From: Anthony Bonilla (anthonybonilla.ccie@gmail.com)
Date: Fri Feb 23 2007 - 20:14:28 ART
Marvin,
Yes, I searched for this error and saw that most people were able to
resolve this issue by fixing the time on the routers and the CA. Below is a
snapshot from my two routers showing the certificate validity times and
clock, and I can't see anything wrong with it; maybe one of you will find
something that I am overlooking:
************************************************************
Rack1R1:
Validity Date:
start date: 00:00:00 UTC Feb 22 2007
end date: 23:59:59 UTC Apr 23 2007
Show clock ==> 06:08:29.861 UTC Fri Feb 23 2007
************************************************************
Validity Date:
start date: 00:00:00 UTC Feb 22 2007
end date: 23:59:59 UTC Apr 23 2007
Show clock ==> 23:04:43.849 UTC Fri Feb 23 2007
**************************************************************
Thanks for your help.
On 2/23/07, Marvin Greenlee <marvin@ipexpert.com> wrote:
>
> "... %CRYPTO-5-IKMP_INVAL_CERT : Certificate received from [IP_address] is bad: [chars]
> Explanation The certificate given by the remote peer either has been
> revoked or has expired (the certificate is invalid) or the signature check
> on the certificate has failed (invalid signature).
>
> Recommended Action Contact the CA of the remote peer. The CA certificate
> may be invalid. ..."
>
>
> http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_system_message_guide_chapter09186a008009e75f.html
>
> Have you checked the time set on your devices with respect to the CA
> server?
>
> Marvin Greenlee, CCIE #12237 (R&S, SP, Sec)
> Senior Technical Instructor - IPexpert, Inc.
> "When Will You Be an IP Expert?"
> marvin@ipexpert.com
> http://www.IPexpert.com
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Anthony Bonilla
> Sent: Friday, February 23, 2007 4:00 PM
> To: ccielab@groupstudy.com
> Subject: IPSec problem using CA server
>
> All,
>
> I am currently testing IPSec to work with a CA server. I have configured
> two routers (connected via a LAN connection) and have retrieved certificates
> on both routers successfully, but when I try to bring up the tunnel by
> pinging one router from the other, I get the following message:
>
> %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from x.x.x.x is bad: CA
> request failed
>
> Can someone please let me know what could be a common cause? If I remove the
> crypto map from the interfaces, things start to work. BTW, I have
> configured a tunnel interface using the physical LAN connection between the
> routers and have the crypto map applied to both the tunnel and LAN interfaces.
>
> TIA
>
> Tony.
>
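The check Marvin suggests, as an added example that is not part of the thread: it parses the two snapshots Anthony pasted (validity window plus `show clock`), tests each certificate against both routers' clocks, since IKE validates the peer's certificate against the local clock, and reports the clock skew between the peers. The 5-minute skew tolerance is an assumption, not a figure from the thread.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input: the two snapshots pasted in the thread,
# in the same line format as the router output.
SNAPSHOT_R1 = """Validity Date:
start date: 00:00:00 UTC Feb 22 2007
end date: 23:59:59 UTC Apr 23 2007
Show clock ==> 06:08:29.861 UTC Fri Feb 23 2007"""

SNAPSHOT_R2 = """Validity Date:
start date: 00:00:00 UTC Feb 22 2007
end date: 23:59:59 UTC Apr 23 2007
Show clock ==> 23:04:43.849 UTC Fri Feb 23 2007"""

def parse_snapshot(text):
    """Return (start, end, clock) datetimes from one pasted snapshot."""
    start = re.search(r"start date:\s*(.+)", text).group(1).strip()
    end = re.search(r"end date:\s*(.+)", text).group(1).strip()
    clock = re.search(r"Show clock\s*==>\s*(.+)", text).group(1).strip()
    fmt = "%H:%M:%S UTC %b %d %Y"
    return (datetime.strptime(start, fmt),
            datetime.strptime(end, fmt),
            datetime.strptime(clock, "%H:%M:%S.%f UTC %a %b %d %Y"))

def cert_valid_at(start, end, when):
    """True if 'when' lies inside the certificate's validity window."""
    return start <= when <= end

def peer_clock_report(snap_a, snap_b):
    """Check each cert against both clocks and measure peer clock skew."""
    a_start, a_end, a_clock = parse_snapshot(snap_a)
    b_start, b_end, b_clock = parse_snapshot(snap_b)
    skew = abs(a_clock - b_clock)
    return {
        "a_valid_locally": cert_valid_at(a_start, a_end, a_clock),
        "b_valid_locally": cert_valid_at(b_start, b_end, b_clock),
        # each peer judges the other's cert with its own clock
        "a_cert_valid_on_b": cert_valid_at(a_start, a_end, b_clock),
        "b_cert_valid_on_a": cert_valid_at(b_start, b_end, a_clock),
        "skew_seconds": skew.total_seconds(),
        "skew_excessive": skew > timedelta(minutes=5),  # assumed tolerance
    }

if __name__ == "__main__":
    for key, value in peer_clock_report(SNAPSHOT_R1, SNAPSHOT_R2).items():
        print(f"{key}: {value}")
```

On the pasted snapshots both certificates fall inside their windows on either clock, but the two routers' clocks are almost 17 hours apart, which is the kind of discrepancy worth ruling out before looking elsewhere.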