Sorry also provide output from debug crypto isakmp if poss?

2009/7/8 Stuart Hare <[email protected]>

> I've not come across this before, normally fairly straightforward, have you
> manually configured the subject name on the ASA?
>
> Can you post some configurations?
>
> Stu
>
> 2009/7/8 Shawn H. Mesiatowsky <[email protected]>
>
>> I am trying to set up a L2L VPN between an ASA and router using digital
>> certificates. I am using another router as a CA. When isakmp tries to
>> establish an SA, I see the following in a debug on the ASA:
>>
>> Jul 05 2009 21:49:28: %PIX-7-713906: Group = R3.digitalcortex.local, IP = 172.16.123.2, Unable to compare IKE ID against peer cert Subject Alt Name
>>
>> I copied the certs from the CA router and compared the two certificates in
>> Windows. I saw the ASA cert contains an extra attribute:
>>
>> Subject Alt Name:
>>
>> DNS Name=ASA1.digitalcortex.local
>>
>> But the router cert does not contain this attribute.
>>
>> It seems the isakmp SA is failing because the router cert does not contain
>> this attribute. Any idea how to make the router request this attribute in
>> its cert, or how to tell the ASA to stop looking for this attribute? Thanks
>> for your help
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>
> --
> _________________________
>
> Stuart Hare
> [email protected]
> _________________________

--
_________________________

Stuart Hare
[email protected]
_________________________
