I have been having this issue for a few days now. Finally the certificate got enrolled properly, but when I dial towards that VPN server it doesn't happen. I did some debugs on the router and found out that the cert is being rejected. Clock and timezone are the same on both devices, and when I click Verify on the VPN Client it says that the certificate is valid. The only problem I am thinking about is that when I created the keys on the IOS device they were 1024 in size; however, when I requested the certificate it shows 2048. This could be a possible key-size mismatch; other than that I can't think of any.
Can you please let me know if you have faced a similar problem where the IOS device is set for 1024 size and the client automatically gets 2048 size.
Please check attachments.
Building configuration...

Current configuration : 2737 bytes
!
! Last configuration change at 09:44:09 KHI Sat Oct 8 2011 by cisco
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Rack1R1
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization network default local
!
aaa session-id common
!
resource policy
!
clock timezone KHI 5
ip cef
!
!
!
!
ip domain name cisco.com
!
!
crypto pki server test
 grant auto
!
crypto pki trustpoint test
 revocation-check crl
 rsakeypair test
!
!
crypto pki certificate chain test
 certificate ca 01
  308201F7 30820160 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  0F310D30 0B060355 04031304 74657374 301E170D 31313130 30383034 34323439
  5A170D31 34313030 37303434 3234395A 300F310D 300B0603 55040313 04746573
  7430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 8100CAAB
  CA388D70 FB978934 DE9DBBC8 A7A98E05 A35332E8 7A4ECB97 8381C483 90B63FEF
  4B447C7B BFE4524B BAEBBEFE 1629C6A1 7181B8B3 AE28534F 5EB4AC63 92875750
  E66DB88C 4A0E9134 752AA65A B6CE2AFC 547ADCA7 8FE3F17F 06561346 8E8625B0
  CDD5C5E3 BCF88560 E134CC8C 85BEE1AB EE77A5F5 04F4BC69 22C53489 C3F90203
  010001A3 63306130 0F060355 1D130101 FF040530 030101FF 300E0603 551D0F01
  01FF0404 03020186 301F0603 551D2304 18301680 14C26AC6 EDB767D0 CBCEB01E
  66A5A13F 7421A48D CB301D06 03551D0E 04160414 C26AC6ED B767D0CB CEB01E66
  A5A13F74 21A48DCB 300D0609 2A864886 F70D0101 04050003 8181006B D9D104CE
  EF95B631 4736CDBA 91936C3D D060F373 182BA65B 4B7040B6 BA4E74CB 21335569
  C215CD79 43B65A7D 4FEE4B13 E8BBFA72 FDBC4AEF 5DAFBFE4 D477A83D 3D282A1C
  38E7AB8A 45DAD79F 6ECC1AEC 34B3014A 471C16E0 0C7EC585 4F5D25A7 1D3F3DAE
  C9FE0ABD CBB4D515 9B3697F1 07D5ECC5 26CA13B1 B1AE098D 52AC27
  quit
username cisco password 0 cisco
!
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 group 2
!
!
crypto ipsec transform-set vpn esp-3des esp-md5-hmac
!
crypto dynamic-map vpn 10
 set transform-set vpn
!
!
crypto map vpn client authentication list default
crypto map vpn isakmp authorization list default
crypto map vpn client configuration address respond
crypto map vpn 10 ipsec-isakmp dynamic vpn
!
!
!
interface Loopback1
 ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 136.1.100.3 255.255.255.0
 duplex auto
 speed auto
 crypto map vpn
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip local pool default 20.0.0.1 20.0.0.254
!
!
ip http server
no ip http secure-server
!
access-list 101 permit ip 136.1.100.0 0.0.0.255 any
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
!
scheduler allocate 20000 1000
ntp master
end
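An added example, written for this page and not part of the original post: a minimal, standard-library-only DER walker that reads the "certificate ca 01" blob from the config above and reports the fields worth checking when a peer certificate is being rejected (subject/issuer, validity window, signature algorithm, RSA modulus size). The parser is hand-written for RSA certificates and only decodes; it does not validate a chain.

```python
# Added example, not from the original post: a stdlib-only DER walker that reads the
# "certificate ca 01" blob from the IOS config above (RSA certificates only, no validation).
import re
from datetime import datetime

# The CA certificate from the router config on this page, hex exactly as IOS prints it.
CA_CERT_HEX = """
308201F7 30820160 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 0F310D30 0B060355 04031304 74657374
301E170D 31313130 30383034 34323439 5A170D31 34313030 37303434 3234395A 300F310D 300B0603 55040313 04746573
7430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 8100CAAB CA388D70 FB978934 DE9DBBC8 A7A98E05
A35332E8 7A4ECB97 8381C483 90B63FEF 4B447C7B BFE4524B BAEBBEFE 1629C6A1 7181B8B3 AE28534F 5EB4AC63 92875750
E66DB88C 4A0E9134 752AA65A B6CE2AFC 547ADCA7 8FE3F17F 06561346 8E8625B0 CDD5C5E3 BCF88560 E134CC8C 85BEE1AB
EE77A5F5 04F4BC69 22C53489 C3F90203 010001A3 63306130 0F060355 1D130101 FF040530 030101FF 300E0603 551D0F01
01FF0404 03020186 301F0603 551D2304 18301680 14C26AC6 EDB767D0 CBCEB01E 66A5A13F 7421A48D CB301D06 03551D0E
04160414 C26AC6ED B767D0CB CEB01E66 A5A13F74 21A48DCB 300D0609 2A864886 F70D0101 04050003 8181006B D9D104CE
EF95B631 4736CDBA 91936C3D D060F373 182BA65B 4B7040B6 BA4E74CB 21335569 C215CD79 43B65A7D 4FEE4B13 E8BBFA72
FDBC4AEF 5DAFBFE4 D477A83D 3D282A1C 38E7AB8A 45DAD79F 6ECC1AEC 34B3014A 471C16E0 0C7EC585 4F5D25A7 1D3F3DAE
C9FE0ABD CBB4D515 9B3697F1 07D5ECC5 26CA13B1 B1AE098D 52AC27
"""

OID_NAMES = {
    "2.5.4.3": "cn",
    "1.2.840.113549.1.1.1": "rsaEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}

def der_read(buf, pos=0):
    """Read one TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:          # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split a constructed value into its (tag, value) items."""
    items, pos = [], 0
    while pos < len(value):
        tag, child, pos = der_read(value, pos)
        items.append((tag, child))
    return items

def oid_name(raw):
    """Decode OBJECT IDENTIFIER contents to dotted form, then to a name if known."""
    parts, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    dotted = ".".join(str(p) for p in parts)
    return OID_NAMES.get(dotted, dotted)

def name_to_str(name):
    """X.501 Name: SEQUENCE OF SET OF SEQUENCE { OID, value }."""
    rdns = []
    for _, rdn_set in der_children(name):
        for _, atv in der_children(rdn_set):
            (_, oid), (_, val) = der_children(atv)
            rdns.append(f"{oid_name(oid)}={val.decode('ascii', 'replace')}")
    return ",".join(rdns)

def parse_time(tag, val):
    """UTCTime (0x17) is YYMMDDHHMMSSZ; GeneralizedTime (0x18) is YYYYMMDDHHMMSSZ."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode("ascii"), fmt)

def inspect_certificate(cert_hex):
    """Return the fields of an RSA X.509 certificate given as IOS-style hex."""
    der = bytes.fromhex(re.sub(r"\s+", "", cert_hex))
    _, cert, end = der_read(der)
    if end != len(der):
        raise ValueError("outer length does not match: blob is truncated or has extra bytes")
    (_, tbs), (_, sig_alg), (_, sig_val) = der_children(cert)
    f = der_children(tbs)
    i = 1 if f[0][0] == 0xA0 else 0      # [0] EXPLICIT version is present on v2/v3 certs
    (nb_tag, nb), (na_tag, na) = der_children(f[i + 3][1])
    (_, key_alg), (_, key_bits) = der_children(f[i + 5][1])
    # BIT STRING payload: one unused-bits byte, then RSAPublicKey { modulus, exponent }
    (_, modulus), _ = der_children(der_children(key_bits[1:])[0][1])
    issuer, subject = name_to_str(f[i + 2][1]), name_to_str(f[i + 4][1])
    return {
        "serial": int.from_bytes(f[i][1], "big"),
        "issuer": issuer, "subject": subject, "self_signed": issuer == subject,
        "not_before": parse_time(nb_tag, nb), "not_after": parse_time(na_tag, na),
        "signature_algorithm": oid_name(der_children(sig_alg)[0][1]),
        "key_algorithm": oid_name(der_children(key_alg)[0][1]),
        "key_bits": int.from_bytes(modulus, "big").bit_length(),
        "signature_bits": (len(sig_val) - 1) * 8,    # minus the unused-bits byte
    }

def weaknesses(info):
    """Findings a reviewer would raise about this certificate's parameters."""
    found = []
    if info["signature_algorithm"].startswith("md5"):
        found.append("signed with MD5, which is not collision resistant")
    if info["key_bits"] < 2048:
        found.append(f"RSA modulus is {info['key_bits']} bits; 2048 is the accepted minimum")
    return found
```

Calling inspect_certificate(CA_CERT_HEX) on the blob above gives cn=test, self-signed, serial 1, valid 2011-10-08 04:42:49 to 2014-10-07 04:42:49, rsaEncryption with a 1024-bit modulus, and an md5WithRSAEncryption signature. Two points follow from that: certificate chain validation checks the subject certificate's signature with the issuer's public key, so a 1024-bit CA can issue a 2048-bit end-entity certificate and the two key sizes do not have to match; and both MD5 signatures and 1024-bit RSA keys are below current minimums, which weaknesses() flags.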
Oct 8 04:46:31.315: ISAKMP (0:134217729): ID payload
next-payload : 6
type : 9
Dist. name : cn=test.cisco
protocol : 17
port : 500
length : 31
Oct 8 04:46:31.315: ISAKMP:(0:1:SW:1):: UNITY's identity FQDN but no group info
Oct 8 04:46:31.315: ISAKMP:(0:1:SW:1):: peer matches *none* of the profiles
Oct 8 04:46:31.319: ISAKMP:(0:1:SW:1): processing CERT payload. message ID = 0
Oct 8 04:46:31.319: ISAKMP:(0:1:SW:1): processing a CT_X509_SIGNATURE cert
Oct 8 04:46:31.319: ISAKMP:(0:1:SW:1): peer's pubkey isn't cached
Oct 8 04:46:31.319: CRYPTO_PKI: Found a issuer match
Oct 8 04:46:31.319: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 136.1.100.100 is bad: CA request failed!
Oct 8 04:46:31.319: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 8 04:46:31.319: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM5 New State = IKE_R_MM5
Oct 8 04:46:31.319: ISAKMP (0:134217729): incrementing error counter on sa, attempt 1 of 5: reset_retransmission
Oct 8 04:46:31.323: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
Oct 8 04:46:31.323: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM5 New State = IKE_R_MM4
Oct 8 04:46:32.319: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH...
Oct 8 04:46:32.319: ISAKMP (0:134217729): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Oct 8 04:46:32.319: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH
Oct 8 04:46:32.319: ISAKMP:(0:1:SW:1): sending packet to 136.1.100.100 my_port 500 peer_port 1436 (R) MM_KEY_EXCH
Oct 8 04:46:32.319: ISAKMP (0:134217729): received packet from 136.1.100.100 dport 500 sport 1436 Global (R) MM_KEY_EXCH
Oct 8 04:46:32.323: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 8 04:46:32.323: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM4 New State = IKE_R_MM5
Oct 8 04:46:32.323: ISAKMP:(0:1:SW:1): processing CERT payload. message ID = 0
Oct 8 04:46:32.323: ISAKMP:(0:1:SW:1): processing a CT_X509_SIGNATURE cert
Oct 8 04:46:32.327: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 8 04:46:32.327: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM5 New State = IKE_R_MM5
Oct 8 04:46:32.331: ISAKMP (0:134217729): incrementing error counter on sa, attempt 1 of 5: reset_retransmission
Oct 8 04:46:32.331: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
Oct 8 04:46:32.331: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM5 New State = IKE_R_MM4
Oct 8 04:46:33.331: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH...
Oct 8 04:46:33.331: ISAKMP (0:134217729): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Oct 8 04:46:33.331: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH
Oct 8 04:46:33.331: ISAKMP:(0:1:SW:1): sending packet to 136.1.100.100 my_port 500 peer_port 1436 (R) MM_KEY_EXCH
Oct 8 04:46:33.331: ISAKMP (0:134217729): received packet from 136.1.100.100 dport 500 sport 1436 Global (R) MM_KEY_EXCH
Oct 8 04:46:33.335: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 8 04:46:33.335: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM4 New State = IKE_R_MM5
Oct 8 04:46:33.335: ISAKMP:(0:1:SW:1): processing CERT payload. message ID = 0
Oct 8 04:46:33.335: ISAKMP:(0:1:SW:1): processing a CT_X509_SIGNATURE cert
Oct 8 04:46:33.335: ISAKMP:(0:1:SW:1): peer's pubkey isn't cached
Oct 8 04:46:33.335: CRYPTO_PKI: Found a issuer match
Oct 8 04:46:33.335: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 136.1.100.100 is bad: CA request failed!
Oct 8 04:46:33.339: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 8 04:46:33.339: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM5 New State = IKE_R_MM5
Oct 8 04:46:33.339: ISAKMP (0:134217729): incrementing error counter on sa, attempt 1 of 5: reset_retransmission
Oct 8 04:46:33.339: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
Oct 8 04:46:33.339: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM5 New State = IKE_R_MM4
Oct 8 04:46:34.339: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH...
Oct 8 04:46:34.339: ISAKMP (0:134217729): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Oct 8 04:46:34.339: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH
Oct 8 04:46:34.339: ISAKMP:(0:1:SW:1): sending packet to 136.1.100.100 my_port 500 peer_port 1436 (R) MM_KEY_EXCH
Oct 8 04:46:34.339: ISAKMP (0:134217729): received packet from 136.1.100.100 dport 500 sport 1436 Global (R) MM_KEY_EXCH
Oct 8 04:46:34.343: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 8 04:46:34.343: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM4 New State = IKE_R_MM5
Oct 8 04:46:34.343: ISAKMP:(0:1:SW:1): processing CERT payload. message ID = 0
Oct 8 04:46:34.343: ISAKMP:(0:1:SW:1): processing a CT_X509_SIGNATURE cert
Oct 8 04:46:34.343: ISAKMP:(0:1:SW:1): peer's pubkey isn't cached
Oct 8 04:46:34.343: CRYPTO_PKI: Found a issuer match
Oct 8 04:46:34.343: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 136.1.100.100 is bad: CA request failed!
Oct 8 04:46:34.347: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 8 04:46:34.347: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM5 New State = IKE_R_MM5
Oct 8 04:46:34.347: ISAKMP (0:134217729): incrementing error counter on sa, attempt 1 of 5: reset_retransmission
Oct 8 04:46:34.347: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
Oct 8 04:46:34.347: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM5 New State = IKE_R_MM4
Oct 8 04:46:35.347: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH...
Oct 8 04:46:35.347: ISAKMP (0:134217729): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Oct 8 04:46:35.347: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH
Oct 8 04:46:35.347: ISAKMP:(0:1:SW:1): sending packet to 136.1.100.100 my_port 500 peer_port 1436 (R) MM_KEY_EXCH
Oct 8 04:46:35.347: ISAKMP (0:134217729): received packet from 136.1.100.100 dport 500 sport 1436 Global (R) MM_KEY_EXCH
Oct 8 04:46:35.347: ISAKMP: set new node -439926069 to CONF_XAUTH
Oct 8 04:46:35.347: ISAKMP (0:134217729): received packet from 136.1.100.100 dport 500 sport 1436 Global (R) MM_KEY_EXCH
Oct 8 04:46:35.347: ISAKMP (0:134217729): received packet from 136.1.100.100 dport 500 sport 1436 Global (R) MM_KEY_EXCH
Oct 8 04:46:35.351: ISAKMP (0:134217729): received packet from 136.1.100.100 dport 500 sport 1436 Global (R) MM_KEY_EXCH
Oct 8 04:46:35.351: ISAKMP (0:134217729): received packet from 136.1.100.100 dport 500 sport 1436 Global (R) MM_KEY_EXCH
Oct 8 04:46:35.351: ISAKMP: Info Notify message requeue retry counter exceeded sa request from 136.1.100.100 to 136.1.100.3.
Oct 8 04:46:45.347: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH...
Oct 8 04:46:45.347: ISAKMP (0:134217729): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Oct 8 04:46:45.347: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH
Oct 8 04:46:45.347: ISAKMP:(0:1:SW:1): sending packet to 136.1.100.100 my_port 500 peer_port 1436 (R) MM_KEY_EXCH

<<attachment: vpnclient.JPG>>
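An added example, written for this page and not part of the original post: a small triage script for an IOS 12.4 "debug crypto isakmp" capture like the one above. It re-joins messages that a mail client wrapped mid-line, then reduces the capture to the facts a responder acts on: which peer's certificate was rejected and why, how far the retransmit counter got, and the last IKE state reached. The regexes are tuned to the debug text on this page; the sample input is a constructed excerpt of lines copied from that debug, and IKE_P1_COMPLETE is the state IOS prints when main mode finishes.

```python
# Added example, not from the original post: summarise an IOS "debug crypto isakmp"
# capture (phase 1, responder side) the way the one on this page was delivered by mail.
import re
from collections import Counter

TS_RE = re.compile(r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d\.\d+: ")
INVAL_RE = re.compile(r"%CRYPTO-5-IKMP_INVAL_CERT: Certificate received from (\S+) is bad: (.+)")
STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
RETRY_RE = re.compile(r"incrementing error counter on sa, attempt (\d+) of (\d+): (.+)")
EXCEEDED_RE = re.compile(r"retry counter exceeded sa request from (\S+) to (\d+(?:\.\d+){3})")

# Constructed sample: lines copied from the debug on this page, two of them wrapped
# mid-message exactly as the mailing list delivered them.
SAMPLE_DEBUG = """\
Oct 8 04:46:31.319: ISAKMP:(0:1:SW:1): processing CERT payload. message ID = 0
Oct 8 04:46:31.319: CRYPTO_PKI: Found a issuer match
Oct 8 04:46:31.319: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from
136.1.100.100 is bad: CA request failed!
Oct 8 04:46:31.319: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM5 New State =
IKE_R_MM5
Oct 8 04:46:31.319: ISAKMP (0:134217729): incrementing error counter on sa, attempt 1 of 5: reset_retransmission
Oct 8 04:46:31.323: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM5 New State = IKE_R_MM4
Oct 8 04:46:32.319: ISAKMP (0:134217729): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Oct 8 04:46:33.335: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 136.1.100.100 is bad: CA request failed!
Oct 8 04:46:35.351: ISAKMP: Info Notify message requeue retry counter exceeded sa request from 136.1.100.100 to 136.1.100.3.
Oct 8 04:46:45.347: ISAKMP (0:134217729): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
"""

def unwrap(text):
    """Re-join mail-wrapped messages: a line without a timestamp prefix continues the previous one."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TS_RE.match(line) or not lines:
            lines.append(line)
        else:
            lines[-1] += " " + line
    return lines

def triage(debug_text):
    """Reduce a phase-1 debug to the facts a troubleshooter needs."""
    report = {
        "cert_failures": Counter(),   # (peer, reason) -> how many times it was logged
        "states_seen": [],
        "phase1_completed": False,
        "max_attempt": 0,
        "retry_limit": None,
        "retry_exceeded_for": None,   # (initiator, responder) once IOS gives up on the SA
    }
    for line in unwrap(debug_text):
        if m := INVAL_RE.search(line):
            report["cert_failures"][(m.group(1), m.group(2).strip())] += 1
        elif m := STATE_RE.search(line):
            report["states_seen"].append(m.group(2))
            if m.group(2) == "IKE_P1_COMPLETE":
                report["phase1_completed"] = True
        elif m := RETRY_RE.search(line):
            report["max_attempt"] = max(report["max_attempt"], int(m.group(1)))
            report["retry_limit"] = int(m.group(2))
        elif m := EXCEEDED_RE.search(line):
            report["retry_exceeded_for"] = (m.group(1), m.group(2))
    report["last_state"] = report["states_seen"][-1] if report["states_seen"] else None
    return report

def explain(report):
    """One-line reading of the report, in the order a troubleshooter checks things."""
    if report["phase1_completed"]:
        return "phase 1 completed; the problem is past IKE authentication"
    if report["cert_failures"]:
        (peer, reason), n = report["cert_failures"].most_common(1)[0]
        return (f"phase 1 stuck at {report['last_state']}: certificate from {peer} rejected "
                f"{n}x ({reason}); retransmits reached attempt {report['max_attempt']} "
                f"of {report['retry_limit']}")
    return f"phase 1 stuck at {report['last_state']} with no certificate error logged"
```

Run on the excerpt, triage() reports two rejections of the certificate from 136.1.100.100 with reason "CA request failed!", retransmits up to attempt 3 of 5, no IKE_P1_COMPLETE, and a final state of IKE_R_MM4, which is the responder waiting for the initiator to resend its MM_KEY_EXCH message. The debug only says that the responder's own PKI check failed, not which check; the trustpoint in the config above has revocation-check crl, so CRL availability is one of the settings to confirm on the responder side.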
