypto tunnel between the hub and spoke, but I am encountering issues with the hub constructing a CERT payload with the wrong certificate . The certifcate received by the spoke then matches the wrong profile , and the ISAKMP exchange is aborted . Attachments to this post include debugs for the hub and spoke, and a summary of relevant crytpo configs for each. ******* Edit: My appologies for a typo in the file titled: ISAKMP Debug - Spoke.pdf I needed to scrub the files of production labels, and missed a simple replacement. The spoke debug refers to the spoke as br08-edg01.domain.null, and the hub debug refers to the spoke as sp08-edg01.domain.null. It was the same spoke. ******* Further Investigation (best read after familiarizing yourself with the configs) Reminder - Trying to bring up VPN-0, with the correct certificate on each end. When I removed the VPN-1 IPSec and ISAKMP profiles (VPN-1 cert map still present) from the hub, the hub continued to send the wrong cert (vpn-1). When I removed the VPN-1 IPSec and ISAKMP profiles (VPN-1 cert map still present) from the spoke, the tunnel came up, even though the hub sent the wrong cert (vpn-1), and it does not match the VPN-0 cert map on the spoke. Note: Before each attempt, I'm shutting down T0 interfaces, clearing crypto SAs (clear cry sa, clear cry isakmp), removing tunnel protection from T0, verifying SA the database is empty, re-applying tunnel protection, and bringing the T0 interface up, on both devices. I'm trying to get the hub to send the correct certificate (vpn-0). Any thoughts would be welcome. Best Regards, Mike
... View more
Labels:
Created by
michael.leblanc
in VPN and AnyConnect
in VPN and AnyConnect
12-12-2012
11:42 AM
12-12-2012
11:42 AM
Marcin: " You can have different trustpoints with same issuer certificate, no need to use two different CAs. " That's the part I needed to hear. Thanks. Have the new certificates installed, but I've encountered difficulty with the hub sending the wrong certificate . I think the issue is attributable to the device's inability to accommodate the common CA, or a deficiency in my configuration(s). I'm going to initiate a new discussion titled: DMVPN - Constructing a CERT payload with the wrong certificate. Best Regards, Mike
... View more
Created by
michael.leblanc
in VPN and AnyConnect
in VPN and AnyConnect
12-07-2012
09:58 AM
12-07-2012
09:58 AM
Marcin: Thank you for the response, and feedback. Unfortunately, my last reply at Dec 7, 2012 1:15 AM, which contained the solution, and was most likely the one you intended to respond too, wasn't the one that received your generous rating, drawing attention away from it. I thought I was doing a good thing by replying to your inquiry about the NTP peering, rather than the most recent reply in the thread. Haven't participated here for a while, so I'm not sure if there is a common practice that is adhered to. Am I generally better off just replying to the last reply in a thread, rather than inserting it where I think it might best fit? Also noticed that as the initiator of the post, I'm unable to mark the thread as answered, because the solution is within one of my own replies. If you wanted to generate a reply that references the panel containing the solution (Dec 7, 2012 1:15 AM), I'll use the "Correct Answer" on it, so that the thread gets tagged accordingly. Best Regards, Mike
... View more
Created by
michael.leblanc
in VPN and AnyConnect
in VPN and AnyConnect
12-06-2012
10:15 PM
12-06-2012
10:15 PM
As mentioned earlier in the post – “The dynamic entries in the caches of the NHRP Spokes were behaving differently. These expired every 120 min. (default holdtime), without being refreshed .” According to the Cisco document titled " Configuring NHRP ": “Each time a data packet is switched using an NHRP mapping entry, the “used” flag is set on the mapping entry. Then when the NHRP background process runs (every 60 seconds) the following actions occur:” The list of actions depend on the switching path (Process Switching vs. CEF Switching). Additional reading established that the opportunity to “refresh” the mapping entry occurs when the expire time is less than or equal to 120 seconds . With the background process only taking action every 60 seconds, there is a small window of opportunity to avoid expiration when spoke-to-spoke traffic is modest. We were counting on NTP peering between the spokes to maintain the tunnels . However, once the NTP peers have exchanged packets for a while the NTP polling interval extends well beyond the ~ 120 second window of opportunity to refresh the dynamic NHRP mapping entries. Without doubt, the spoke-to-spoke tunnels have been coming down per the syslog entries (%CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN.), during periods of modest, or no spoke-to-spoke traffic. Marcin: Per your last inquiry, I did confirm that NTP was using the crypto tunnel path on the NHRP network in question, at least during the period of observation. The SLA probe used in your earlier response seems like a sensible solution . Thank you for your participation in this post. Best Regards, Mike P.S.: Haven't forgotten about your participation in my other post titled “Installing 2nd Certificate from the same CA.” After getting a chance to explore it further, I'll get back to you.
