ipsec error (to get local certificate and keypair from cache)

MrBeginner
Spotlight

hi,

I have a hub-and-spoke IPsec tunnel. It has been stable for about a year, but suddenly one tunnel is down. The other tunnels have no issue. There has been no change in the configuration either.

When I debug the error, I get the messages below.

Error: to get local certificate and keypair from cache.

Error: Failed to get the certificate and key by certificate request.

I already checked that the cert and CA are not expired yet. I upgraded the firmware, but that did not solve it. Last time, about a year ago, I got this issue and I recreated the cert and installed it. After that the issue was fixed, but I don't know the root cause. Let me know how to troubleshoot it.

Accepted Solution

Using NTP and having the time/date synched up on all the involved devices is essential, however, setting the time/date manually can also be a last resort option. Interesting that even after you synched up the time the tunnel did not come up. Because of this, I don't believe the issue was related to that skew in this case. To be able to dig deeper into this, I would need some debugs while you were trying to enable the tunnel to try to spot any potential root cause, but I think now it is too late as you regenerated the new certs and the tunnel is up.


6 Replies

balaji.bandi
Hall of Fame

We need more information, the cert and the config, to look at.

Or here are some steps to diagnose it:

https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/215118-ios-self-signed-certificate-expiration-o.html

BB

How do the time/date look on the devices?

Hi,

The date and time are the same.

MrBeginner
Spotlight

Hi @balaji.bandi @Aref Alsouqi ,

Sorry, my fault. The time is different: it differs by 30 minutes from the hub router's time. But when I manually changed the time to match the hub router, the tunnel was still down. So I created a new cert and installed it, and pointed the cert map to the new cert. After that the tunnel came up.

After the tunnel came up, I checked the NTP server. The NTP server was not working on both the hub and the spoke. I have already fixed the NTP service as well.

So let me know, could my issue be related to the NTP issue?

If yes, let me know how it is related. If it is an NTP issue, can I fix it by manually changing the time?

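Added example, not from the original thread and not Cisco's code: a small Python model of the certificate validity check that each IKE peer performs against its own clock. It backs the accepted answer's reasoning that a 30-minute skew does not by itself reject an identity certificate that has been valid for months, and it also shows the case where skew does break things: a certificate renewed minutes ago on a CA whose clock is ahead of the validating peer, which that peer sees as "not yet valid". The certificate names, dates and the 30-minute offset are constructed for the example; real IKE validation also checks signatures, revocation and the trustpoint, which this model leaves out.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


# Constructed model of an X.509 validity window (hypothetical, not a real cert).
@dataclass(frozen=True)
class Cert:
    name: str
    not_before: datetime
    not_after: datetime


def check_validity(cert: Cert, validator_clock: datetime) -> str:
    """Verdict for one certificate as judged by the validator's own clock.

    A peer never uses the issuer's or the other peer's notion of time; it
    compares its local clock with the notBefore/notAfter window.
    """
    if validator_clock < cert.not_before:
        return "not-yet-valid"
    if validator_clock > cert.not_after:
        return "expired"
    return "ok"


def validate_chain(chain, validator_clock: datetime):
    """Check every certificate in a chain (CA plus identity cert).

    Returns (overall_ok, {cert_name: verdict}).
    """
    verdicts = {c.name: check_validity(c, validator_clock) for c in chain}
    return all(v == "ok" for v in verdicts.values()), verdicts


def peer_checks(hub_chain, spoke_chain, hub_clock, spoke_clock):
    """Both directions of an IKE certificate exchange.

    The hub validates the spoke's chain with the hub clock and the spoke
    validates the hub's chain with the spoke clock, so a skew only matters
    relative to the other side's certificate dates.
    """
    return {
        "hub_validates_spoke": validate_chain(spoke_chain, hub_clock),
        "spoke_validates_hub": validate_chain(hub_chain, spoke_clock),
    }


# --- constructed sample PKI: hypothetical names and dates, not from the thread ---
UTC = timezone.utc
CA = Cert("lab-ca", datetime(2020, 1, 1, tzinfo=UTC), datetime(2030, 1, 1, tzinfo=UTC))


def _id_cert(name, issued):
    # One-year identity certificate, as a typical router enrollment would get.
    return Cert(name, issued, issued + timedelta(days=365))


HUB_CLOCK = datetime(2023, 9, 1, 12, 0, tzinfo=UTC)
SKEW = timedelta(minutes=30)        # spoke runs 30 minutes behind the hub
SPOKE_CLOCK = HUB_CLOCK - SKEW


def scenario_long_lived_certs():
    """Both identity certs were issued months ago: the 30-minute skew is harmless."""
    issued = datetime(2023, 3, 1, tzinfo=UTC)
    hub_chain = [CA, _id_cert("hub-id", issued)]
    spoke_chain = [CA, _id_cert("spoke-id", issued)]
    return peer_checks(hub_chain, spoke_chain, HUB_CLOCK, SPOKE_CLOCK)


def scenario_freshly_renewed_hub_cert():
    """Hub cert re-issued just now by a CA on hub time: the spoke, 30 minutes
    behind, sees a notBefore in its own future and rejects the hub's cert."""
    hub_chain = [CA, _id_cert("hub-id", HUB_CLOCK)]
    spoke_chain = [CA, _id_cert("spoke-id", datetime(2023, 3, 1, tzinfo=UTC))]
    return peer_checks(hub_chain, spoke_chain, HUB_CLOCK, SPOKE_CLOCK)


if __name__ == "__main__":
    for label, fn in (("long-lived certs", scenario_long_lived_certs),
                      ("freshly renewed hub cert", scenario_freshly_renewed_hub_cert)):
        print(label)
        for direction, (ok, verdicts) in fn().items():
            print(f"  {direction}: {'ok' if ok else 'FAIL'} {verdicts}")
```

Running the block prints both scenarios: in the first, both directions pass, so a 30-minute offset on year-old certificates cannot explain the outage on its own; in the second, only the spoke's check of the hub's just-renewed certificate fails with "not-yet-valid". Note that the error lines in the original post ("to get local certificate and keypair from cache") concern the router's own certificate and key lookup, which this model does not cover; it only illustrates the skew argument from the accepted answer.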