A big fat thanks to all of you. With the following config for the CA

crypto pki server IOS-CA
 database level complete
 issuer-name cn=R2.cisco.com ou=CA-auth l=us
 grant auto
 cdp-url http://150.1.12.2/cgi-bin/pkiclient.exe?operation=GetCRL

I was able to obtain the certificate on the vpn client. I went further and tested per user pki authorization and tunnel came up fine and everything worked great. This list is a life saver. Once again, thank you, especially Brandon, Kingsley, Tyson and Simon :)

Regards

On Sat, Mar 6, 2010 at 10:51 AM, Brandon Carroll <[email protected]> wrote:
> Your code should be fine. When I said enrollment url I should have said
> cdp url on the CA server. That has affected clients obtaining certs for me
> in the past.
>
> Crypto pki server XXXX
> Cdp-url http://X.X.X.X/cgi-bin/pkiclient.exe?operation=GetCRL
>
> --
> Regards,
>
> Brandon Carroll - CCIE #23837
> Senior Technical Instructor - IPexpert
> Mailto: [email protected]
> Telephone: +1.810.326.1444
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
> IPexpert is a premier provider of Classroom and Self-Study Cisco CCNA (R&S,
> Voice & Security), CCNP, CCVP, CCSP and CCIE (R&S, Voice, Security & Service
> Provider) Certification Training with locations throughout the United
> States, Europe and Australia. Be sure to check out our online communities at
> www.ipexpert.com/communities and our public website at www.ipexpert.com.
>
> ------------------------------
> From: Badar Farooq <[email protected]>
> Date: Sat, 6 Mar 2010 10:00:35 +0300
> To: Brandon Carroll <[email protected]>
> Cc: Kingsley Charles <[email protected]>, Tyson Scott <[email protected]>,
> Simon Baumann <[email protected]>, <[email protected]>
> Subject: Re: [OSL | CCIE_Security] Vol1, Lab 4: task 4.6 (enrolling
> VPN-Client).
>
> Hi All
> My IOS is 12.4(15)T9, so I should not have an issue, right?
> Also Brandon, what do you mean by "Also check the URL on the PKi server and
> make sure it has the "?" Mark in the URL."?
>
> My enrollment URL was http://x.x.x.x/cgi-bin/pkiclient.exe, where x.x.x.x
> is the IP of the CA server router. Is it wrong?
> I am testing it on a single one router dynamips topology, and I will try
> again with cdp url configured and database level complete but I need a
> confirmation that everything else I am doing is correct.
>
> Can somebody just detail the step by step process? I will be really
> grateful.
>
> Regards
>
> On Sat, Mar 6, 2010 at 7:28 AM, Brandon Carroll <[email protected]> wrote:
>
> Kings,
>
> I’ve had the same issue in testing and upgrading to the T2 code solved it.
> With me, the enrollment was successful but the tunnel failed because of the
> way the client was verifying the cert. Another thing that I’ve seen make it
> work is setting the database level to complete on the PKI server. I’m not
> sure why there was a difference though. I need to test it again.
>
> Anyhow, if you are still seeing this issue what code are you running on the
> PKI server and what URL are you using to enroll the client? Do you have the
> cdp-url configured? What is that URL?
>
> --
> Regards,
>
> Brandon Carroll - CCIE #23837
> Senior Technical Instructor - IPexpert
>
> ------------------------------
> From: Kingsley Charles <[email protected]>
> Date: Sat, 6 Mar 2010 09:38:54 +0530
> To: Tyson Scott <[email protected]>
> Cc: <[email protected]>, Simon Baumann <[email protected]>,
> <[email protected]>
> Subject: Re: [OSL | CCIE_Security] Vol1, Lab 4: task 4.6 (enrolling
> VPN-Client).
>
> For the past two, I am also facing the issue on my local test bed. In the
> client logs, it says something like the header is empty.
>
> It seems the server is not responding but at the same time I am able to
> enroll the routers to the CA.
>
> There is some kind of bug.
>
> Why can't we do this directly using Windows?
>
> Open the MMC and Add a snap shot for the certification. Select Personal and
> right > All Tasks > Request New Certificate.
>
> But I have not been able to go through, as it says I don't have admin rights
> or cannot contact active directory
>
> http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_cmreqcerts.mspx?mfr=true
>
> After getting the cert on the windows certificate personal folder, you can
> see that in the client.
>
> If anyone succeeds, please let me know.
>
> With regards
> Kings
>
> On Sat, Mar 6, 2010 at 4:25 AM, Tyson Scott <[email protected]> wrote:
>
> Team,
>
> Our support team is in the middle of upgrading all our racks to get past
> this problem. I believe it to be a problem with the 12.4(24)T1 code.
> 12.4(15)T9 should also be in the flash of all the routers and if you use
> that it will work fine. I hope to have all the racks upgraded very soon.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Technical Instructor - IPexpert, Inc.
> Mailto: [email protected]
> Telephone: +1.810.326.1444, ext. 208
>
> From: [email protected] [mailto:[email protected]]
> On Behalf Of Badar Farooq
> Sent: Friday, March 05, 2010 4:31 PM
> To: Simon Baumann
> Cc: [email protected]
> Subject: Re: [OSL | CCIE_Security] Vol1, Lab 4: task 4.6 (enrolling
> VPN-Client).
>
> I am also struggling with this error.
> I have checked my configuration and it's otherwise sound.
> Same CA successfully issues certificates to other routers. But I can't enroll
> my VPN Client.
> I am using http://x.x.x.x/cgi-bin/pkiclient.exe as CA url in the vpn
> client config and I keep getting error 42.
> Any help will be appreciated
>
> Regards
>
> On Wed, Jan 6, 2010 at 5:48 PM, Simon Baumann <[email protected]> wrote:
> Hi,
> I got a question about task 4.6 of Lab 4. The task requires that the VPN
> Client has to enroll with R2 to obtain identity certificate. I get "Error
> 42" on the VPN Client.
> If I got everything right, R2 doesn't have to seem and route back to the XP
> WS. So the XP WS will never be able to enroll until I set a route on R2 to
> reach the XP WS.
> Is that correct? TIA.
>
> Cheers
> Simon
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
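
A configuration check for the two CA-server settings this thread ended up changing, `database level complete` and a `cdp-url` that still carries its `?operation=GetCRL` query, as an added example that is not from any of the posters. The function names, finding strings and both sample configs are constructed; the BAD sample shows what is left when the `?` is lost at entry (added background: the IOS CLI treats a typed `?` as a help request unless it is preceded by Ctrl-V).

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample configs. GOOD mirrors the settings reported working in
# the thread; BAD shows a cdp-url whose "?" never made it into the config.
GOOD = """\
crypto pki server IOS-CA
 database level complete
 issuer-name cn=R2.cisco.com ou=CA-auth l=us
 grant auto
 cdp-url http://150.1.12.2/cgi-bin/pkiclient.exe?operation=GetCRL
!
"""
BAD = """\
crypto pki server IOS-CA
 issuer-name cn=R2.cisco.com ou=CA-auth l=us
 grant auto
 cdp-url http://150.1.12.2/cgi-bin/pkiclient.exeoperation=GetCRL
!
"""

def pki_server_blocks(config):
    """Map each 'crypto pki server NAME' to its indented sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto pki server (\S+)\s*$", line)
        if m:
            current = blocks.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None          # any non-indented line ends the block
    return blocks

def lint_ca_server(config):
    """Return (server, finding) pairs for the settings discussed in the thread."""
    findings = []
    for name, cmds in pki_server_blocks(config).items():
        if "database level complete" not in cmds:
            findings.append((name, "database level is not 'complete'"))
        urls = [c.split(None, 1)[1] for c in cmds if c.startswith("cdp-url ")]
        if not urls:
            findings.append((name, "no cdp-url configured"))
        for url in urls:
            query = parse_qs(urlsplit(url).query)
            if query.get("operation") != ["GetCRL"]:
                findings.append((name, "cdp-url lacks '?operation=GetCRL': " + url))
    return findings

if __name__ == "__main__":
    for label, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, lint_ca_server(cfg) or "ok")
```
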
