RE: IPSec problem using CA server

From: Marvin Greenlee (marvin@ipexpert.com)
Date: Fri Feb 23 2007 - 20:43:39 ART


Is there a reason why the time on the two devices is so far apart? In
general, the devices are usually within a few minutes of each other.

 

Marvin Greenlee, CCIE #12237 (R&S, SP, Sec)
Senior Technical Instructor - IPexpert, Inc.
"When Will You Be an IP Expert?"
 marvin@ipexpert.com
http://www.IPexpert.com

  _____

From: Anthony Bonilla [mailto:anthonybonilla.ccie@gmail.com]
Sent: Friday, February 23, 2007 6:14 PM
To: Marvin Greenlee
Cc: ccielab@groupstudy.com
Subject: Re: IPSec problem using CA server

 

Marvin,

 

Yes, I searched on this error and saw that most of the people were able to
resolve this issue by fixing time on routers and the CA. Below is a snapshot
from my two routers showing the certificate validity times and clock and I
can't see anything wrong with it; maybe one of you will find something that
I am overlooking:

 

************************************************************

Rack1R1:

Validity Date:
   start date: 00:00:00 UTC Feb 22 2007
   end date: 23:59:59 UTC Apr 23 2007

Show clock ==> 06:08:29.861 UTC Fri Feb 23 2007

************************************************************

Validity Date:
   start date: 00:00:00 UTC Feb 22 2007
   end date: 23:59:59 UTC Apr 23 2007

Show clock ==> 23:04:43.849 UTC Fri Feb 23 2007

**************************************************************

 

Thanks for your help.
 

On 2/23/07, Marvin Greenlee <marvin@ipexpert.com> wrote:

"... %CRYPTO-5-IKMP_INVAL_CERT : Certificate received from [IP_address] is
bad: [chars]
Explanation The certificate given by the remote peer either has been
revoked or has expired (the certificate is invalid) or the signature check
on the certificate has failed (invalid signature).

Recommended Action Contact the CA of the remote peer. The CA certificate
may be invalid. ..."

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_system_message_guide_chapter09186a008009e75f.html

Have you checked the time set on your devices with respect to the CA server?

Marvin Greenlee, CCIE #12237 (R&S, SP, Sec)
Senior Technical Instructor - IPexpert, Inc.
"When Will You Be an IP Expert?"
marvin@ipexpert.com
http://www.IPexpert.com

-----Original Message-----
From: nobody@groupstudy.com <mailto:nobody@groupstudy.com>
[mailto:nobody@groupstudy.com] On Behalf Of
Anthony Bonilla
Sent: Friday, February 23, 2007 4:00 PM
To: ccielab@groupstudy.com <mailto:ccielab@groupstudy.com>
Subject: IPSec problem using CA server

All,

I am currently testing IPSec to work with a CA server. I have configured
two routers (connected via a LAN connection) and have retrieved certificates
on both routers successfully but when I try to bring up the tunnel by
pinging one router from the other, I get the following message:

%CRYPTO-5-IKMP_INVAL_CERT: Certificate received from x.x.x.x is bad: CA
request failed

Can someone please let me know what could be a common cause - if I remove the
crypto map from the interfaces, things start to work. BTW, I have
configured a tunnel interface using the physical LAN connection between the
routers and have the crypto map applied to both tunnel and LAN interfaces.

TIA

Tony.
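The thread turns on comparing each router's clock against the certificate validity window and against the peer's clock. The script below is an added example, not code from anyone in this thread; it parses the two snapshots Anthony pasted (embedded here as constructed input; the second router is unlabelled on the page, so its name is an assumption) and reports whether each clock falls inside its certificate's validity and how far the two clocks are apart. The 5-minute skew threshold is an assumed tolerance, not a value from the thread.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input: the two router snapshots from the thread.
# Only the first router is named on the page; "R2" is an assumed label.
SNAPSHOTS = {
    "Rack1R1": """\
Validity Date:
   start date: 00:00:00 UTC Feb 22 2007
   end date: 23:59:59 UTC Apr 23 2007
Show clock ==> 06:08:29.861 UTC Fri Feb 23 2007
""",
    "R2 (label assumed)": """\
Validity Date:
    start date: 00:00:00 UTC Feb 22 2007
    end date: 23:59:59 UTC Apr 23 2007
Show clock ==> 23:04:43.849 UTC Fri Feb 23 2007
""",
}

# IOS prints "HH:MM:SS[.mmm] UTC [Www] Mon DD YYYY". The fractional seconds
# and weekday appear in 'show clock' output but not in the validity lines,
# so both are optional here.
_TS = re.compile(
    r"(?P<time>\d{2}:\d{2}:\d{2})(?:\.\d+)?\s+UTC\s+(?:[A-Za-z]{3}\s+)?"
    r"(?P<date>[A-Za-z]{3}\s+\d{1,2}\s+\d{4})"
)


def parse_ios_time(text: str) -> datetime:
    """Extract an IOS UTC timestamp from a line and return an aware datetime."""
    m = _TS.search(text)
    if not m:
        raise ValueError(f"no IOS timestamp in: {text!r}")
    naive = datetime.strptime(f"{m['time']} {m['date']}", "%H:%M:%S %b %d %Y")
    return naive.replace(tzinfo=timezone.utc)


def parse_snapshot(text: str) -> dict:
    """Pull certificate start/end dates and the local clock out of a pasted snapshot."""
    fields = {}
    for line in text.splitlines():
        low = line.strip().lower()
        if low.startswith("start date:"):
            fields["start"] = parse_ios_time(line)
        elif low.startswith("end date:"):
            fields["end"] = parse_ios_time(line)
        elif low.startswith("show clock"):
            fields["clock"] = parse_ios_time(line)
    missing = {"start", "end", "clock"} - fields.keys()
    if missing:
        raise ValueError(f"snapshot is missing {sorted(missing)}")
    return fields


def clock_within_validity(snap: dict) -> bool:
    """True when the router's own clock lies inside its certificate's validity window."""
    return snap["start"] <= snap["clock"] <= snap["end"]


def clock_skew(a: dict, b: dict) -> timedelta:
    """Absolute difference between two routers' clocks."""
    return abs(a["clock"] - b["clock"])


def analyze(snapshots: dict, max_skew: timedelta = timedelta(minutes=5)) -> list:
    """Return human-readable findings: validity problems and peer clock skew."""
    parsed = {name: parse_snapshot(text) for name, text in snapshots.items()}
    findings = []
    for name, snap in parsed.items():
        if not clock_within_validity(snap):
            findings.append(
                f"{name}: local clock {snap['clock']:%Y-%m-%d %H:%M:%S} is outside "
                f"certificate validity {snap['start']:%Y-%m-%d} .. {snap['end']:%Y-%m-%d}"
            )
    names = list(parsed)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            skew = clock_skew(parsed[a], parsed[b])
            if skew > max_skew:
                findings.append(f"{a} vs {b}: clocks differ by {skew} (tolerance {max_skew})")
    return findings


if __name__ == "__main__":
    for finding in analyze(SNAPSHOTS) or ["no findings"]:
        print(finding)
```

On the thread's own snapshots both clocks sit inside the validity window, so the only finding is the roughly 17-hour gap between the two routers' clocks, which is the point Marvin raises in his reply.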



This archive was generated by hypermail 2.1.4 : Thu Mar 01 2007 - 07:38:48 ART