... View more
Created by
michael.leblanc
in VPN and AnyConnect
in VPN and AnyConnect
12-06-2012
08:09 AM
12-06-2012
08:09 AM
Gurpreet: Thank you for the response. I suspect the entries you are referring to would be "static" entries for the "NHRP Server", rather than "dynamic" entries for the "spokes". Spoke-A # sh ip nhrp <Spoke-B-Tunnel-IP-addr>/32 via , Tunnel0 created 00:23:07, expire 00:06:56 Type: dynamic, Flags: router NBMA address: <Spoke-B-Global-IP-addr> <NHRP-Server-Tunnel-IP-addr>/32 via , Tunnel0 created 08:54:42, never expire Type: static, Flags: used NBMA address: <NHRP-Server-Global-IP-addr> Per the Cisco document "How to Configure NHRP": ip nhrp registration timeout 120 Changes the interval that NHRP NHCs send NHRP registration requests to configured NHRP NHSs. The NHRP registration requests are now sent every 120 seconds (default value is one third NHRP holdtime value). Observation, with the following parameters: ip nhrp holdtime 1800 ip nhrp registration timeout 300 The expiry timers for the dynamic (spoke) entries (as observed on the NHRP Server) count down from 30 min., to 25 min., and are reset to 30 min. when the next registration request arrives. Marcin's last response requires some investigation. A second (non-crypto) tunnel does exist, and load sharing would be occurring. I've expected there to be enough NTP traffic to keep the crypto tunnel up, but I need to determine whether that is actually occurring. Thank you for your interest in this post, Gurpreet. Best Regards Mike
... View more
Created by
michael.leblanc
in VPN and AnyConnect
in VPN and AnyConnect
12-06-2012
12:44 AM
12-06-2012
12:44 AM
Marcin: Our DMVPN spokes are NTP peers, so we expect the spoke-to-spoke crypto tunnels to stay up, as they did today. Best Regards, Mike
... View more
Created by
michael.leblanc
in VPN and AnyConnect
in VPN and AnyConnect
12-05-2012
11:49 PM
12-05-2012
11:49 PM
Marcin: Noticed that a few of the DMVPN spokes are limited in terms of options for the ISAKMP Profile "self-identity" command. They allow specification of "fqdn", but without the ability to specify a "specific" fqdn. Am I correct in believing that these routers would not support more than one certificate (each from a different CA)? Note: We're currently matching certificate maps in ISAKMP profiles, and were looking to use different certificates for different cryptographic goals. Best Regards, Mike
... View more
Created by
michael.leblanc
in VPN and AnyConnect
in VPN and AnyConnect
12-05-2012
10:58 PM
12-05-2012
10:58 PM
Marcin: Thank you for your repsonse. I've reviewed our syslog files and determined that it was only spoke-to-spoke crypto tunnels that were bouncing on a two hour interval. However, during my observations today, I did not witness any bouncing of the spoke-to-spoke crypto tunnels. The dynamic entries in the NHRP Server's cache (show ip nhrp) were being refreshed every 40 minutes (1/3 of the default 120 min. holdtime), as expected. The dynamic entries in the caches of the NHRP Spokes were behaving differently. These expired every 120 min. (default holdtime) without being refreshed. I'm not sure if this behavior is normal. ISAKMP phase I and phase II SAs were renegotiated successfully according to their configured lifetimes, independent of NHRP dynamics. At this time, I do not know why the symptom prominently recorded in recent syslog files was not occurring today. Your response prompted me to take a look at some of the command references. As a result, I decided to incorporate the following: ip nhrp holdtime 1800 ip nhrp registration no-unique ip nhrp registration timeout 300 I'll monitor the routers to see if the symptom returns, and if so, whether the interval corresponds with the new holdtime. Thanks for your interest in my posting. Best Regards, Mike
... View more
Created by
michael.leblanc
in VPN and AnyConnect
in VPN and AnyConnect
12-05-2012
10:50 PM
12-05-2012
10:50 PM
