PKI connection generating HASH error.
12-30-2020 12:49 PM
We are in the midst of a large deployment of an MPLS network, and a phase that will be starting soon is the connection of remote sites via IPsec tunnels, using PKI encryption. This was working in our lab a few months ago, but some of the certificates expired. We are using an IOS router as the CA in the lab. The CA is the device 'gahlab-tt1', the remote is 'cgr1', and the tunnel head end is 'ftw-tt1'. The tunnel is between cgr1 and ftw-tt1. I began to work with the certificates, getting new ones issued, but am stymied by the error message shown below:
Dec 30 15:36:16.905: IKEv2:% Received cert hash is invalid, using configured trustpoints from profile for signing
Any suggestions as to where to look for the source of this error would help a ton!
12-30-2020 01:30 PM
There are two certificates: the CA certificate and the user certificate. I think your CA certificate expired as well, so re-authenticate the CA certificate and try again.
12-30-2020 06:32 PM
I am not sure how you are rolling out your certs, but if you have a large deployment then you should use SCEP enrollment to avoid errors in certificate structure. Also, you need to make sure that the right trustpoint is assigned to the right tunnel.
***** please remember to rate useful posts
01-01-2021 11:53 AM
I ended up removing the certificates from the config and deleting the files in NVRAM, generated a new key for the trustpoint, and then requested new certificates. All is well.
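Pulling the thread's pieces together (the expired CA/router certs, the "make sure the right trustpoint is assigned to the right tunnel" advice, and the re-key/re-enroll fix in the last post), the following IOS CLI sequence is an added example, not configuration posted by anyone in the thread. The trustpoint name LAB-CA, key label LAB-CA-KEY, CA address 10.0.0.1, and profile name IKEV2-PROF are placeholders I assumed for illustration; substitute the names from your own config. It shows how to check which certificate actually expired, wipe the old material, re-enroll over SCEP with a fresh RSA key pair, and confirm that the IKEv2 profile on the tunnel references that trustpoint.

```cisco
! Added example; LAB-CA, LAB-CA-KEY, 10.0.0.1 and IKEV2-PROF are assumed names.

! 1. Find out which certificate is expired. Compare the "Validity Date"
!    lines of BOTH the CA certificate and the router certificate with the
!    router's own clock; an expired CA cert breaks every cert under it.
show clock
show crypto pki certificates LAB-CA
show crypto pki trustpoints status

! 2. Remove the old chain and the key pair it was bound to. IOS also keeps
!    copies of the certificates as files under nvram: (e.g. <hostname>#...CA.cer
!    and <hostname>#....cer); list them and delete any stale copies that remain,
!    as the last post describes.
configure terminal
 no crypto pki certificate chain LAB-CA
 crypto key zeroize rsa LAB-CA-KEY
end
dir nvram:
! delete nvram:<stale-certificate-file>   (one per leftover .cer file)

! 3. Generate a new key pair, bind it to the trustpoint, and re-enroll via SCEP.
!    First fetch and accept the CA certificate (authenticate), then request the
!    router's own certificate (enroll); do this on each peer, cgr1 and ftw-tt1.
configure terminal
 crypto key generate rsa label LAB-CA-KEY modulus 2048
 crypto pki trustpoint LAB-CA
  enrollment url http://10.0.0.1:80
  rsakeypair LAB-CA-KEY
  revocation-check none
 exit
 crypto pki authenticate LAB-CA
 crypto pki enroll LAB-CA
end

! 4. Both tunnel endpoints must sign with a trustpoint the other side trusts.
!    In the debug line "Received cert hash is invalid, using configured
!    trustpoints from profile for signing", the peer's CERTREQ carried CA
!    hashes matching no local trustpoint, so IOS fell back to whatever the
!    profile lists here; make sure that is the freshly enrolled one.
configure terminal
 crypto ikev2 profile IKEV2-PROF
  match identity remote any
  identity local dn
  authentication remote rsa-sig
  authentication local rsa-sig
  pki trustpoint LAB-CA
 exit
end

! 5. Verify: the new certificates' validity range must include "show clock",
!    and the SA should establish with rsa-sig authentication on both sides.
show crypto pki certificates LAB-CA
show crypto ikev2 profile
show crypto ikev2 sa detailed
```

If step 4 still logs the cert-hash message after re-enrollment, check that the CA the head end trusts is the same CA that issued the remote's new certificate; with two trustpoints on a router, `pki trustpoint <name> sign` and `pki trustpoint <name> verify` in the profile let you pin the signing and verifying trustpoints explicitly.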
