yep, all NTP was sync'd...time on all devices the same before and during
any key / cert creation etc.



On Wed, Sep 19, 2012 at 8:34 PM, Fawad Khan <[email protected]> wrote:

> Check the time on all devices.
>
>
> On Wednesday, September 19, 2012, Jason Madsen wrote:
>
>> Hi Group,
>>
>> I'm having a brain fart at the moment, or else ran into more GNS3
>> weirdness.  I set up a router as a CA and get the following message every
>> time I try to enroll from an ASA:
>>
>> The certificate enrollment request failed!
>>
>> Routers can authenticate and enroll with the IOS CA just fine...just
>> cannot from an ASA.  Anything need to be done differently on the ASA when
>> enrolling other than what's needed on routers when enrolling?   Here are
>> the basic steps I went through:
>>
>> *IOS CA:*
>>
>> hostname R1
>> ip domain name blah.com
>> ntp master
>> ip http server
>> crypto key gen rsa mod 1024 R1-CA
>> !
>> crypto pki trust R1-CA
>> rsakeypair R1-CA 1024
>> rev none
>> !
>> crypto pki server R1-CA
>> data level complete
>> data archi pem
>> data url pem flash:
>> grant auto
>> cdp- http://19.19.19.1/cgi-bin/pkiclient.exe?operation=GetCRL
>> issue CN = R1.blah.com, ST = CA, C = US
>> no shut
>> !
>>
>> *ASA*
>>
>> hostname ASA
>> domain-name blah.com
>> ntp server 19.19.19.1
>> !
>> cryp key gen rsa mod 1024
>> cryp ca trust R1
>> enroll url http://19.19.19.1:80
>> rev none
>> !
>> crypt ca authe R1
>> (works fine...able to authenticate)
>> crypt ca enroll R1
>> (serial number: no, get cert: yes...get "enrollment request failed" each
>> time or a similar error message)
>>
>> I can debug on the CA and it looks as though a cert is sent to the ASA
>> when I do the "crypto ca enroll" command.  Not sure what's going on.  NTP
>> was sync'd before any key / cert creation etc.  Did not change hostnames or
>> domain names after creating keys / certs.   I've tried specifying FQDN
>> within trustpoints etc, and modifying other parameters.
>>
>> Either I've forgotten a key step along the way, or else this is GNS
>> specific.
>>
>> Any ideas / thoughts?
>>
>> Thanks,
>> Jason
>>
>>
>>
>
> --
> FNK, CCIE Security#35578
>