From: Anthony Bonilla (anthonybonilla.ccie@gmail.com)
Date: Fri Feb 23 2007 - 21:36:08 ART
Marvin,
Thanks a lot for looking at the configs - I know I set up the time on these
two devices together a day or two before but during troubleshooting never
looked at the time and only kept making sure that the date/year are the
same. I will have to match the time on these devices soon and get a new
cert, once I have a chance to do that, I will send out an update with my
results but I really appreciate your help with this.
I wanted to repeat what a lot of other folks have already said - I have been
a member of this group for only a few days but have recently posted two
questions and got my answers almost instantaneously. I appreciate
everyone's help here who take time from their busy schedule to help others.
Thanks again!
Tony
On 2/23/07, Marvin Greenlee <marvin@ipexpert.com> wrote:
>
> Is there a reason why the time on the two devices is so far apart? In
> general, the devices are usually within a few minutes of each other.
>
>
>
> Marvin Greenlee, CCIE #12237 (R&S, SP, Sec)
> Senior Technical Instructor - IPexpert, Inc.
> "When Will You Be an IP Expert?"
> marvin@ipexpert.com
> http://www.IPexpert.com <http://www.ipexpert.com/>
> ------------------------------
>
> *From:* Anthony Bonilla [mailto:anthonybonilla.ccie@gmail.com]
> *Sent:* Friday, February 23, 2007 6:14 PM
> *To:* Marvin Greenlee
> *Cc:* ccielab@groupstudy.com
> *Subject:* Re: IPSec problem using CA server
>
>
>
> Marvin,
>
>
>
> Yes, I searched on this error and saw that most of the people were able to
> resolve this issue fixing time on routers and the CA. Below is a
> snapshot from my two routers showing the certificate validity times and
> clock and I can't see anything wrong with it, maybe one of you will find
> something that I am overlooking:
>
>
>
> ************************************************************
>
> Rack1R1:
>
> Validity Date:
>
> start date: 00:00:00 UTC Feb 22 2007
>
> end date: 23:59:59 UTC Apr 23 2007
>
>
>
> Show clock ==> 06:08:29.861 UTC Fri Feb 23 2007
>
> ************************************************************
> Validity Date:
>
> start date: 00:00:00 UTC Feb 22 2007
>
> end date: 23:59:59 UTC Apr 23 2007
>
>
>
> Show clock ==> 23:04:43.849 UTC Fri Feb 23 2007
>
> **************************************************************
>
>
>
> Thanks for your help.
>
>
> On 2/23/07, *Marvin Greenlee* <marvin@ipexpert.com> wrote:
>
> "... %CRYPTO-5-IKMP_INVAL_CERT : Certificate received from [IP_address] is bad: [chars]
> Explanation The certificate given by the remote peer either has been
> revoked or has expired (the certificate is invalid) or the signature check
> on the certificate has failed (invalid signature).
>
> Recommended Action Contact the CA of the remote peer. The CA certificate
> may be invalid. ..."
>
>
> http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_system_message_guide_chapter09186a008009e75f.html
>
>
>
>
> Have you checked the time set on your devices with respect to the CA
> server?
>
> Marvin Greenlee, CCIE #12237 (R&S, SP, Sec)
> Senior Technical Instructor - IPexpert, Inc.
> "When Will You Be an IP Expert?"
> marvin@ipexpert.com
> http://www.IPexpert.com <http://www.ipexpert.com/>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Anthony Bonilla
> Sent: Friday, February 23, 2007 4:00 PM
> To: ccielab@groupstudy.com
> Subject: IPSec problem using CA server
>
> All,
>
> I am currently testing IPSec to work with a CA server. I have configured
> two routers (connected via a LAN connection) and have retrieved certificates
> on both routers successfully but when I try to bring up the tunnel by
> pinging one router from the other, I get the following message:
>
> %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from x.x.x.x is bad: CA request failed
>
> Can someone pls let me know what could be a common cause - if I remove
> crypto map from the interfaces, things start to work. BTW, I have
> configured a tunnel interface using the physical LAN connection between the
> routers and have crypto map applied to both tunnel and lan interfaces.
>
> TIA
>
> Tony.
>
This archive was generated by hypermail 2.1.4 : Thu Mar 01 2007 - 07:38:48 ART
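The two checks discussed in this thread (each router's clock against its certificate validity window, and the difference between the two routers' clocks), as an added example that is not part of the original messages. The times are the ones posted above; the label "second router" and the five-minute skew limit are assumptions.

```python
from datetime import datetime, timedelta, timezone

def parse_ios_time(text):
    """Parse 'HH:MM:SS[.mmm] UTC [Weekday] Mon DD YYYY' into an aware datetime."""
    parts = text.split()
    if len(parts) == 6:          # 'show clock' output carries a weekday
        del parts[2]
    if len(parts) != 5 or parts[1] != "UTC":
        raise ValueError(f"unsupported time format: {text!r}")
    clock, _, month, day, year = parts
    fmt = "%H:%M:%S.%f" if "." in clock else "%H:%M:%S"
    parsed = datetime.strptime(f"{clock} {month} {day} {year}", fmt + " %b %d %Y")
    return parsed.replace(tzinfo=timezone.utc)

def check_clocks(devices, max_skew=timedelta(minutes=5)):
    """Return (skew, findings) for a dict of device name -> start/end/clock."""
    findings, clocks = [], {}
    for name, d in devices.items():
        now = clocks[name] = parse_ios_time(d["clock"])
        if now < parse_ios_time(d["start"]):
            findings.append(f"{name}: certificate not yet valid by local clock")
        elif now > parse_ios_time(d["end"]):
            findings.append(f"{name}: certificate expired by local clock")
    # Compare the device clocks with each other (max_skew is an assumed limit).
    skew = max(clocks.values()) - min(clocks.values())
    if skew > max_skew:
        findings.append(f"clock skew between devices is {skew}")
    return skew, findings

# Values as posted in the thread; "second router" is an assumed label
# because the second snapshot carries no hostname.
THREAD_SNAPSHOT = {
    "Rack1R1": {
        "start": "00:00:00 UTC Feb 22 2007",
        "end": "23:59:59 UTC Apr 23 2007",
        "clock": "06:08:29.861 UTC Fri Feb 23 2007",
    },
    "second router": {
        "start": "00:00:00 UTC Feb 22 2007",
        "end": "23:59:59 UTC Apr 23 2007",
        "clock": "23:04:43.849 UTC Fri Feb 23 2007",
    },
}

if __name__ == "__main__":
    skew, findings = check_clocks(THREAD_SNAPSHOT)
    print("skew:", skew)
    for line in findings:
        print("finding:", line)
```

On the posted values both clocks fall inside the validity window, so the only finding is the difference between the two clocks.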