CRYPTO-6-IKMP_NO_ID_CERT_FQDN_MATCH

mguzman4158
Level 1

Hello all,

I've been dealing with an issue and I'm getting two different answers from Cisco TAC, so I decided to post it here and see if anyone can help me. I have a 7206VXR (NPE-G2) running Version 12.4(11)T3; this router was crashing once in a while, so TAC recommended upgrading to 12.4-20.T1, which I did, and then all my DMVPN tunnels were bouncing.

My question is about something I noticed in the error logs:

%CRYPTO-6-IKMP_NO_ID_CERT_FQDN_MATCH: ID of rthost1.corp.mydomain.com (type 2) and certificate fqdn with rthost1xx.corp.mydomain.com

I noticed that the router host name has changed since the first time the crypto certificate was created. The host name was changed manually for whatever reason. When the 7206 is on the 12.4(11)T3 version I don't see any FQDN certificate errors, but as soon as I upgraded to the 12.4-20.T1 version I see them and the tunnels bounced. Question: Does it matter that the host name of the router has changed and doesn't match what's under the crypto config, after the tunnels were working fine for a while? One Cisco engineer says it doesn't, the other one says it does. What do you guys think?

This is a spoke site:

Router host name: rthost1

crypto pki trustpoint corp.mydomain.com
 enrollment retry count 5
 enrollment retry period 3
 enrollment url http://X.X.X.X:80
 serial-number none
 fqdn rthost1xx.corp.mydomain.com
 ip-address none
 password
 fingerprint XXXXXXXXXXXXXXXXXX
 subject-name l=NC,c=US
 revocation-check none
 auto-enroll 70


didyap
Level 6

ISAKMP entities assume an identity to inform the peer of their characteristics. The claimed identity did not match the information retrieved from the FQDN of the certificate of the peer.
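A small check for what that log message reports, added here as an example (it is not code from the thread or from Cisco): it parses the %CRYPTO-6-IKMP_NO_ID_CERT_FQDN_MATCH line and compares the router's hostname plus ip domain-name against the fqdn configured under each trustpoint. It assumes the router presents hostname.domain as its FQDN identity (the pattern the poster's log shows); the log and config samples are constructed from the poster's placeholder names.

```python
import re

# Constructed sample input: the syslog line quoted in the post and a trimmed
# spoke config. Hostnames and domains are the poster's placeholders, not real ones.
SAMPLE_LOG = ("%CRYPTO-6-IKMP_NO_ID_CERT_FQDN_MATCH: ID of rthost1.corp.mydomain.com "
              "(type 2) and certificate fqdn with rthost1xx.corp.mydomain.com")
SAMPLE_CONFIG = """\
hostname rthost1
ip domain-name corp.mydomain.com
crypto pki trustpoint corp.mydomain.com
 enrollment url http://X.X.X.X:80
 fqdn rthost1xx.corp.mydomain.com
 revocation-check none
"""

LOG_RE = re.compile(r"%CRYPTO-6-IKMP_NO_ID_CERT_FQDN_MATCH: ID of (?P<ike_id>\S+) "
                    r"\(type (?P<id_type>\d+)\) and certificate fqdn with (?P<cert_fqdn>\S+)")

def parse_mismatch(line):
    """Extract the IKE identity, its ISAKMP ID type (2 = ID_FQDN) and the peer's
    certificate FQDN from one syslog line; None if the line is a different message."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"ike_id": m["ike_id"].lower(), "id_type": int(m["id_type"]),
            "cert_fqdn": m["cert_fqdn"].rstrip(".").lower()}

def audit_trustpoints(config):
    """Build hostname.domain (assumed here to be the FQDN identity the router sends)
    and compare it with the 'fqdn' under every 'crypto pki trustpoint' block.
    Returns {trustpoint: (expected, configured)} for the blocks that disagree."""
    hostname = domain = current = None
    fqdns = {}
    for raw in config.splitlines():
        if raw and not raw[0].isspace():
            current = None            # left the indented trustpoint sub-mode
        line = raw.strip()
        if line.startswith("hostname "):
            hostname = line.split(None, 1)[1]
        elif re.match(r"ip domain[- ]name ", line):   # old and new IOS syntax
            domain = line.split()[-1]
        elif line.startswith("crypto pki trustpoint "):
            current = line.split(None, 3)[3]
        elif current and line.startswith("fqdn "):
            fqdns[current] = line.split(None, 1)[1]
    if not (hostname and domain):
        return {}
    expected = f"{hostname}.{domain}".lower()
    return {tp: (expected, f) for tp, f in fqdns.items() if f.lower() != expected}

if __name__ == "__main__":
    print(parse_mismatch(SAMPLE_LOG))
    print(audit_trustpoints(SAMPLE_CONFIG))
```

Feed it the output of "show running-config" to find trustpoints whose fqdn no longer matches the current hostname before a code upgrade, instead of discovering it from bouncing tunnels.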

Cole
Level 1

I have invalidated a certificate by changing the hostname of a Cisco 891 with the CA being a Microsoft CA.