benolyndav
Participant

VPN messages

Hi 

We have a static VPN between 2 routers and the tunnel is up and down. I consoled onto one of the routers and ran a debug crypto ipsec and saw this message.

 

*Sep  9 15:20:32.787: %IKEV2-3-NEG_ABORT: Negotiation aborted due to ERROR: Failed to build certificate payload

 

 

I then issued the show crypto pki certificate verbose and noticed that one of the certs had expired.

 

Is this what caused the error message?

17 REPLIES

@benolyndav the certificate would auto-renew if the router was configured to do so and the initial cert was enrolled via SCEP. If the certificate was enrolled using terminal (copy and paste), then no, it would not auto-renew.

Hi Rob

So we have the branch router configured as CA, so when we install new routers we just point to the branch router before we take them to site and request a cert. SCEP uses a server, doesn't it?

Thanks

@benolyndav 

Do you mean a branch router is the CA, running SCEP?

 

The router requesting the certificate would have a trustpoint configured with "enrollment url http://x.x.x.x", where x.x.x.x is the IP address of the router acting as the CA. Obviously the routers would need to be able to communicate with each other for the SCEP request to be sent/received.

 

This link might help you using SCEP

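The expiry check the original poster did by eye on the `show crypto pki certificate verbose` output can be scripted; the following is an added example, not part of the thread. The sample output, names, serials and dates are constructed, and the field layout (an `end date:` line under each unindented certificate heading) is an assumption about the router's output.

```python
import re
from datetime import datetime, timedelta

# Constructed sample laid out like the router's certificate listing.
# Names, serial numbers and dates are made up for this example.
SAMPLE = """\
Certificate
  Certificate Serial Number (hex): 05
  Subject:
    Name: spoke1.example.test
  Validity Date:
    start date: 15:20:32 UTC Sep 9 2020
    end   date: 15:20:32 UTC Sep 9 2021
  Associated Trustpoints: BRANCH-CA
CA Certificate
  Certificate Serial Number (hex): 01
  Subject:
    cn=BRANCH-CA
  Validity Date:
    start date: 09:00:00 UTC Jan 5 2019
    end   date: 09:00:00 UTC Jan 4 2029
  Associated Trustpoints: BRANCH-CA
"""

END_RE = re.compile(r"end\s+date:\s+(\d\d:\d\d:\d\d)\s+\S+\s+(\w{3})\s+(\d{1,2})\s+(\d{4})")

def cert_status(show_output, now, warn_days=30):
    """Return [(kind, serial, end_date, state)] for each certificate block."""
    results, kind, serial = [], None, None
    for line in show_output.splitlines():
        if line and not line[0].isspace():      # unindented line starts a new block
            kind, serial = line.strip(), None
        elif "Serial Number" in line:
            serial = line.split(":", 1)[1].strip()
        else:
            m = END_RE.search(line)
            if m:
                # Timezone token is skipped: assumes `now` is in the router's clock zone.
                end = datetime.strptime(" ".join(m.groups()), "%H:%M:%S %b %d %Y")
                state = "EXPIRED" if end <= now else "EXPIRING" if end - now <= timedelta(days=warn_days) else "OK"
                results.append((kind, serial, end, state))
    return results

if __name__ == "__main__":
    for row in cert_status(SAMPLE, datetime(2021, 9, 9, 15, 20, 33)):
        print(row)
```

Running it on a schedule against collected output gives warning before an identity certificate lapses, which matters most where the certificate was enrolled by terminal and will not auto-renew.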