Badar,

What Brandon is referring to is the CDP url under the IOS pki server config:

cdp-url http://x.x.x.x/cgi-bin/pkiclient.exe?operation=GetCRL

Where x.x.x.x is the CA server IP per your enrollment URL.

Remember this URL needs to be manually typed due to the '?'.

Stu

On Sat, Mar 6, 2010 at 7:00 AM, Badar Farooq <[email protected]> wrote:

> Hi All
> My IOS is 12.4(15)T9, so I should not have an issue right?
> Also Brandon, what do you mean by "Also check the URL on the PKi server and
> make sure it has the "?" Mark in the URL. "?
>
> My enrollment URL was http://x.x.x.x/cgi-bin/pkiclient.exe, where x.x.x.x
> is the IP of the CA server router. Is it wrong?
> I am testing it on a single one-router Dynamips topology, and I will try
> again with cdp url configured and database level complete but I need a
> confirmation that everything else I am doing is correct.
>
> Can somebody just detail the step-by-step process? I will be really
> grateful.
>
> Regards
>
>
>
>
>
> On Sat, Mar 6, 2010 at 7:28 AM, Brandon Carroll <[email protected]> wrote:
>
>> Kings,
>>
>> I’ve had the same issue in testing and upgrading to the T2 code solved it.
>>  With me, the enrollment was successful but the tunnel failed because of the
>> way the client was verifying the cert.  Another thing that I’ve seen make it
>> work is setting the database level to complete on the PKI server.  I’m not
>> sure why there was a difference though.  I need to test it again.
>>
>> Anyhow, if you are still seeing this issue what code are you running on
>> the PKI server and what URL are you using to enroll the client?  Do you have
>> the cdp-url configured?  What is that URL?
>>
>> --
>> Regards,
>>
>> Brandon Carroll - CCIE #23837
>> Senior Technical Instructor - IPexpert
>> Mailto: [email protected]
>>
>> Telephone: +1.810.326.1444
>> Live Assistance, Please visit: www.ipexpert.com/chat
>> eFax: +1.810.454.0130
>>
>> IPexpert is a premier provider of Classroom and Self-Study Cisco CCNA
>> (R&S, Voice & Security), CCNP, CCVP, CCSP and CCIE (R&S, Voice, Security &
>> Service Provider) Certification Training with locations throughout the
>> United States, Europe and Australia. Be sure to check out our online
>> communities at www.ipexpert.com/communities and our public website at
>> www.ipexpert.com.
>>
>>
>> ------------------------------
>> *From: *Kingsley Charles <[email protected]>
>> *Date: *Sat, 6 Mar 2010 09:38:54 +0530
>> *To: *Tyson Scott <[email protected]>
>> *Cc: *<[email protected]>, Simon Baumann <[email protected]>,
>> <[email protected]>
>>
>> *Subject: *Re: [OSL | CCIE_Security] Vol1, Lab 4: task 4.6 (enrolling
>>  VPN-Client).
>>
>>
>> For the past two, I am also facing the issue on my local test bed. In the
>> client logs, it says something like the header is empty.
>>
>> It seems the server is not responding but at the same time I am able to enroll
>> the routers to the CA.
>>
>> There is some kind of bug.
>>
>> Why can't we do this directly using Windows?
>>
>>
>> Open the MMC and Add a snap shot for the certification. Select Personal
>> and right > All Tasks > Request New Certificate.
>>
>> But I have not been able to go through, as it says I don't have admin rights or
>> cannot contact active directory
>>
>>
>> http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_cmreqcerts.mspx?mfr=true
>>
>>
>> After getting the cert on the windows certificate personal folder, you can
>> see that in the client.
>>
>>
>> If anyone succeeds, please let me know.
>>
>>
>> With regards
>> Kings
>>
>>
>>
>>
>> On Sat, Mar 6, 2010 at 4:25 AM, Tyson Scott <[email protected]> wrote:
>>
>> Team,
>>
>> Our support team is in the middle of upgrading all our racks to get past
>> this problem.  I believe it to be a problem with the 12.4(24)T1 code.
>> 12.4(15)T9 should also be in the flash of all the routers and if you use
>> that it will work fine.  I hope to have all the racks upgraded very soon.
>>
>> Regards,
>>
>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>> Technical Instructor - IPexpert, Inc.
>> Mailto: [email protected]
>> Telephone: +1.810.326.1444, ext. 208
>>
>> Live Assistance, Please visit: www.ipexpert.com/chat
>> eFax: +1.810.454.0130
>>
>>
>>
>> *From:* [email protected] [mailto:[email protected]]
>> *On Behalf Of *Badar Farooq
>> *Sent:* Friday, March 05, 2010 4:31 PM
>> *To:* Simon Baumann
>> *Cc:* [email protected]
>> *Subject:* Re: [OSL | CCIE_Security] Vol1, Lab 4: task 4.6 (enrolling
>> VPN-Client).
>>
>>
>>
>> I am also struggling with this error.
>> I have checked my configuration and it's otherwise sound.
>> Same CA successfully issues certificates to other routers. But I can't
>> enroll my VPN Client.
>> I am using http://x.x.x.x/cgi-bin/pkiclient.exe as CA url in the vpn
>> client config and I keep getting error 42.
>> Any help will be appreciated
>>
>> Regards
>>
>> On Wed, Jan 6, 2010 at 5:48 PM, Simon Baumann <[email protected]>
>> wrote:
>> Hi,
>> I got a question about task 4.6 of Lab 4. The task requires that the VPN
>> Client has to enroll with R2 to obtain an identity certificate. I get "Error
>> 42" on the VPN Client.
>> If I got everything right, R2 doesn't seem to have a route back to the
>> XP WS. So the XP WS will never be able to enroll until I set a route on R2
>> to reach the XP WS.
>> Is that correct? TIA.
>>
>> Cheers
>> Simon
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
>>
>>
>
>


-- 
Regards,

Stuart Hare
CCIE #25616 (Security), CCSP, Microsoft MCP
Sr. Support Engineer – IPexpert, Inc.
URL: http://www.IPexpert.com
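
Added example, not part of the original thread: a small Python check over a saved running-config that flags the two CA-server settings discussed above, a `cdp-url` missing its `?operation=GetCRL` query and a database level other than `complete`. The config excerpts, the server name `CA1`, the 192.0.2.1 address and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed running-config excerpts (not from the thread). CA1 and
# 192.0.2.1 are placeholders. BROKEN has a cdp-url whose '?' is missing
# and no 'database level complete' line.
BROKEN = """crypto pki server CA1
 cdp-url http://192.0.2.1/cgi-bin/pkiclient.exeoperation=GetCRL
!
"""
FIXED = """crypto pki server CA1
 database level complete
 cdp-url http://192.0.2.1/cgi-bin/pkiclient.exe?operation=GetCRL
!
"""

def pki_server_blocks(config):
    """Yield (name, [sub-commands]) for each 'crypto pki server' block."""
    name, body = None, []
    for line in config.splitlines():
        m = re.match(r"crypto pki server (\S+)", line)
        if m:
            if name is not None:
                yield name, body
            name, body = m.group(1), []
        elif name is not None and line.startswith(" "):
            body.append(line.strip())      # indented line = sub-command
        elif name is not None:
            yield name, body               # '!' or a new top-level command
            name, body = None, []
    if name is not None:
        yield name, body

def check_pki_server(config):
    """Return (server, problem) tuples for the settings named in the thread."""
    findings = []
    for name, body in pki_server_blocks(config):
        urls = [l.split(None, 1)[1] for l in body if l.startswith("cdp-url ")]
        if not urls:
            findings.append((name, "no cdp-url configured"))
        for url in urls:
            p = urlsplit(url)
            if not p.path.endswith("/cgi-bin/pkiclient.exe") or p.query != "operation=GetCRL":
                findings.append((name, "cdp-url lacks '?operation=GetCRL': " + url))
        if "database level complete" not in body:
            findings.append((name, "database level is not complete"))
    return findings
```
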