Ok, I tried removing all the options one by one and tried enrolling. At last I removed the CA server completely and configured a fresh one with just grant auto and the issuer name. It worked.
I am suspecting either the flash location as flash or database archive is the reason. They were the two options that were left when I deleted the server config completely. Badar's config too doesn't have archive as well as database location config options.

With regards
Kings

On Sat, Mar 6, 2010 at 2:37 PM, Badar Farooq <[email protected]> wrote:

> A big fat thanks to all of you.
> With the following config for the CA
>
> crypto pki server IOS-CA
>  database level complete
>  issuer-name cn=R2.cisco.com ou=CA-auth l=us
>  grant auto
>  cdp-url http://150.1.12.2/cgi-bin/pkiclient.exe?operation=GetCRL
>
> I was able to obtain the certificate on the vpn client.
>
> I went further and tested per user pki authorization and tunnel came up
> fine and everything worked great.
>
> This list is a life saver..
>
> Once again, thank you, specially Brandon, Kingsley, Tyson and Simon :)
>
> Regards
>
>
> On Sat, Mar 6, 2010 at 10:51 AM, Brandon Carroll <[email protected]> wrote:
>
>> Your code should be fine. When I said enrollment url I should have said
>> cdp url on the CA server. That has affected clients obtaining certs for me
>> in the past.
>>
>> Crypto pki server XXXX
>>  Cdp-url http://X.X.X.X/cgi-bin/pkiclient.exe?operation=GetCRL
>>
>> --
>> Regards,
>>
>> Brandon Carroll - CCIE #23837
>> Senior Technical Instructor - IPexpert
>> Mailto: [email protected]
>> Telephone: +1.810.326.1444
>> Live Assistance, Please visit: www.ipexpert.com/chat
>> eFax: +1.810.454.0130
>>
>> IPexpert is a premier provider of Classroom and Self-Study Cisco CCNA
>> (R&S, Voice & Security), CCNP, CCVP, CCSP and CCIE (R&S, Voice, Security &
>> Service Provider) Certification Training with locations throughout the
>> United States, Europe and Australia. Be sure to check out our online
>> communities at www.ipexpert.com/communities and our public website at
>> www.ipexpert.com.
>>
>> ------------------------------
>> From: Badar Farooq <[email protected]>
>> Date: Sat, 6 Mar 2010 10:00:35 +0300
>> To: Brandon Carroll <[email protected]>
>> Cc: Kingsley Charles <[email protected]>, Tyson Scott <[email protected]>,
>> Simon Baumann <[email protected]>, <[email protected]>
>> Subject: Re: [OSL | CCIE_Security] Vol1, Lab 4: task 4.6 (enrolling
>> VPN-Client).
>>
>> Hi All
>> My IOS is 12.4(15)T9, so I should not have an issue, right?
>> Also Brandon, what do you mean by "Also check the URL on the PKi server
>> and make sure it has the "?" Mark in the URL. "?
>>
>> My enrollment URL was http://x.x.x.x/cgi-bin/pkiclient.exe, where x.x.x.x
>> is the IP of the CA server router. Is it wrong?
>> I am testing it on a single one router dynamips topology, and I will try
>> again with cdp url configured and database level complete but I need a
>> confirmation that everything else I am doing is correct.
>>
>> Can somebody just detail the step by step process? I will be really
>> grateful.
>>
>> Regards
>>
>>
>> On Sat, Mar 6, 2010 at 7:28 AM, Brandon Carroll <[email protected]>
>> wrote:
>>
>> Kings,
>>
>> I’ve had the same issue in testing and upgrading to the T2 code solved it.
>> With me, the enrollment was successful but the tunnel failed because of the
>> way the client was verifying the cert. Another thing that I’ve seen make it
>> work is setting the database level to complete on the PKI server. I’m not
>> sure why there was a difference though. I need to test it again.
>>
>> Anyhow, if you are still seeing this issue what code are you running on
>> the PKI server and what URL are you using to enroll the client? Do you have
>> the cdp-url configured? What is that URL?
>>
>> --
>> Regards,
>>
>> Brandon Carroll - CCIE #23837
>> Senior Technical Instructor - IPexpert
>> Mailto: [email protected]
>> Telephone: +1.810.326.1444
>> Live Assistance, Please visit: www.ipexpert.com/chat
>> eFax: +1.810.454.0130
>>
>> ------------------------------
>> From: Kingsley Charles <[email protected]>
>> Date: Sat, 6 Mar 2010 09:38:54 +0530
>> To: Tyson Scott <[email protected]>
>> Cc: <[email protected]>, Simon Baumann <[email protected]>,
>> <[email protected]>
>> Subject: Re: [OSL | CCIE_Security] Vol1, Lab 4: task 4.6 (enrolling
>> VPN-Client).
>>
>> For the past two, I am also facing the issue on my local test bed. In the
>> client logs, it says something like the header is empty.
>>
>> It seems the server is not responding but at the same I am able to enroll
>> the routers to the CA.
>>
>> There is some kind of bug.
>>
>> Why can't we do this directly using Windows?
>>
>> Open the MMC and Add a snap shot for the certification. Select Personal
>> and right > All Tasks > Request New Certificate.
>>
>> But I have not been able to go through, as it says I don't have admin rights or
>> cannot contact active directory
>>
>> http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_cmreqcerts.mspx?mfr=true
>>
>> After getting the cert on the windows certificate personal folder, you can
>> see that in the client.
>>
>> If anyone succeeds, please let me know.
>>
>> With regards
>> Kings
>>
>>
>> On Sat, Mar 6, 2010 at 4:25 AM, Tyson Scott <[email protected]> wrote:
>>
>> Team,
>>
>> Our support team is in the middle of upgrading all our racks to get past
>> this problem. I believe it to be a problem with the 12.4(24)T1 code.
>> 12.4(15)T9 should also be in the flash of all the routers and if you use
>> that it will work fine. I hope to have all the racks upgraded very soon.
>>
>> Regards,
>>
>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>> Technical Instructor - IPexpert, Inc.
>> Mailto: [email protected]
>> Telephone: +1.810.326.1444, ext. 208
>> Live Assistance, Please visit: www.ipexpert.com/chat
>> eFax: +1.810.454.0130
>>
>>
>> From: [email protected] [mailto:[email protected]]
>> On Behalf Of Badar Farooq
>> Sent: Friday, March 05, 2010 4:31 PM
>> To: Simon Baumann
>> Cc: [email protected]
>> Subject: Re: [OSL | CCIE_Security] Vol1, Lab 4: task 4.6 (enrolling
>> VPN-Client).
>>
>> I am also struggling with this error.
>> I have checked my configuration and it's otherwise sound.
>> Same CA successfully issues certificates to other routers. But I can't
>> enroll my VPN Client.
>> I am using http://x.x.x.x/cgi-bin/pkiclient.exe as CA url in the vpn
>> client config and I keep getting error 42.
>> Any help will be appreciated
>>
>> Regards
>>
>> On Wed, Jan 6, 2010 at 5:48 PM, Simon Baumann <[email protected]>
>> wrote:
>> Hi,
>> I got a question about task 4.6 of Lab 4. The task requires that the VPN
>> Client has to enroll with R2 to obtain identity certificate. I get "Error
>> 42" on the VPN Client.
>> If I got everything right, R2 doesn't have to seem and route back to the
>> XP WS. So the XP WS will never be able to enroll until I set a route on R2
>> to reach the XP WS.
>> Is that correct? TIA.
>>
>> Cheers
>> Simon
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
