Re: IPSec problem using CA server

From: Ivan Ivanov (ivanov.ivan@gmail.com)
Date: Sat Feb 24 2007 - 05:59:43 ART


Hello,

Try with 'revocation-check none' or 'revocation-check crl none'. You
should put this in your trustpoint. In the link below you can see what
to use if you have IOS older than 12.3, and the reason that your
certificate is rejected.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/hsec_r/sec_r1h.htm#wp1175555

Hope this helps!

On 2/24/07, Anthony Bonilla <anthonybonilla.ccie@gmail.com> wrote:
> Marvin,
>
> Thanks a lot for looking at the configs - I know I set up the time on these
> two devices together a day or two before but during troubleshooting never
> looked at the time and only kept making sure that the date/year are the
> same. I will have to match the time on these devices soon and get a new
> cert. Once I have a chance to do that, I will send out an update with my
> results, but I really appreciate your help with this.
>
> I wanted to repeat what a lot of other folks have already said - I have been
> a member of this group for only few days but have recently posted two
> questions and got my answers almost instantaneously. I appreciate
> everyone's help here who take time from their busy schedule to help others.
> Thanks again!
>
> Tony
>
>
> On 2/23/07, Marvin Greenlee <marvin@ipexpert.com> wrote:
> >
> > Is there a reason why the time on the two devices is so far apart? In
> > general, the devices are usually within a few minutes of each other.
> >
> >
> >
> > Marvin Greenlee, CCIE #12237 (R&S, SP, Sec)
> > Senior Technical Instructor - IPexpert, Inc.
> > "When Will You Be an IP Expert?"
> > marvin@ipexpert.com
> > http://www.IPexpert.com <http://www.ipexpert.com/>
> > ------------------------------
> >
> > *From:* Anthony Bonilla [mailto:anthonybonilla.ccie@gmail.com]
> > *Sent:* Friday, February 23, 2007 6:14 PM
> > *To:* Marvin Greenlee
> > *Cc:* ccielab@groupstudy.com
> > *Subject:* Re: IPSec problem using CA server
> >
> >
> > Marvin,
> >
> > Yes, I searched on this error and saw that most of the people were able to
> > resolve this issue by fixing the time on the routers and the CA. Below is a
> > snapshot from my two routers showing the certificate validity times and
> > clock, and I can't see anything wrong with it; maybe one of you will find
> > something that I am overlooking:
> >
> > ************************************************************
> > Rack1R1:
> > Validity Date:
> > start date: 00:00:00 UTC Feb 22 2007
> > end date: 23:59:59 UTC Apr 23 2007
> >
> > Show clock ==> 06:08:29.861 UTC Fri Feb 23 2007
> > ************************************************************
> > Validity Date:
> > start date: 00:00:00 UTC Feb 22 2007
> > end date: 23:59:59 UTC Apr 23 2007
> >
> > Show clock ==> 23:04:43.849 UTC Fri Feb 23 2007
> > **************************************************************
> >
> >
> >
> > Thanks for your help.
> >
> >
> > On 2/23/07, *Marvin Greenlee* <marvin@ipexpert.com> wrote:
> >
> > "... %CRYPTO-5-IKMP_INVAL_CERT : Certificate received from [IP_address] is
> > bad: [chars]
> > Explanation The certificate given by the remote peer either has been
> > revoked or has expired (the certificate is invalid) or the signature check
> > on the certificate has failed (invalid signature).
> >
> > Recommended Action Contact the CA of the remote peer. The CA certificate
> > may be invalid. ..."
> >
> >
> > http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_system_message_guide_chapter09186a008009e75f.html
> >
> >
> >
> >
> > Have you checked the time set on your devices with respect to the CA
> > server?
> >
> > Marvin Greenlee, CCIE #12237 (R&S, SP, Sec)
> > Senior Technical Instructor - IPexpert, Inc.
> > "When Will You Be an IP Expert?"
> > marvin@ipexpert.com
> > http://www.IPexpert.com <http://www.ipexpert.com/>
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Anthony Bonilla
> > Sent: Friday, February 23, 2007 4:00 PM
> > To: ccielab@groupstudy.com
> > Subject: IPSec problem using CA server
> >
> > All,
> >
> > I am currently testing IPSec to work with a CA server. I have configured
> > two routers (connected via a LAN connection) and have retrieved certificates
> > on both routers successfully, but when I try to bring up the tunnel by
> > pinging one router from the other, I get the following message:
> >
> > %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from x.x.x.x is bad: CA
> > request failed
> >
> > Can someone pls let me know what could be a common cause - if I remove the
> > crypto map from the interfaces, things start to work. BTW, I have
> > configured a tunnel interface using the physical LAN connection between the
> > routers and have the crypto map applied to both tunnel and LAN interfaces.
> >
> > TIA
> >
> > Tony.
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>

-- 
Best Regards!

Ivan Ivanov
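Added example (written for this archive page, not code from any of the posters or from Cisco): a small Python script that parses the "Validity Date" and "show clock" output in the format quoted in the thread, checks whether each router's clock falls inside its certificate's validity window, and measures the skew between the two device clocks, which is the point Marvin raised. The second router's hostname ("Rack1R2") and the 5-minute skew threshold are assumptions; the timestamps are the ones quoted above. It does not model the revocation lookup that Ivan's 'revocation-check' suggestion concerns.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input, modelled on the "show crypto pki certificates" /
# "show clock" snippets quoted in the thread. The second router's hostname is
# not given there, so "Rack1R2" is a placeholder, not a value from the post.
SAMPLE_DEVICES = {
    "Rack1R1": {
        "validity": (
            "Validity Date:\n"
            "  start date: 00:00:00 UTC Feb 22 2007\n"
            "  end date: 23:59:59 UTC Apr 23 2007\n"
        ),
        "clock": "06:08:29.861 UTC Fri Feb 23 2007",
    },
    "Rack1R2": {  # placeholder hostname (not in the thread)
        "validity": (
            "Validity Date:\n"
            "  start date: 00:00:00 UTC Feb 22 2007\n"
            "  end date: 23:59:59 UTC Apr 23 2007\n"
        ),
        "clock": "23:04:43.849 UTC Fri Feb 23 2007",
    },
}

# IOS prints "HH:MM:SS[.mmm] UTC [Dow] Mon DD YYYY"; the weekday only appears
# in "show clock", so it is optional here. Only UTC stamps are accepted,
# which is all the thread shows.
IOS_TIME_RE = re.compile(
    r"(\d{2}:\d{2}:\d{2})(?:\.\d+)?\s+UTC\s+(?:[A-Z][a-z]{2}\s+)?"
    r"([A-Z][a-z]{2}\s+\d{1,2}\s+\d{4})"
)


def parse_ios_time(text: str) -> datetime:
    """Parse an IOS timestamp into an aware UTC datetime (fractional seconds dropped)."""
    m = IOS_TIME_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised IOS timestamp: {text!r}")
    stamp = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%H:%M:%S %b %d %Y")
    return stamp.replace(tzinfo=timezone.utc)


def parse_validity(text: str) -> tuple:
    """Extract (not_before, not_after) from a 'Validity Date:' block."""
    start = re.search(r"start date:\s*(.+)", text)
    end = re.search(r"end\s+date:\s*(.+)", text)
    if not (start and end):
        raise ValueError("validity block is missing start or end date")
    return parse_ios_time(start.group(1)), parse_ios_time(end.group(1))


def validity_status(clock: datetime, not_before: datetime, not_after: datetime) -> str:
    """Classify a device clock against a certificate's validity window."""
    if clock < not_before:
        return "not yet valid"
    if clock > not_after:
        return "expired"
    return "valid"


def analyse(devices: dict, max_skew: timedelta = timedelta(minutes=5)) -> dict:
    """Check each device's clock against its own certificate and report the
    largest clock difference between devices. max_skew is an assumed threshold;
    the thread only says peers are usually within a few minutes of each other."""
    clocks = {}
    status = {}
    for name, info in devices.items():
        not_before, not_after = parse_validity(info["validity"])
        clock = parse_ios_time(info["clock"])
        clocks[name] = clock
        status[name] = validity_status(clock, not_before, not_after)
    skew = max(clocks.values()) - min(clocks.values())
    return {"status": status, "skew": skew, "skew_ok": skew <= max_skew}


if __name__ == "__main__":
    result = analyse(SAMPLE_DEVICES)
    for name, state in result["status"].items():
        print(f"{name}: certificate {state} at the device's own clock")
    print(f"largest clock skew between devices: {result['skew']} "
          f"({'ok' if result['skew_ok'] else 'exceeds threshold'})")
```

Run against the quoted values, both certificates are inside their validity window at each router's own clock, but the two clocks differ by almost 17 hours. Each IKE peer validates the certificate it receives against its own clock, so a window that looks fine locally can still fail on the other side once the clocks drift far enough; syncing both routers (and the CA) to one time source removes that variable before turning to the revocation settings Ivan mentions.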



This archive was generated by hypermail 2.1.4 : Thu Mar 01 2007 - 07:38:48 ART