12-16-2010 04:10 AM
Deploying a VPN with PKI and CRL check fails:
ip domain name vrf my_vrf mydom.local
ip domain name mydom.local
ip name-server vrf my_vrf 10.15.15.15
crypto pki trustpoint my_ca
enrollment mode ra
enrollment url http://1.1.1.28:80/certsrv/mscep/mscep.dll
serial-number
vrf my_vrf
revocation-check crl
Dec 16 12:08:53.133: %CRYPTO-5-GM_REGSTER: Start registration to KS 80.162.153.21 for group getvpn using address 80.162.153.1
Translating "crl.server.tld"...domain server (255.255.255.255)
Translating "crl2.server.tld"...domain server (255.255.255.255)
Dec 16 12:08:54.629: %CRYPTO-4-IKMP_NO_SA: IKE message from 80.162.153.21 has no SA and is not an initialization offer
Dec 16 12:08:55.061: %PKI-4-CRL_LDAP_QUERY: An attempt to retrieve the CRL using LDAP has failed
Any ideas?
12-16-2010 07:47 AM
Could you try removing the vrf from the trust-point and then validating the cert?
12-19-2010 11:58 PM
I removed the vrf. I get this now:
.Dec 20 07:55:59.631: ISAKMP:(2015): using the my_ca trustpoint's keypair to sign
.Dec 20 07:55:59.631: ISAKMP:(2015): keypair not found
and
%PKI-4-CRL_LDAP_QUERY: An attempt to retrieve the CRL using LDAP has failed
.Dec 20 07:48:50.662: %PKI-3-SOCKETSELECT: Failed to select the socket.
and
.Dec 20 08:34:59.341: CRYPTO_PKI: locked trustpoint my_ca, refcount is 2
.Dec 20 08:34:59.341: CRYPTO_PKI: can not resolve server name/IP address
.Dec 20 08:34:59.341: CRYPTO_PKI: Using unresolved IP Address 1.1.1.28
.Dec 20 08:34:59.345: CRYPTO_PKI: http connection opened
.Dec 20 08:34:59.345: CRYPTO_PKI: Sending HTTP message
.Dec 20 08:34:59.345: CRYPTO_PKI: Reply HTTP
header:
HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: 1.1.1.28
CRYPTO_PKI: Bypassing SCEP capabilies request 40000000
.Dec 20 08:34:59.349: CRYPTO_PKI: locked trustpoint my_ca, refcount is 1
.Dec 20 08:35:04.345: %PKI-3-SOCKETSELECT: Failed to select the socket.
12-20-2010 12:02 AM
Also still broadcasting the NS lookup for the CRL check...
12-30-2014 07:44 AM
Hi everybody.
I have the same problem but I don't have vrf.
Has someone found the solution to this problem?
12-16-2010 07:50 AM
And what platform and image is the device running?
12-16-2010 10:09 AM
The devices I use are:
1712
871
Both with IOS version 124-15.T14
I'll try removing the vrf under the trustpoint, but the reason I put the vrf there in the first place, was that I had difficulties enrolling the routers. Could be that the router didn't like my previous enrollment url that had a hostname in it. Had to change that to an ip address. Even tried with a static ip host mapping of it.
But, I'll give it a go with removing the vrf. Report back as soon as I've tested it.
Thank you for the suggestion.
Best regards,
/JZN
12-16-2010 10:20 AM
Well, your first issue might be because of this defect.
12-20-2010 12:15 AM
I tried with static host -> ip mappings, but that didn't work either.
Please have a look at my attachment for one of the DMVPNoGETVPN Hub routers config.
Thank you.
01-24-2011 01:41 AM
OK, so I found a couple of 1812 with c181x-advipservicesk9-mz.124-24.T4.bin
hostname myhost
ip domain name vrf my_vrf my.dom
ip domain name my.dom
ip name-server vrf my_vrf 10.145.80.11
ip domain-lookup
!
crypto pki trustpoint my_ca
enrollment mode ra
enrollment url http://myca.my.dom:80/certsrv/mscep/mscep.dll
serial-number
vrf my_vrf
revocation-check none
myhost(config)#crypto pki authenticate my_ca
Translating "myca.my.dom"...domain server (255.255.255.255)
% Error in receiving Certificate Authority certificate: status = FAIL, cert length = 0
myhost#ping vrf my_vrf myca.my.dom
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
Any explanation?
Thanks,
/JZN
03-02-2012 08:29 AM
try putting this in:
ip host vrf my_vrf myca.my.dom 10.1.1.2
And then re-run the authenticate command.
03-03-2012 04:14 AM
I did this:
ip domain-lookup source-int lo1 (which is in the vrf)
ip host myca.my.dom 10.1.1.2
This worked (as described in the bug report), but it defeats the whole idea of relying on DNS to resolve the hostname.
This isn't the only issue I have with VRF and domain lookups. Try to do DDNS on a VRF'ed interface, and see if you can do that?
I'd be more than glad to see that config.
Thanks for the input.
BR,
/JZ
03-02-2012 03:54 AM
I'm still seeing this issue. Running 12.4(24)T6 now.
I'm about to roll out a lot of sites with DMVPN and want to use SCEP for enrollment. How do I make authenticating a trustpoint and obtaining a certificate possible in a VRF?
Thank you.
Best regards,
/JZ
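A log-triage script, added here as an example (not from the thread or from Cisco), that scans the kind of IOS output quoted in the posts above and flags the two signatures this thread turns on: a lookup that went to 255.255.255.255 (no name server reachable from the routing table the PKI client used) and the CRL/SCEP failures that follow. The sample lines are reconstructed from the posts; the function names and finding text are my own.

```python
import re

# Sample input constructed from the debug output quoted in this thread.
SAMPLE_LOG = """\
Dec 16 12:08:53.133: %CRYPTO-5-GM_REGSTER: Start registration to KS 80.162.153.21 for group getvpn using address 80.162.153.1
Translating "crl.server.tld"...domain server (255.255.255.255)
Translating "crl2.server.tld"...domain server (255.255.255.255)
Dec 16 12:08:55.061: %PKI-4-CRL_LDAP_QUERY: An attempt to retrieve the CRL using LDAP has failed
.Dec 20 08:34:59.341: CRYPTO_PKI: can not resolve server name/IP address
.Dec 20 08:35:04.345: %PKI-3-SOCKETSELECT: Failed to select the socket.
"""

TRANSLATING = re.compile(r'Translating "([^"]+)"\.\.\.domain server \(([\d.]+)\)')
SYSLOG_ID = re.compile(r'%([A-Z_]+)-(\d)-([A-Z_]+)')
BROADCAST = "255.255.255.255"  # IOS falls back to broadcast when no name server applies


def parse_lookups(log_text):
    """Return [(hostname, dns_server)] for every 'Translating ...' line."""
    return TRANSLATING.findall(log_text)


def triage(log_text):
    """Classify IOS PKI/DNS output and return findings a defender can act on."""
    lookups = parse_lookups(log_text)
    broadcast = sorted({host for host, server in lookups if server == BROADCAST})
    ids = {f"{fac}-{sev}-{mn}" for fac, sev, mn in SYSLOG_ID.findall(log_text)}
    crl_failed = "PKI-4-CRL_LDAP_QUERY" in ids
    unresolved = "can not resolve server name/IP address" in log_text
    findings = []
    if broadcast:
        findings.append(
            "lookup for %s was broadcast to 255.255.255.255: no name server is "
            "reachable from the table the PKI client used; check 'ip name-server vrf', "
            "'ip domain lookup source-interface', or pin the name with 'ip host vrf'"
            % ", ".join(broadcast))
    if crl_failed:
        findings.append("CRL download failed: with 'revocation-check crl' the peer "
                        "certificate is rejected, so IKE will not complete")
    if unresolved:
        findings.append("CA/SCEP server name could not be resolved; enrollment and "
                        "CRL fetch cannot proceed")
    return {"broadcast_lookups": broadcast, "crl_failed": crl_failed,
            "unresolved_server": unresolved, "findings": findings}


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG)["findings"]:
        print("-", finding)
```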