revocation-check crl lookup fails

Jacob Zartmann
Level 1

Deploying a VPN with PKI, and the CRL check fails:


ip domain name vrf my_vrf mydom.local
ip domain name mydom.local
ip name-server vrf my_vrf 10.15.15.15

crypto pki trustpoint my_ca
enrollment mode ra
enrollment url http://1.1.1.28:80/certsrv/mscep/mscep.dll
serial-number
vrf my_vrf
revocation-check crl

Dec 16 12:08:53.133: %CRYPTO-5-GM_REGSTER: Start registration to KS 80.162.153.21 for group getvpn using address 80.162.153.1

Translating "crl.server.tld"...domain server (255.255.255.255)

Translating "crl2.server.tld"...domain server (255.255.255.255)

Dec 16 12:08:54.629: %CRYPTO-4-IKMP_NO_SA: IKE message from 80.162.153.21 has no SA and is not an initialization offer

Dec 16 12:08:55.061: %PKI-4-CRL_LDAP_QUERY: An attempt to retrieve the CRL using LDAP has failed

Any ideas?

12 Replies

rahgovin
Level 4

Could you try removing the vrf from the trustpoint and then validating the cert?

I removed the vrf. I get this now:


.Dec 20 07:55:59.631: ISAKMP:(2015): using the my_ca trustpoint's keypair to sign
.Dec 20 07:55:59.631: ISAKMP:(2015): keypair not found

and

%PKI-4-CRL_LDAP_QUERY: An attempt to retrieve the CRL using LDAP has failed
.Dec 20 07:48:50.662: %PKI-3-SOCKETSELECT: Failed to select the socket.

and


.Dec 20 08:34:59.341: CRYPTO_PKI: locked trustpoint my_ca, refcount is 2
.Dec 20 08:34:59.341: CRYPTO_PKI: can not resolve server name/IP address
.Dec 20 08:34:59.341: CRYPTO_PKI: Using unresolved IP Address 1.1.1.28
.Dec 20 08:34:59.345: CRYPTO_PKI: http connection opened
.Dec 20 08:34:59.345: CRYPTO_PKI: Sending HTTP message

.Dec 20 08:34:59.345: CRYPTO_PKI: Reply HTTP
header:
HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: 1.1.1.28

CRYPTO_PKI: Bypassing SCEP capabilies request 40000000
.Dec 20 08:34:59.349: CRYPTO_PKI: locked trustpoint my_ca, refcount is 1
.Dec 20 08:35:04.345: %PKI-3-SOCKETSELECT: Failed to select the socket.

Also still broadcasting the NS lookup for the CRL check...

Hi everybody.

I have the same problem, but I don't have a vrf.

Has anyone found the solution to this problem?

rahgovin
Level 4

And what platform and image is the device running?

The devices I use are:

1712

871

Both with IOS version 12.4(15)T14.

I'll try removing the vrf under the trustpoint, but the reason I put the vrf there in the first place was that I had difficulties enrolling the routers. Could be that the router didn't like my previous enrollment url, which had a hostname in it. I had to change that to an IP address. I even tried with a static ip host mapping of it.

But I'll give it a go with removing the vrf. I'll report back as soon as I've tested it.

Thank you for the suggestion.

Best regards,

/JZN

I tried with static host -> IP mappings, but that didn't work either.

Please have a look at my attachment for one of the DMVPNoGETVPN Hub routers config.

Thank you.

OK, so I found a couple of 1812s with c181x-advipservicesk9-mz.124-24.T4.bin:

hostname myhost
ip domain name vrf my_vrf my.dom
ip domain name my.dom
ip name-server vrf my_vrf 10.145.80.11
ip domain-lookup

!

crypto pki trustpoint my_ca
enrollment mode ra
enrollment url http://myca.my.dom:80/certsrv/mscep/mscep.dll
serial-number
vrf my_vrf
revocation-check none

myhost(config)#crypto pki authenticate my_ca
Translating "myca.my.dom"...domain server (255.255.255.255)

% Error in receiving Certificate Authority certificate: status = FAIL, cert length = 0

myhost#ping vrf my_vrf myca.my.dom

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Any explanation?

Thanks,

/JZN

Try putting this in:

ip host vrf my_vrf myca.my.dom 10.1.1.2

And then re-run the authenticate command. 

I did this:

ip domain-lookup source-int lo1 (which is in the vrf)

ip host myca.my.dom 10.1.1.2

This worked (as described in the bug report), but it defeats the whole idea of relying on DNS to resolve the hostname.

This isn't the only issue I have with VRF and domain lookups. Try to do DDNS on a VRF'ed interface and see if you can do that.

I'd be more than glad to see that config.

Thanks for the input.

BR,

/JZ
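As an added example (not a config from the thread or from any of the posters), the pattern the thread converges on for a trustpoint that lives in a VRF on 12.4(24)T, pulled together in one place. The debug output in the thread shows the trustpoint's name lookups going out as broadcasts (domain server 255.255.255.255) even though a name-server is configured for the VRF, so the example both sources the lookup from an interface inside the VRF and pins the names the trustpoint and the CRL distribution points need. Interface names, the VRF RD, the loopback address and the CDP-to-10.1.1.2 mapping are assumptions; the host names and the 10.1.1.2 address are the thread's own placeholders.

```cisco
! Added example, not from the thread. Names, RD, interface and addresses are assumed.
!
! 1. DNS reachable inside the VRF (the part the original post already had)
ip vrf my_vrf
 rd 1:1
!
ip name-server vrf my_vrf 10.145.80.11
ip domain name vrf my_vrf my.dom
ip domain lookup
!
! 2. Source the router's own lookups from an interface that sits in the VRF,
!    so a lookup that is not VRF-aware still leaves through the VRF
interface Loopback1
 ip vrf forwarding my_vrf
 ip address 10.1.1.254 255.255.255.255      ! assumed address
!
ip domain lookup source-interface Loopback1
!
! 3. Pin every name the PKI code has to resolve, so enrollment and the CRL
!    fetch work even if step 2 is not honoured (the workaround the thread used).
!    crl.server.tld / crl2.server.tld are the CDP names from the original log;
!    mapping them to the CA host is an assumption, check the CDP in the CA cert.
ip host myca.my.dom 10.1.1.2
ip host crl.server.tld 10.1.1.2
ip host crl2.server.tld 10.1.1.2
!
crypto pki trustpoint my_ca
 enrollment mode ra
 enrollment url http://myca.my.dom:80/certsrv/mscep/mscep.dll
 serial-number
 vrf my_vrf
 revocation-check crl
!
! Verification, from exec mode:
! ping vrf my_vrf myca.my.dom          name resolves and the CA answers inside the VRF
! crypto pki authenticate my_ca        CA certificate is fetched; compare the fingerprint before accepting
! crypto pki enroll my_ca              SCEP enrollment through the RA
! show crypto pki certificates my_ca   router and CA certificates present
! show crypto pki crls                 CRL cached once a peer certificate has been validated
```

Keep `revocation-check crl` once enrollment works. Dropping to `revocation-check none` (as in the thread's enrollment test) or `revocation-check crl none` means a revoked peer certificate is still accepted, which removes the one control a CRL gives you; use it only while proving that enrollment itself works, and confirm with `show crypto pki crls` that the CRL is actually being retrieved before putting the site into service.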

I'm still seeing this issue. Running 12.4(24)T6 now.

I'm about to roll out a lot of sites with DMVPN and want to use SCEP for enrollment. How do I make authenticating a trustpoint and obtaining a certificate possible in a VRF?

Thank you.

Best regards,

/JZ