OK, I'll look at that lab again, but I'm glad you got it worked out. Can you send me your final config?

Regards,

Brandon Carroll - CCIE #23837
Senior Technical Instructor - IPexpert
Mailto: [email protected]
Telephone: +1.810.326.1444
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Classroom and Self-Study Cisco CCNA (R&S, Voice & Security), CCNP, CCVP, CCSP and CCIE (R&S, Voice, Security & Service Provider) Certification Training with locations throughout the United States, Europe and Australia. Be sure to check out our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com.

On Sat, Mar 6, 2010 at 10:40 AM, Kingsley Charles <[email protected]> wrote:
> Hi Brandon
>
> Just brought the client connection with the IOS server up. The IOS EzVPN
> server just had a cert without cn or ou. I had "crypto isakmp identity dn"
> configured. Without it, the certification validation failed on the client.
>
> The CA server just has grant auto and issuer-name configured.
>
> One of the CA options asked to be configured in the VPN (4A IOS EzVPN
> server) lab is causing the issue.
>
> With regards
> Kings
>
> On Sat, Mar 6, 2010 at 9:58 AM, Brandon Carroll <[email protected]>
> wrote:
>>
>> Kings,
>>
>> I’ve had the same issue in testing and upgrading to the T2 code solved it.
>> With me, the enrollment was successful but the tunnel failed because of the
>> way the client was verifying the cert. Another thing that I’ve seen make it
>> work is setting the database level to complete on the PKI server. I’m not
>> sure why there was a difference though. I need to test it again.
>>
>> Anyhow, if you are still seeing this issue what code are you running on
>> the PKI server and what URL are you using to enroll the client? Do you have
>> the cdp-url configured? What is that URL?
>>
>> ________________________________
>> From: Kingsley Charles <[email protected]>
>> Date: Sat, 6 Mar 2010 09:38:54 +0530
>> To: Tyson Scott <[email protected]>
>> Cc: <[email protected]>, Simon Baumann <[email protected]>,
>> <[email protected]>
>> Subject: Re: [OSL | CCIE_Security] Vol1, Lab 4: task 4.6 (enrolling
>> VPN-Client).
>>
>> For the past two, I am also facing the issue on my local test bed. In the
>> client logs, it says something like the header is empty.
>>
>> It seems the server is not responding but at the same time I am able to
>> enroll the routers to the CA.
>>
>> There is some kind of bug.
>>
>> Why can't we do this directly using Windows?
>>
>> Open the MMC and Add a snap shot for the certification. Select Personal
>> and right > All Tasks > Request New Certificate.
>>
>> But I have not been able to go through, as it says I don't have admin
>> rights or cannot contact Active Directory.
>>
>> http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_cmreqcerts.mspx?mfr=true
>>
>> After getting the cert on the Windows certificate personal folder, you can
>> see that in the client.
>>
>> If anyone succeeds, please let me know.
>>
>> With regards
>> Kings
>>
>> On Sat, Mar 6, 2010 at 4:25 AM, Tyson Scott <[email protected]> wrote:
>>
>> Team,
>>
>> Our support team is in the middle of upgrading all our racks to get past
>> this problem. I believe it to be a problem with the 12.4(24)T1 code.
>> 12.4(15)T9 should also be in the flash of all the routers and if you use
>> that it will work fine. I hope to have all the racks upgraded very soon.
>>
>> Regards,
>>
>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>> Technical Instructor - IPexpert, Inc.
>> Mailto: [email protected]
>> Telephone: +1.810.326.1444, ext. 208
>>
>> From: [email protected]
>> [mailto:[email protected]] On Behalf Of Badar Farooq
>> Sent: Friday, March 05, 2010 4:31 PM
>> To: Simon Baumann
>> Cc: [email protected]
>> Subject: Re: [OSL | CCIE_Security] Vol1, Lab 4: task 4.6 (enrolling
>> VPN-Client).
>>
>> I am also struggling with this error.
>> I have checked my configuration and it's otherwise sound.
>> Same CA successfully issues certificates to other routers. But I can't
>> enroll my VPN Client.
>> I am using http://x.x.x.x/cgi-bin/pkiclient.exe as CA URL in the VPN
>> client config and I keep getting error 42.
>> Any help will be appreciated
>>
>> Regards
>>
>> On Wed, Jan 6, 2010 at 5:48 PM, Simon Baumann <[email protected]>
>> wrote:
>> Hi,
>> I got a question about task 4.6 of Lab 4. The task requires that the VPN
>> Client has to enroll with R2 to obtain an identity certificate. I get "Error
>> 42" on the VPN Client.
>> If I got everything right, R2 doesn't seem to have a route back to the
>> XP WS. So the XP WS will never be able to enroll until I set a route on R2
>> to reach the XP WS.
>> Is that correct? TIA.
>>
>> Cheers
>> Simon
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
