From: Marvin Greenlee (marvin@ipexpert.com)
Date: Fri Feb 23 2007 - 19:43:10 ART
"... %CRYPTO-5-IKMP_INVAL_CERT : Certificate received from [IP_address] is
bad: [chars]
Explanation The certificate given by the remote peer either has been
revoked or has expired (the certificate is invalid) or the signature check
on the certificate has failed (invalid signature).
Recommended Action Contact the CA of the remote peer. The CA certificate
may be invalid. ..."
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_system_message_guide_chapter09186a008009e75f.html
Have you checked the time set on your devices with respect to the CA server?
Marvin Greenlee, CCIE #12237 (R&S, SP, Sec)
Senior Technical Instructor - IPexpert, Inc.
"When Will You Be an IP Expert?"
marvin@ipexpert.com
http://www.IPexpert.com
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Anthony Bonilla
Sent: Friday, February 23, 2007 4:00 PM
To: ccielab@groupstudy.com
Subject: IPSec problem using CA server
All,
I am currently testing IPSec to work with a CA server. I have configured
two routers (connected via a LAN connection) and have retrieved certificates
on both routers successfully but when I try to bring up the tunnel by
pinging one router from the other, I get the following message:
%CRYPTO-5-IKMP_INVAL_CERT: Certificate received from x.x.x.x is bad: CA
request failed
Can someone pls let me know what could be a common cause - if I remove
crypto map from the interfaces, things start to work. BTW, I have
configured a tunnel interface using the physical LAN connection between the
routers and have crypto map applied to both tunnel and LAN interfaces.
TIA
Tony.