Hi Group, I just tried enrolling from the ASA again, and it worked!!! I haven't made any changes either. Actually, I just let my lab sit for awhile while i worked on some things. Came back to it and it worked like a charm. Very weird...
Jason On Wed, Sep 19, 2012 at 10:05 PM, Jason Madsen <[email protected]>wrote: > Hi Ben, > > Thanks for your response. I haven't reloaded the CA. Here's some info' > from some show commands. Not sure if it's any help in figuring this out, > or if this is a weird GNS thing and therefore a moot cause. Weird thing is > that routers can authenticate and enroll with the CA just fine. Only ASAs > enrollments fail. > > *IOS CA:* > > R1#sho cryp key mypubkey rsa > % Key pair was generated at: 00:03:40 UTC Mar 1 2002 > Key name: R1 > Storage Device: not specified > Usage: General Purpose Key > Key is not exportable. > Key Data: > 30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00D10F6F > DB59F2B1 56F97B34 85608D1C AFBE91D3 6C8F88DC 62A82ADF 2AE105A6 B7D5D43B > B7B958B8 BB80DC60 555E460F C2D84397 72A05506 A2C8621D 0A79C6DA 920A2D0C > D485DCD2 3784A911 8626AC32 F96ABA13 D273986F 622BAD8D 9ECAC9FA BD1FB262 > FC599E4F 4E47AB28 D5C0FA11 A578B7C6 AEDA3FA1 87FC9D43 47A173C3 6D020301 > 0001 > % Key pair was generated at: 02:03:43 UTC Mar 1 2002 > Key name: R1.server > Temporary key > Usage: Encryption Key > Key is not exportable. > Key Data: > 307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00B2D6C9 45940F97 > 0822D4DA 0C59BF12 367E1F21 8EEE75D3 AB2EB94A FB54FBE7 E7D6E0F5 CDB3EE75 > 9F5D9A91 7DA31A2E F75863D3 1AF6EC38 156DA91E 6FA83DEA 48384CF8 9823A14E > AAEDDAA2 A6089EAC 8EF35C34 70A31F68 AFC60B37 66901631 13020301 0001 > R1# > > > R1#sho cryp pki certificates ver > CA Certificate > Status: Available > Version: 3 > Certificate Serial Number: 0x1 > Certificate Usage: Signature > Issuer: > cn=R1.blah.com > st=CO > c=US > Subject: > cn=R1.blah.com > st=CO > c=US > Validity Date: > start date: 00:06:38 UTC Mar 1 2002 > end date: 00:06:38 UTC Feb 28 2005 > Subject Key Info: > Public Key Algorithm: rsaEncryption > RSA Public Key: (1024 bit) > Signature Algorithm: MD5 with RSA Encryption > Fingerprint MD5: B99C4B4A 9FDA7F21 5CC098F3 308D71AF > Fingerprint SHA1: 6D9CFC35 8CC733F9 96A1E6EF 1BDC3216 2C027D4E > X509v3 extensions: > X509v3 Key Usage: 86000000 > Digital Signature > Key Cert Sign > CRL Signature > X509v3 Subject Key ID: 60131162 6573950F 5B6B8C89 C2660CCF 55225E98 > X509v3 Basic Constraints: > CA: TRUE > X509v3 Authority Key ID: 60131162 6573950F 5B6B8C89 C2660CCF 55225E98 > Authority Info Access: > Associated Trustpoints: R1 > > *ASA:* > > ASA(config)# sho cryp key myp rsa > Key pair was generated at: 00:19:35 UTC Mar 1 2002 > Key name: <Default-RSA-Key> > Usage: General Purpose Key > Modulus Size (bits): 1024 > Key Data: > > 30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00a56efb > f7f8a639 dc7005cc e00d34b6 3bec745e d266fa44 ec523ba3 1b5d5306 97c78c98 > e9c27ccc 8054dabc a677a572 74069b0b 860a2782 6ea45e4e f183c8da fefff1d6 > 4a48afad 10d18b6a d2daa8fb 6a789fea 293faa79 b77dbb97 3c26f4c7 933fd2d4 > 7bb5cc6d 497a9b27 3319d628 e116a5f8 4754d9f2 7ac69bcc 80a4183c a7020301 > 0001 > ASA(config)# > ASA(config)# > ASA(config)# > > ASA(config)# sho cryp ca certificates > CA Certificate > Status: Available > Certificate Serial Number: 01 > Certificate Usage: Signature > Public Key Type: RSA (1024 bits) > Issuer Name: > cn=R1.blah.com > st=CO > c=US > Subject Name: > cn=R1.blah.com > st=CO > c=US > Validity Date: > start date: 00:06:38 UTC Mar 1 2002 > end date: 00:06:38 UTC Feb 28 2005 > Associated