Marcin: Thank you for your repsonse. The existing CA is a repurposed Cisco 800 series router, residing on a server VLAN. We were hoping to sidestep the provisioning of a second CA, and the resources it would consume (rack space, power consumption, etc.). We'll repurpose the next available router as a secondary CA. With regard to your statement "The trustpoint, as a container, can have only one identity cert + one CA cert at a time, everything else requires chaining (on IOS).", I presume that the output of "sh crypto pki trustpoints status" represents the "one identity cert + one CA cert" contained by the trustpoint. router# sh crypto pki trustpoints status Trustpoint ca.domain.null: Issuing CA certificate configured: Subject Name: cn=ca.domain.null Fingerprint MD5: HexBlock HexBlock HexBlock HexBlock Fingerprint SHA1: HexBlock HexBlock HexBlock HexBlock HexBlock Router General Purpose certificate configured: Subject Name: hostname=router.domain.null,c=CA,st=State,l=City,o=Company,ou=new-1,ou=new-1,cn=router.domain.null Fingerprint MD5: HexBlock HexBlock HexBlock HexBlock Fingerprint SHA1: HexBlock HexBlock HexBlock HexBlock HexBlock Next enrollment attempt: 11:05:03 EDT Apr 12 2013 * A new key will be generated * * Configuration will not be saved after enrollment * State: Keys generated ............. Yes (General Purpose, exportable) Issuing CA authenticated ....... Yes Certificate request(s) ..... Yes Open to comments. Best Regards, Mike
... View more
Created by
michael.leblanc
in VPN and AnyConnect
in VPN and AnyConnect
12-04-2012
01:47 PM
12-04-2012
01:47 PM
The ISAKMP SA lifetime for one of our DMVPNs is set to ~ 24 hours in the following ISAKMP policy: crypto isakmp policy 3 encr 3des group 2 lifetime 86399 Despite this, the Crytpo tunnels go down every 2 hours . They come back up after about 4 seconds. We have performed the following: Administratively shutdown the Crytpo tunnel interface (Tunnel0) Cleared out the SA database Issued the "sh ip nhrp" to verify that the NHRP database is empty Brought the Crytpo tunnel interface (Tunnel0) up Re-issued the "sh ip nhrp" command NHRP-Server# sh ip nhrp <spoke-tunnel-ip-addr>/32 via <spoke-tunnel-ip-addr> Tunnel0 created 00:00:18 , expire 01:59:41 Type: dynamic, Flags: unique registered used NBMA address: <spoke-global-ip-addr> ...output trimmed for brevity. Note: We see Tunnel0 was just created , and due to expire in 2 hours . NHRP commands available on the Tunnel0 interface are as follows: NHRP-Server(config)# int t0 NHRP-Server(config-if)# ip nhrp ? authentication Authentication string cache NHRP Cache related commands. group NHRP group name holdtime Advertised holdtime interest Specify an access list map Map dest IP addresses to NBMA addresses max-send Rate limit NHRP traffic network-id NBMA network identifier nhs Specify a next hop server record Allow NHRP record option redirect Enable NHRP redirect traffic indication registration Settings for registration packets. responder Responder interface server-only Disable NHRP requests shortcut Enable shortcut switching trigger-svc Create NHRP cut-through based on traffic load use Specify usage count for sending requests What determines this 2 hour interval, and where can it be configured? Any thoughts or solutions would be welcome. Best Regards, Mike
... View more
Labels:
Created by
michael.leblanc
in VPN and AnyConnect
in VPN and AnyConnect
12-04-2012
12:35 PM
12-04-2012
12:35 PM
Trying to install a second certificate issued by the same Certificate Authority (CA). However, the new certificate replaces it's predecessor . Original Certificate Enrollment Config: crypto pki trustpoint ca.domain.null enrollment url http://ca.domain.null:80 usage ike ip-address none fingerprint <removed-for-forum-post> subject-name c=CA, st=State, l=City, o=Company, ou=old-1 , ou=old-2 , cn=router.domain.null revocation-check crl source interface Loopback0 rsakeypair router.domain.null 1024 auto-enroll 90 regenerate Amendments to Certificate Enrollment Config: crypto pki trustpoint ca.domain.null subject-name c=CA, st=State, l=City, o=Company, ou=new-1 , ou=new-2 , cn=vpn-1.router.domain.null , hostname=vpn-1.router.domain.null rsakeypair vpn-1.router.domain.null 1024 Note: Amended Organizational Unit (ou) fields. Note: Specified a different Common Name (prepended "vpn-1"). Note: Tried with and without "hostname=vpn-1.router.domain.null". Note: Specified a different RSA keypair. Enrollment for Second Certificate (same CA): router(config)#crypto pki enroll ca.domain.null % % Start certificate enrollment .. % Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate. For security reasons your password will not be saved in the configuration. Please make a note of it. Password: Re-enter password: % The subject name in the certificate will include: c=CA, st=State, l=City, o=Company, ou=new-1 , ou=new-2 , cn=vpn-1.router.domain.null, hostname=vpn-1.router.domain.null % The subject name in