Must be :-).   Ran into another issue after that.  I built LDAP authentication 
on it, and even though all configs looked good, it wouldn't work until I left 
it alone for 30 minutes.  Think we both need a break for a while :-). 

Jason



On Sep 20, 2012, at 10:10 AM, Fawad Khan <[email protected]> wrote:

> The ASA was probably stressed out and needed a break, just like your brain :)
> 
> On Thursday, September 20, 2012, Jason Madsen wrote:
> Hi Group,
> 
> I just tried enrolling from the ASA again, and it worked!!!  I haven't made 
> any changes either.  Actually, I just let my lab sit for a while while I 
> worked on some things.  Came back to it and it worked like a charm.  Very 
> weird...
> 
> Jason
> 
> On Wed, Sep 19, 2012 at 10:05 PM, Jason Madsen <[email protected]> wrote:
> Hi Ben,
> 
> Thanks for your response.  I haven't reloaded the CA.  Here's some info' from 
> some show commands.  Not sure if it's any help in figuring this out, or if 
> this is a weird GNS thing and therefore a moot cause.  Weird thing is that 
> routers can authenticate and enroll with the CA just fine.  Only ASA 
> enrollments fail.
> 
> IOS CA:
> 
> R1#sho cryp key mypubkey rsa
> % Key pair was generated at: 00:03:40 UTC Mar 1 2002
> Key name: R1
>  Storage Device: not specified
>  Usage: General Purpose Key
>  Key is not exportable.
>  Key Data:
>   30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00D10F6F
>   DB59F2B1 56F97B34 85608D1C AFBE91D3 6C8F88DC 62A82ADF 2AE105A6 B7D5D43B
>   B7B958B8 BB80DC60 555E460F C2D84397 72A05506 A2C8621D 0A79C6DA 920A2D0C
>   D485DCD2 3784A911 8626AC32 F96ABA13 D273986F 622BAD8D 9ECAC9FA BD1FB262
>   FC599E4F 4E47AB28 D5C0FA11 A578B7C6 AEDA3FA1 87FC9D43 47A173C3 6D020301 0001
> % Key pair was generated at: 02:03:43 UTC Mar 1 2002
> Key name: R1.server
> Temporary key
>  Usage: Encryption Key
>  Key is not exportable.
>  Key Data:
>   307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00B2D6C9 45940F97
>   0822D4DA 0C59BF12 367E1F21 8EEE75D3 AB2EB94A FB54FBE7 E7D6E0F5 CDB3EE75
>   9F5D9A91 7DA31A2E F75863D3 1AF6EC38 156DA91E 6FA83DEA 48384CF8 9823A14E
>   AAEDDAA2 A6089EAC 8EF35C34 70A31F68 AFC60B37 66901631 13020301 0001
> R1#
> 
> 
> R1#sho cryp pki certificates ver
> CA Certificate
>   Status: Available
>   Version: 3
>   Certificate Serial Number: 0x1
>   Certificate Usage: Signature
>   Issuer:
>     cn=R1.blah.com
>     st=CO
>     c=US
>   Subject:
>     cn=R1.blah.com
>     st=CO
>     c=US
>   Validity Date:
>     start date: 00:06:38 UTC Mar 1 2002
>     end   date: 00:06:38 UTC Feb 28 2005
>   Subject Key Info:
>     Public Key Algorithm: rsaEncryption
>     RSA Public Key: (1024 bit)
>   Signature Algorithm: MD5 with RSA Encryption
>   Fingerprint MD5: B99C4B4A 9FDA7F21 5CC098F3 308D71AF
>   Fingerprint SHA1: 6D9CFC35 8CC733F9 96A1E6EF 1BDC3216 2C027D4E
>   X509v3 extensions:
>     X509v3 Key Usage: 86000000
>       Digital Signature
>       Key Cert Sign
>       CRL Signature
>     X509v3 Subject Key ID: 60131162 6573950F 5B6B8C89 C2660CCF 55225E98
>     X509v3 Basic Constraints:
>         CA: TRUE
>     X509v3 Authority Key ID: 60131162 6573950F 5B6B8C89 C2660CCF 55225E98
>     Authority Info Access:
>   Associated Trustpoints: R1
> 
> ASA:
> 
> ASA(config)# sho cryp key myp rsa
> Key pair was generated at: 00:19:35 UTC Mar 1 2002
> Key name: <Default-RSA-Key>
>  Usage: General Purpose Key
>  Modulus Size (bits): 1024
>  Key Data:
> 
>   30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00a56efb
>   f7f8a639 dc7005cc e00d34b6 3bec745e d266fa44 ec523ba3 1b5d5306 97c78c98
>   e9c27ccc 8054dabc a677a572 74069b0b 860a2782 6ea45e4e f183c8da fefff1d6
>   4a48afad 10d18b6a d2daa8fb 6a789fea 293faa79 b77dbb97 3c26f4c7 933fd2d4
>   7bb5cc6d 497a9b27 3319d628 e116a5f8 4754d9f2 7ac69bcc 80a4183c a7020301 0001
> ASA(config)#
> ASA(config)#
> ASA(config)#
> 
> ASA(config)# sho cryp ca certificates
> CA Certificate
>   Status: Available
>   Certificate Serial Number: 01
>   Certificate Usage: Signature
>   Public Key Type: RSA (1024 bits)
>   Issuer Name:
>     cn=R1.blah.com
>     st=CO
>     c=US
>   Subject Name:
>     cn=R1.blah.com
>     st=CO
>     c=US
>   Validity Date:
>     start date: 00:06:38 UTC Mar 1 2002
>     end   date: 00:06:38 UTC Feb 28 2005
>   Associated Trustpoints: R1
> 
> 
> 
> 
> 
> 
> On Wed, Sep 19, 2012 at 9:45 PM, Ben Shaw <[email protected]> wrote:
> Check the RSA key-pair is still on the CA. If you have reloaded the CA at any 
> time during your test they would have been lost as GNS doesn't keep them on 
> reboot and this could cause an issue with enrollment.
> 
> 
> 
> On Wed, Sep 19, 2012 at 8:39 PM, Jason Madsen <[email protected]> wrote:
> 
> 
> -- 
> FNK, CCIE Security#35578