yep, all NTP was sync'd...time on all devices the same before and during any key / cert creation etc.
On Wed, Sep 19, 2012 at 8:34 PM, Fawad Khan <[email protected]> wrote:

> Check the time on all devices.
>
>
> On Wednesday, September 19, 2012, Jason Madsen wrote:
>
>> Hi Group,
>>
>> I'm having a brain fart at the moment, or else ran into more GNS3
>> weirdness. I setup a router as a CA and get the following message every
>> time I try to enroll from an ASA:
>>
>> The certificate enrollment request failed!
>>
>> Routers can authenticate and enroll with the IOS CA just fine...just
>> cannot from an ASA. Anything need to be done differently on the ASA when
>> enrolling other than what's needed on routers when enrolling? Here are
>> the basic steps I went through:
>>
>> *IOS CA:*
>>
>> hostname R1
>> ip domain name blah.com
>> ntp master
>> ip http server
>> crypto key gen rsa mod 1024 R1-CA
>> !
>> crypto pi trust R1-CA
>> rsakeypair R1-CA 1024
>> rev none
>> !
>> crypto pki server R1-CA
>> data level complete
>> data archi pem
>> data url pem flash:
>> grant auto
>> cdp- http://19.19.19.1/cgi-bin/pkiclient.exe?operation=GetCRL
>> issue CN = R1.blah.com, ST = CA, C = US
>> no shut
>> !
>>
>> *ASA*
>>
>> hostname ASA
>> domain-name blah.com
>> ntp server 19.19.19.1
>> !
>> cryp key gen rsa mod 1024
>> cryp ca trust R1
>> enroll url http://19.19.19.1:80
>> rev none
>> !
>> crypt ca authe R1
>> (works fine...able to authenticate)
>> crypt ca enroll R1
>> (serial number: no, get cert: yes...get "enrollment request failed" each
>> time or a similar error message)
>>
>> I can debug on the CA and it looks as though a cert' is sent to the ASA
>> when I do the "crypto ca enroll" command. Not sure what's going on. NTP
>> was sync'd before any key / cert creation etc. Did not change hostnames or
>> domain names after creating keys / certs. I've tried specifying FQDN
>> within trustpoints etc, and modifying other parameters.
>>
>> Either I've forgotten a key step along the way, or else this is GNS
>> specific.
>>
>> Any ideas / thoughts?
>>
>> Thanks,
>> Jason
>>
>
> --
> FNK, CCIE Security#35578
