Cisco 2800, 12.4(23b) router has two VPN tunnels to other Cisco devices.
Authentication uses certificates from a PKI CA server.
Under normal circumstances all works fine, both crypto sessions up.
After a power cycle (having first saved configs), however, the crypto sessions are stuck in DOWN-NEGOTIATING.
The certificate on the router still looks valid.
The only way to get the sessions back up is to renew the certificate, which seems strange as the existing one appeared to be still valid.
Any ideas what could cause these symptoms?
Check the RSA key prior to and after reload. Is it still the same, with the same name?
sh crypto key mypubkey rsa
Check name and Key data. They should remain identical.
You would need to debug that further in order to find out why:
debug crypto isakmp
debug crypto pki tran
debug crypto pki mess
debug crypto pki api
debug crypto pki call
We have noticed that for a very short time after reload, before NTP corrects the time, the router reports the year as 1934. The router cert would be invalid during this short period of course, but it doesn't seem to recover even after the time is set correctly.
Presumably a battery-backed clock problem - router has been scheduled for replacement. I'll update later to say if the issue is resolved.
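The follow-up above points at the clock: a router booting with its date at 1934 sits before its own certificate's start date, so IKE certificate authentication cannot succeed even though the certificate "looks valid" once the time is corrected. The check below, an added example and not from this thread, reproduces that condition from constructed `show clock` and `show crypto pki certificates` output; the field layouts and the treatment of the leading `*` as "clock not authoritative" are assumptions.

```python
"""Compare a router clock with its certificate validity window: a clock at boot
that is unset or predates the certificate makes IKE certificate auth fail."""
import re
from datetime import datetime, timezone

# Constructed samples approximating IOS 'show clock' / 'show crypto pki certificates'
SHOW_CLOCK_AT_BOOT = "*00:00:43.115 UTC Mon Jan 1 1934"   # '*' = not authoritative
SHOW_CLOCK_AFTER_NTP = "10:15:02.331 UTC Tue Mar 5 2013"
SHOW_PKI_CERT = """\
Certificate
  Status: Available
  Validity Date:
    start date: 09:00:00 UTC Feb 1 2013
    end   date: 09:00:00 UTC Feb 1 2014
"""

# HH:MM:SS[.mmm] TZ [Weekday] Mon D YYYY  (weekday optional, tz kept loose)
_TIME_RE = re.compile(
    r"(\d{2}:\d{2}:\d{2})(?:\.\d+)?\s+\S+\s+(?:[A-Za-z]{3}\s+)?([A-Za-z]{3}\s+\d{1,2}\s+\d{4})")


def parse_ios_time(text):
    """Return (datetime, authoritative). Assumption: tz compared as UTC."""
    authoritative = not text.lstrip().startswith("*")
    m = _TIME_RE.search(text.lstrip("*. \t"))
    if not m:
        raise ValueError(f"unrecognised IOS time: {text!r}")
    dt = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%H:%M:%S %b %d %Y")
    return dt.replace(tzinfo=timezone.utc), authoritative


def parse_cert_validity(cert_text):
    """Return (start, end) datetimes from the 'Validity Date' block."""
    start = re.search(r"start date:\s*(.+)", cert_text).group(1)
    end = re.search(r"end\s+date:\s*(.+)", cert_text).group(1)
    return parse_ios_time(start)[0], parse_ios_time(end)[0]


def cert_usable(clock_text, cert_text):
    """Return (ok, reason): usable only with an authoritative clock inside the window."""
    now, authoritative = parse_ios_time(clock_text)
    start, end = parse_cert_validity(cert_text)
    if not authoritative:
        return False, f"clock not authoritative ({now:%Y-%m-%d}); wait for NTP or set clock"
    if now < start:
        return False, f"clock {now:%Y-%m-%d} predates certificate start {start:%Y-%m-%d}"
    if now > end:
        return False, f"certificate expired {end:%Y-%m-%d}; renew"
    return True, "clock inside certificate validity window"
```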