revocation check problem

hedyeh razazan
Level 1

Hi,

I have an IPsec VPN module on a 7606 router. Authentication is based on digital certificates. But there is a problem with the revocation check. When revocation check is set to CRL, the VPN connection fails when the router tries to get the CRL from the web server. The debugging output is shown below:

E ../cert-c/source/crlobj.c(384) : Error #705h

CRYPTO_PKI: status = 1797: failed to set crl ber

CRYPTO_PKI: transaction Unknown completed

CRYPTO_PKI: Poll CRL callback

CRYPTO_PKI:  Blocking chain verification callback received status: 105

CRYPTO_PKI: Certificate not validated

When revocation check is set to none, VPN connection established successfully.

thanks,

Hedyeh

8 Replies

Marcin Latosiewicz
Cisco Employee

Hedyeh,

Can you attach a decode of that certificate you're receiving? Can you show certificate on 7600 side?

What version are you running on the 7600?

Which debugs did you enable?

deb cry pk m

deb cry pki t

(If available) deb cry pki v

Those would be the ones to enable.

Marcin

Marcin,

Do you mean the CRL or the certificate? There is no problem with the certificate, because with this certificate the VPN connection is established without revocation check; also with the other certificates there is the same problem.

....#show debugging
Cryptographic Subsystem:
Crypto ISAKMP debugging is on
Crypto IPSEC debugging is on
Crypto Key Management Interface debugging is on
PKI:
Crypto PKI Msg debugging is on
Crypto PKI Trans debugging is on
Crypto PKI callbacks debugging is on
verbose debug output debugging is on
Crypto PKI Certificate Server debugging is on
.....#deb
....#debug cr
....#debug crypto pk
....#debug crypto pki ?
API           PKI API
callbacks     PKI callbacks
messages      PKI Input/Output Messages
server        CA Server
transactions  PKI transactions

Hedyah,

Well, the whole certificate would be interesting, but indeed I want to know what CDPs are specified and what the CA is. What software are you running on the 7600?

To see if we're making a request we could also try to debug TCP, but not if we're already connecting via telnet/ssh to get logs.

Marcin

Marcin,

IOS version: s72033-adventerprisek9_wan-mz.122-33.SRA7

Well, I did a quick check for bugs, but I have to say I'd need more info... SRA is old on top of that.

Can you show me the CDPs from certificates? Do they contain DNS names or only IP addresses?

Does SRA have "optional" under crl?

Marcin

Dear  Marcin,

I really appreciate your attention. I'm sorry for hiding some information; it's because of our security policies.

....#sh crypto pki certificates
Certificate
Status: Available
Certificate Serial Number: 0095
Certificate Usage: General Purpose
Issuer:
    cn=......
    ou=......
    o=.....
    l=.....
    st=.....
    c=.....
Subject:
    Name: .......
    IP Address: .......
Serial Number: 0001AE14
    serialNumber=1AE14+ipaddress=.....+hostname=.......
    cn=.....
CRL Distribution Points:
http://10.3.71.1/crl.crl
Validity Date:
    start date: 08:40:01  May 3 2010
    end   date: 09:40:01  May 3 2011

CA Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: Not Set
Issuer:
    cn=...
    ou=...
    o=...
    l=...
    st=...
    c=...
Subject:
    cn=....
    ou=...
    o=....
    l=....
    st=....
    c=...
Validity Date:
    start date: 20:21:10  May 18 2008
    end   date: 20:21:10  May 23 2011

///////////////////////////////

R-7606-1(ca-trustpoint)#revocation-check crl ?
none  Ignore revocation check
ocsp  Revocation check by OCSP

//////////////////////////////////////////////

/////part of debugging output

CRYPTO_PKI: Retreive CRL using HTTP URI

CRYPTO_PKI: status = 0: poll CRL

CRYPTO_PKI: locked trustpoint ....., refcount is 1

CRYPTO_PKI: can not resolve server name/IP address

CRYPTO_PKI: Using unresolved IP Address 10.3.71.1

CRYPTO_PKI: http connection opened

CRYPTO_PKI: unlocked trustpoint ....., refcount is 0

CRYPTO_PKI: locked trustpoint ....., refcount is 1

CRYPTO_PKI: unlocked trustpoint ..., refcount is 0

CRYPTO_PKI: HTTP response header:

HTTP/1.1 200 OK

Content-Length: 1763

Content-Type: application/pkix-crl

Last-Modified: Tue, 12 Oct 2010 06:28:52 GMT

Accept-Ranges: bytes

ETag: "3c981bdd669cb1:1d2"

Server: Microsoft-IIS/6.0

Date: Mon, 18 Oct 2010 10:07:19 GMT

Connection: close

1441276: Oct 18 13:37:19.961 : CRYPTO_PKI: CRL data

     2D 2D 2D 2D 2D 42 45 47 49 4E 20 58 35 30 39 20

     43 52 4C 2D 2D 2D 2D 2D 0A 4D 49 49 45 37 6A 43

     ....

     ....

     57 31 62 42 6A 45 51 39 71 6B 71 0A 2D 2D 2D 2D

     2D 45 4E 44 20 58 35 30 39 20 43 52 4C 2D 2D 2D

     2D 2D 0A                                          

E ../cert-c/source/crlobj.c(384) : Error #705h

CRYPTO_PKI: status = 1797: failed to set crl ber

CRYPTO_PKI: transaction Unknown completed

CRYPTO_PKI: Poll CRL callback

CRYPTO_PKI:  Blocking chain verification callback received status: 105

CRYPTO_PKI: Certificate not validated

%CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 78.129.167.95 is bad: certificate invalid

ISAKMP:(68730):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

ISAKMP:(68730):Old State = IKE_R_MM5  New State = IKE_R_MM5

////

Again, I remind you that the certificate is OK.

thanks,

Hedyeh
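
The CRL data in the dump above begins with the bytes 2D 2D 2D 2D 2D 42 45 47 49 4E 20 58 35 30 39 20 43 52 4C 2D 2D 2D 2D 2D 0A, which is the ASCII text "-----BEGIN X509 CRL-----", i.e. a PEM (base64) file, whereas the application/pkix-crl media type the server announces is defined by RFC 2585 to carry a DER-encoded CRL, and the failing call is reported as "failed to set crl ber". The Python check below is an added example, not code from this thread or from Cisco: it parses a CRYPTO_PKI hex dump, tells PEM from DER by the first byte, and converts PEM to DER; the sample dump is constructed from the thread's banner bytes around a placeholder body, since the thread elides the middle of the real CRL.

```python
import base64
import re

# First 25 bytes exactly as printed in the thread's "CRL data" dump: the ASCII of
# "-----BEGIN X509 CRL-----\n", i.e. a PEM banner rather than a DER SEQUENCE (0x30).
THREAD_HEAD_HEX = ("2D 2D 2D 2D 2D 42 45 47 49 4E 20 58 35 30 39 20 "
                   "43 52 4C 2D 2D 2D 2D 2D 0A")
HEX_BYTE = re.compile(r"[0-9A-Fa-f]{2}")

def dump_to_bytes(dump):
    """Parse IOS-style hex lines (16 bytes each); lines with '....' gaps are skipped."""
    out = bytearray()
    for line in dump.splitlines():
        toks = line.split()
        if toks and all(HEX_BYTE.fullmatch(t) for t in toks):
            out.extend(int(t, 16) for t in toks)
    return bytes(out)

def bytes_to_dump(data):
    """Format bytes the way IOS prints CRL data (used to build the sample below)."""
    return "\n".join("     " + " ".join(f"{b:02X}" for b in data[i:i + 16])
                     for i in range(0, len(data), 16))

def classify_crl(data):
    """A DER CRL starts with the ASN.1 SEQUENCE tag 0x30; PEM starts with a banner."""
    if data[:1] == b"\x30":
        return "DER"
    return "PEM" if data.startswith(b"-----BEGIN") else "unknown"

def pem_to_der(data):
    """Strip the PEM banners and base64-decode the body into DER."""
    m = re.search(rb"-----BEGIN[^\n]*-----(.*?)-----END", data, re.S)
    if m is None:
        raise ValueError("no PEM banner found")
    return base64.b64decode(b"".join(m.group(1).split()), validate=True)

def diagnose(dump):
    """Return (encoding seen on the wire, encoding after normalising to DER)."""
    data = dump_to_bytes(dump)
    seen = classify_crl(data)
    if seen == "PEM":
        data = pem_to_der(data)
    return seen, classify_crl(data)

# Constructed sample: the thread's banner around a placeholder body. The body is a
# 5-byte DER SEQUENCE{INTEGER 1}, not a real CRL; it only makes the sample complete.
PLACEHOLDER_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_PEM = (b"-----BEGIN X509 CRL-----\n" + base64.b64encode(PLACEHOLDER_DER)
              + b"\n-----END X509 CRL-----\n")
SAMPLE_DUMP = bytes_to_dump(SAMPLE_PEM)
```

Feeding the hex lines of a real "CRYPTO_PKI: CRL data" dump to diagnose() tells you whether the CDP served PEM or DER before you touch the CA or web server configuration.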

Hedyeh,

Please decode that CRL. If you're sure the cert is valid, we need to see what's inside that CRL.

We'd also need a decode of the presented cert, not our cert (yet).

Marcin

narcis antonie
Level 1

Hello Hedyeh,

I am facing the same problem. Did you find any solution back then?

Thanks,

Narcis