Check the time on all devices.

On Wednesday, September 19, 2012, Jason Madsen wrote:
> Hi Group,
>
> I'm having a brain fart at the moment, or else ran into more GNS3
> weirdness. I set up a router as a CA and get the following message every
> time I try to enroll from an ASA:
>
> The certificate enrollment request failed!
>
> Routers can authenticate and enroll with the IOS CA just fine...just
> cannot from an ASA. Anything need to be done differently on the ASA when
> enrolling other than what's needed on routers when enrolling? Here are
> the basic steps I went through:
>
> *IOS CA:*
>
> hostname R1
> ip domain name blah.com
> ntp master
> ip http server
> crypto key gen rsa mod 1024 R1-CA
> !
> crypto pi trust R1-CA
>  rsakeypair R1-CA 1024
>  rev none
> !
> crypto pki server R1-CA
>  data level complete
>  data archi pem
>  data url pem flash:
>  grant auto
>  cdp- http://19.19.19.1/cgi-bin/pkiclient.exe?operation=GetCRL
>  issue CN = R1.blah.com, ST = CA, C = US
>  no shut
> !
>
> *ASA*
>
> hostname ASA
> domain-name blah.com
> ntp server 19.19.19.1
> !
> cryp key gen rsa mod 1024
> cryp ca trust R1
>  enroll url http://19.19.19.1:80
>  rev none
> !
> crypt ca authe R1
> (works fine...able to authenticate)
> crypt ca enroll R1
> (serial number: no, get cert: yes...get "enrollment request failed" each
> time or a similar error message)
>
> I can debug on the CA and it looks as though a cert' is sent to the ASA
> when I do the "crypto ca enroll" command. Not sure what's going on. NTP
> was sync'd before any key / cert creation etc. Did not change hostnames or
> domain names after creating keys / certs. I've tried specifying FQDN
> within trustpoints etc, and modifying other parameters.
>
> Either I've forgotten a key step along the way, or else this is GNS
> specific.
>
> Any ideas / thoughts?
>
> Thanks,
> Jason

--
FNK, CCIE Security#35578
