Solved: PKI Issue with APIC-EM 1.3 + IWAN

Hilario Martin · ‎10-28-2016

Hi,

after upgrading (reinstalling) from EM 1.2 version to 1.3 we have tried to deploy IWAN with 2 remote Sites and 2 Service Provider (DCs)

and have no problems deploying HUB site but we have an issue with TRANIST-HUB-1 with these error:

Router debug:

*Oct 27 13:08:25.251 GMT: CRYPTO_PKI: status = 0x747(E_EOS : end of i/o stream): Imported PKCS12 file failure

*Oct 27 13:08:25.251 GMT: %PKI-6-PKCS12IMPORT_FAIL: PKCS #12 Import Failed.

APIC-EM Audit:

Underlay and Overlay configuration in site TRANSIT-HUB-1 failed. PKI configuration failed for device 10.X.X.1

Failed to download PKCS12

We have tested this topology before with version 1.2 and was working as expected.

Any idea about it?

Thanks in advanced.

Hilario Martin · ‎10-28-2016

sorry, is resolved it was a routing EM issue.

Regards.

View solution in original post

Hilario Martin · ‎10-28-2016

sorry, is resolved it was a routing EM issue.

Regards.

cchitnis · ‎10-28-2016

So long as the correct configuration is pushed from apic-em-pki-broker service through apic-em-network-programmer on behalf of iWAN Manager (visibility-service), the actual download of PKCS12 certs would depend on routing and firewalling etc. between the actual device and APIC-EM controller.

Alex Pfeil · ‎08-17-2017

Can you be more specific on the fix? I am running into the same issue.

Thanks,

Alex

aradford · ‎08-18-2017

make sure you have reachability from APIC-EM via both underlay and overlay IP address ranges on the device.

Alex Pfeil · ‎08-31-2017

If the device is only accessible from a public IP, how can the underlay and overlay IP address ranges be reachable before the DMVPN tunnel is created?

Jatinder SIngh · ‎07-16-2018

Hello.. did you get an answer for this ?

i am also in same fix, please suggest

Jatinder SIngh · ‎07-16-2018

hello.. can you elaborate please, I am able to ping my remote site devices from APIC EM and vice versa.

I already provisioned 3 sites with same settings, no version change on APIC EM but started getting message like.

PKI configuration in site XXXX for device XXXX failed. trust-point create: enrollment failed

I am using APIC EM 1.6.0 version

immediate response would be appreciated as I am stuck in mid of deployments.

Diana Karolina Rojas · ‎08-01-2018

Hello!

Can you help me with this?, I have the same problem so I need to know how you resolved the problem, I will appreciate any help.

Thank you,

cchitnis · ‎08-01-2018

Jatinder, Diana,
I have not worked on APIC-EM iWAN App for more than a year now; however, as this thread suggests, the only problem I can see with this is routing not being set-up correctly. As Adam suggests above, make sure you have reachability from APIC-EM via both underlay and overlay IP address ranges on the device.

Diana Karolina Rojas · ‎08-01-2018

cchitnis Thanks for you reply,

The problem is, I have connectivity from APIC to the Branch my error is the next:

Underlay and overlay configuration in site xxx failed

PKI configuration failed for device Y.Y.Y.Y

Even the branch wan not configured with the lookback interface, the APIC was no able to push any kind of configuration into de branch.

Best Regards,

Stefan Honeder · ‎08-02-2018

You are probably running into https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvk38328

...TAC can help you to fix this.