the certificate will include: router.domain.null % Include the router serial number in the subject name? [yes/no]: n Request certificate from CA? [yes/no]: y % Certificate request sent to Certificate Authority % The 'show crypto pki certificate verbose ca.domain.null' command will show the fingerprint. Note: Statement above indicates "% The subject name in the certificate will include: router.domain.null". Note: The new certificate is created with the same name as the original certificate, and replaces it. New Certificate: router(config)#do sh crypto pki certificate Certificate Status: Available Certificate Serial Number (hex): 23 Certificate Usage: General Purpose Issuer: cn=ca.domain.null Subject: Name: router.domain.null hostname=router.domain.null c=CA st=State l=City o=Company ou= new-1 ou= new-2 cn=vpn-1.router.domain.null hostname= vpn-1.router.domain.null CRL Distribution Points: http://ca.domain.null/cgi-bin/pkiclient.exe?operation=GetCRL Validity Date: start date: 14:10:41 EST Dec 4 2012 end date: 04:24:14 EDT Jul 15 2013 renew date: 22:16:52 EDT Jun 22 2013 Associated Trustpoints: ca.domain.null Note: The following remain the same when the new certificate is created, despite the subject-name input provided: Subject: Name: router.domain.null hostname=router.domain.null The original certificate is overwritten with the new one, and is not to be found in the "sh crypto pki certificate" output. Any thoughts or solutions on how to successfully install a second certificate issued from the same CA would be welcome. Best Regards, Mike
... View more
Labels:
10-20-2010
02:08 PM
yjdabear: Thank you for the informative response. Best Regards, Mike
... View more
Created by
michael.leblanc
in VPN and AnyConnect
12-13-2012
12-13-2012
Marcin:Yes, the two Tunnel interfaces (T0, T1), are using the same
physical interface as the "tunnel...
Created by
michael.leblanc
in VPN and AnyConnect
12-13-2012
12-13-2012
Marcin:The debug statement "Peer matches *none* of the profiles" is
expected prior to processing of ...
Created by
michael.leblanc
in VPN and AnyConnect
12-12-2012
12-12-2012
Forum:The attachment titled "ISAKMP Debug - Spoke.pdf" contained a typo,
as acknowledged in the edit...
Created by
michael.leblanc
in VPN and AnyConnect
12-12-2012
12-12-2012
Forum:I have a group of routers participating in two parallel NHRP
Networks. One of the NHRP network...
Created by
michael.leblanc
in VPN and AnyConnect
12-12-2012
12-12-2012
Marcin:"You can have different trustpoints with same issuer certificate,
no need to use two differen...
Created by
michael.leblanc
in VPN and AnyConnect
12-07-2012
12-07-2012
Marcin:Thank you for the response, and feedback.Unfortunately, my last
reply at Dec 7, 2012 1:15 AM,...
Created by
michael.leblanc
in VPN and AnyConnect
12-06-2012
12-06-2012
As mentioned earlier in the post – “The dynamic entries in the caches of
the NHRP Spokes were behavi...
Created by
michael.leblanc
in VPN and AnyConnect
12-06-2012
12-06-2012
Gurpreet:Thank you for the response.I suspect the entries you are
referring to would be "static" ent...
Created by
michael.leblanc
in VPN and AnyConnect
12-06-2012
12-06-2012
Marcin:Our DMVPN spokes are NTP peers, so we expect the spoke-to-spoke
crypto tunnels to stay up, as...
Created by
michael.leblanc
in VPN and AnyConnect
12-05-2012
12-05-2012
Marcin:Noticed that a few of the DMVPN spokes are limited in terms of
options for the ISAKMP Profile...
Created by
michael.leblanc
in VPN and AnyConnect
12-05-2012
12-05-2012
Marcin:Thank you for your repsonse.I've reviewed our syslog files and
determined that it was only sp...
Created by
michael.leblanc
in VPN and AnyConnect
12-05-2012
12-05-2012
Marcin:Thank you for your repsonse.The existing CA is a repurposed Cisco
800 series router, residing...
Created by
michael.leblanc
in VPN and AnyConnect
12-04-2012
12-04-2012
The ISAKMP SA lifetime for one of our DMVPNs is set to ~ 24 hours in the
following ISAKMP policy:cry...
Created by
michael.leblanc
in VPN and AnyConnect
12-04-2012
12-04-2012
Trying to install a second certificate issued by the same Certificate
Authority (CA). However, the n...
Public Statistics
| Date Registered | 04-06-2005 09:02 AM |
| Date Last Visited | 08-18-2017 03:53 AM |
| Total Messages Posted | 373 |
| Total Helpful Votes Received | 166 |
Helpful Votes From
| User | Helpful Count |
|---|---|
| 5 | |
| 5 | |
| 8 | |
| 5 | |
| 5 |
.jpg "Hall of Fame Expert"){kind=icon}