Trustpoints: R1 > > > > > > > On Wed, Sep 19, 2012 at 9:45 PM, Ben Shaw <[email protected]> wrote: > >> Check the RSA key-pair is still on the CA. If you have reloaded the CA at >> any time during your test they would have been lost as GNS doesn't keep >> them on reboot and this could cause an issue with enrollment. >> >> >> >> On Wed, Sep 19, 2012 at 8:39 PM, Jason Madsen <[email protected]>wrote: >> >>> time appears to be within milliseconds from each other, and all date and >>> timezone type info matches as well. UTC, Fri, March 1st 2002... >>> >>> my brain hurts. seems like i've done this a million times while >>> studying / testing, and now it won't work any more. >>> >>> Jason >>> >>> >>> >>> On Wed, Sep 19, 2012 at 8:35 PM, Fawad Khan <[email protected]> wrote: >>> >>>> So check time and time zone. This happened to me but I found the time >>>> zone was not >>>> Matching properly. >>>> >>>> >>>> On Wednesday, September 19, 2012, Fawad Khan wrote: >>>> >>>>> Check the time on all devices. >>>>> >>>>> On Wednesday, September 19, 2012, Jason Madsen wrote: >>>>> >>>>>> Hi Group, >>>>>> >>>>>> I'm having a brain fart at the moment, or else ran into more GNS3 >>>>>> weirdness. I setup a router as a CA and get the following message every >>>>>> time I try to enroll from an ASA: >>>>>> >>>>>> The certificate enrollment request failed! >>>>>> >>>>>> Routers can authenticate and enroll with the IOS CA just fine...just >>>>>> cannot from an ASA. Anything need to be done differently on the ASA when >>>>>> enrolling other than what's needed on routers when enrolling? Here are >>>>>> the basic steps I went through: >>>>>> >>>>>> *IOS CA:* >>>>>> >>>>>> hostname R1 >>>>>> ip domain name blah.com >>>>>> ntp master >>>>>> ip http server >>>>>> crypto key gen rsa mod 1024 R1-CA >>>>>> ! >>>>>> crypto pi trust R1-CA >>>>>> rsakeypair R1-CA 1024 >>>>>> rev none >>>>>> ! >>>>>> crypto pki server R1-CA >>>>>> data level complete >>>>>> data archi pem >>>>>> data url pem flash: >>>>>> grant auto >>>>>> cdp- http://19.19.19.1/cgi-bin/pkiclient.exe?operation=GetCRL >>>>>> issue CN = R1.blah.com, ST = CA, C = US >>>>>> no shut >>>>>> ! >>>>>> >>>>>> *ASA* >>>>>> >>>>>> hostname ASA >>>>>> domain-name blah.com >>>>>> ntp server 19.19.19.1 >>>>>> ! >>>>>> cryp key gen rsa mod 1024 >>>>>> cryp ca trust R1 >>>>>> enroll url http://19.19.19.1:80 >>>>>> rev none >>>>>> ! >>>>>> crypt ca authe R1 >>>>>> (works fine...able to authenticate) >>>>>> crypt ca enroll R1 >>>>>> (serial number: no, get cert: yes...get "enrollment request failed" >>>>>> each time or a similar error message) >>>>>> >>>>>> I can debug on the CA and it looks as though a cert' is sent to the >>>>>> ASA when I do the "crypto ca enroll" command. Not sure what's going on. >>>>>> NTP was sync'd before any key / cert creation etc. Did not change >>>>>> hostnames or domain names after creating keys / certs. I've tried >>>>>> specifying FQDN wtihin trustpoints etc, and modifying other parameters. >>>>>> >>>>>> Either I've forgotten a key step along the way, or else this is GNS >>>>>> specific. >>>>>> >>>>>> Any ideas / thoughts? >>>>>> >>>>>> Thanks, >>>>>> Jason >>>>>> >>>>>> >>>>>> >>>>> >>>>> -- >>>>> FNK, CCIE Security#35578 >>>>> >>>> >>>> >>>> -- >>>> FNK, CCIE Security#35578 >>>> >>> >>> >>> _______________________________________________ >>> For more information regarding industry leading CCIE Lab training, >>> please visit www.ipexpert.com >>> >>> Are you a CCNP or CCIE and looking for a job? Check out >>> www.PlatinumPlacement.com >>> >> >> >
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
