Hi Mike,

Is it an ASA-to-ASA lan2lan tunnel? What's the tunnel-group name?

Eugene
From: [email protected] [mailto:[email protected]] On Behalf Of Mike Rojas
Sent: Saturday, July 07, 2012 4:12 PM
To: [email protected]
Subject: [OSL | CCIE_Security] Certificate maps

Hey Guys,

Just wanted to throw this one out. Sometimes I got freaked out about my certificate map not matching against what I am looking for on the Certificate of the peer, for example:

7 23:06:51.734: ISAKMP:(4003): processing ID payload. message ID = 0
Jul 7 23:06:51.734: ISAKMP (0:4003): ID payload next-payload : 6 type : 9 Dist. name : hostname=ASA2 protocol : 0 port : 0 length : 31
Jul 7 23:06:51.734: ISAKMP:(0):: UNITY's identity FQDN but no group info
Jul 7 23:06:51.734: ISAKMP:(0):: peer matches *none* of the profiles
Jul 7 23:06:51.734: ISAKMP:(4003): processing CERT payload. message ID = 0
Jul 7 23:06:51.734: ISAKMP:(4003): processing a CT_X509_SIGNATURE cert
Jul 7 23:06:51.738: ISAKMP:(4003): peer's pubkey is cached
Jul 7 23:06:51.738: ISAKMP:(4003): Unable to get DN from certificate!
Jul 7 23:06:51.738: ISAKMP:(4003): Cert presented by peer contains no OU field.

But later on, you see that it continues looking into the Certificate payload and then:

Jul 7 23:06:51.742: ISAKMP:(0): certificate map matches L2L profile
Jul 7 23:06:51.742: ISAKMP:(0): Trying to re-validate CERT using new profile
Jul 7 23:06:51.742: ISAKMP:(0): CERT validity confirmed.
Jul 7 23:06:51.742: ISAKMP:(4003):Profile has no keyring, aborting key search
Jul 7 23:06:51.742: ISAKMP:(4003): processing SIG payload. message ID = 0
Jul 7 23:06:51.746: ISAKMP:received payload type 17
Jul 7 23:06:51.746: ISAKMP:(4003): processing vendor id payload
Jul 7 23:06:51.746: ISAKMP:(4003): vendor ID is DPD
Jul 7 23:06:51.746: ISAKMP:(4003):SA authentication status:

Mainly it tries to match it against "known fields" following the procedure, then it checks for the certificate map. Annnyyway... just wanted to throw it out in case someone freaks out as well.

Mike Rojas
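The two-stage behaviour Mike describes (identity match first, certificate map second) is easy to misread when the debug output scrolls past. The following is an added example, not code from the post or from Cisco: a small Python triage script that reads "debug crypto isakmp" lines, records the intermediate "peer matches *none* of the profiles" decision and the later "certificate map matches ... profile" decision, and reports which one actually selected the profile. The line-parsing regex is written only against the line shapes visible in the excerpt above, the second sample (identity and certificate map both failing) is constructed, and the reading that the map match only counts once "CERT validity confirmed." follows it is an interpretation of the excerpt, not a documented contract.

```python
"""Triage "debug crypto isakmp" output for ISAKMP profile selection.

Added example; the parsing patterns are derived from the debug excerpt
in the mailing-list post and cover only the line shapes seen there.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the relevant lines from the post's excerpt, one event
# per line (the mail has them run together).
SAMPLE_DEBUG = """\
Jul 7 23:06:51.734: ISAKMP:(4003): processing ID payload. message ID = 0
Jul 7 23:06:51.734: ISAKMP (0:4003): ID payload next-payload : 6 type : 9 Dist. name : hostname=ASA2 protocol : 0 port : 0 length : 31
Jul 7 23:06:51.734: ISAKMP:(0):: UNITY's identity FQDN but no group info
Jul 7 23:06:51.734: ISAKMP:(0):: peer matches *none* of the profiles
Jul 7 23:06:51.734: ISAKMP:(4003): processing CERT payload. message ID = 0
Jul 7 23:06:51.738: ISAKMP:(4003): Unable to get DN from certificate!
Jul 7 23:06:51.738: ISAKMP:(4003): Cert presented by peer contains no OU field.
Jul 7 23:06:51.742: ISAKMP:(0): certificate map matches L2L profile
Jul 7 23:06:51.742: ISAKMP:(0): Trying to re-validate CERT using new profile
Jul 7 23:06:51.742: ISAKMP:(0): CERT validity confirmed.
Jul 7 23:06:51.742: ISAKMP:(4003):Profile has no keyring, aborting key search
"""

# Constructed sample of the real failure mode: identity match fails and no
# certificate map matches afterwards, so the peer ends up with no profile.
SAMPLE_NO_MATCH = """\
Jul 7 23:06:51.734: ISAKMP:(4003): processing ID payload. message ID = 0
Jul 7 23:06:51.734: ISAKMP:(0):: peer matches *none* of the profiles
Jul 7 23:06:51.734: ISAKMP:(4003): processing CERT payload. message ID = 0
Jul 7 23:06:51.738: ISAKMP:(4003): Cert presented by peer contains no OU field.
"""

# Timestamp, optional SA/connection id and message of one debug line.  The id
# appears as "ISAKMP:(4003):", "ISAKMP (0:4003):" and "ISAKMP:(0)::" in the
# excerpt, so the separator handling is deliberately loose.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d(?:\.\d+)?):\s*"
    r"ISAKMP:?\s*(?:\((?P<sa>[\d:]+)\))?:*\s*(?P<msg>.*)$"
)
IDENTITY_DN_RE = re.compile(r"Dist\. name\s*:\s*(?P<dn>\S+)")
NONE_RE = re.compile(r"peer matches \*none\* of the profiles")
CERTMAP_RE = re.compile(r"certificate map matches (?P<profile>\S+) profile")
CONFIRMED_RE = re.compile(r"CERT validity confirmed")
NOTE_RE = re.compile(r"Unable to get DN|contains no OU field|Profile has no keyring")


@dataclass
class ProfileSelection:
    peer_identity: Optional[str] = None
    identity_rejected: bool = False        # "peer matches *none* of the profiles" seen
    cert_map_profile: Optional[str] = None
    cert_validated: bool = False           # "CERT validity confirmed." after the map match
    notes: List[str] = field(default_factory=list)

    @property
    def selected_profile(self) -> Optional[str]:
        # The certificate-map decision comes after the identity decision and
        # supersedes it, but only once the certificate is re-validated.
        if self.cert_map_profile and self.cert_validated:
            return self.cert_map_profile
        return None

    @property
    def verdict(self) -> str:
        if self.selected_profile:
            return (f"profile '{self.selected_profile}' selected by certificate map; "
                    "the earlier identity mismatch is expected")
        if self.cert_map_profile:
            return (f"certificate map matched '{self.cert_map_profile}' "
                    "but the certificate was not re-validated")
        return "no ISAKMP profile matched (identity and certificate map both failed)"


def parse_lines(text: str) -> List[Tuple[str, Optional[str], str]]:
    """Split debug output into (timestamp, sa_id, message); skip non-ISAKMP lines."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append((m.group("ts"), m.group("sa"), m.group("msg")))
    return events


def analyze(text: str) -> ProfileSelection:
    """Walk the events in order and record both profile-selection decisions."""
    result = ProfileSelection()
    for _ts, _sa, msg in parse_lines(text):
        if (m := IDENTITY_DN_RE.search(msg)):
            result.peer_identity = m.group("dn")
        elif NONE_RE.search(msg):
            result.identity_rejected = True
        elif (m := CERTMAP_RE.search(msg)):
            result.cert_map_profile = m.group("profile")
            result.cert_validated = False      # validation must follow the new match
        elif CONFIRMED_RE.search(msg) and result.cert_map_profile:
            result.cert_validated = True
        elif NOTE_RE.search(msg):
            result.notes.append(msg)           # informational, not a failure by itself
    return result


if __name__ == "__main__":
    for name, sample in (("post excerpt", SAMPLE_DEBUG), ("no match", SAMPLE_NO_MATCH)):
        r = analyze(sample)
        print(f"{name}: peer={r.peer_identity} -> {r.verdict}")
        for n in r.notes:
            print(f"  note: {n}")
```

Running it on the post's excerpt reports the L2L profile as selected by the certificate map with the "no OU field" and "no keyring" lines listed as notes; on the constructed second sample it reports that no profile matched, which is the case that actually needs attention.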
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
