Great! That was it!
How I fixed it was with this command:
"lifetime certificate 300" in the CA config section.
I re-enrolled the two client routers (R5 & R6) and noted their
certificates were OK:
R6#show crypto ca certificate IOS_CA
Certificate
Status: Available
Certificate Serial Number: 0x7
Certificate Usage: General Purpose
Issuer:
cn=IOS_CA
Subject:
Name: R6
Serial Number: FHK0953F17K
hostname=R6+serialNumber=FHK0953F17K
cn=R6.cisco.com
ou=CCIE
c=PL
CRL Distribution Points:
http://8.9.50.2/cgi-bin/pkiclient.exe?operation=GetCRL
Validity Date:
start date: 14:38:50 EUST Sep 25 2012
end date: 14:38:50 EUST Jul 22 2013
Associated Trustpoints: IOS_CA
Tried to ping between the two VLANs and the VPN came up and everything
was all good. This was after I facepalmed myself with the 2015 date
:) That was a real case of OYFE for me there.
Once again, thanks to everyone for their assistance.
Cheers
On 25 September 2012 14:14, Jason Madsen <[email protected]> wrote:
> The line you're referring to is your CA certificate timer, which can be set as
> follows:
>
> (within pki server config mode)
> lifetime ca-certificate xxx
>
> Not sure I recommend changing values like this once the server has already
> been set up and certs have been issued though. That could cause you more
> grief.
>
> The expiration date you mentioned below was yesterday as you pointed out,
> but it's for 2015. The ca-cert has a lifetime of 3 years by default.
>
> Jason
>
>
>
> On Mon, Sep 24, 2012 at 7:37 PM, Matt Hill <[email protected]> wrote:
>>
>> HI Everyone,
>>
>> Thanks for your input. I tried the "lifetime crl time" but that does
>> not look like it fixes it. Here is my CA config and show output:
>>
>> R2#show crypto pki server
>> Certificate Server IOS_CA:
>> Status: enabled
>> State: enabled
>> Server's configuration is locked (enter "shut" to unlock it)
>> Issuer name: CN=IOS_CA
>> CA cert fingerprint: 27B1F4FA 9FA2623B 2486DB53 472CC3C3
>> Granting mode is: auto
>> Last certificate issued serial number: 0x6
>> CA certificate expiration timer: 05:03:42 EUST Sep 24 2015
>> <----------- uncool!!!
>> CRL NextUpdate timer: 12:19:06 EUST Oct 7 2012
>> Current primary storage dir: nvram:
>> Database Level: Minimum - no cert data written to storage
>> Auto-Rollover configured, overlap period 30 days
>> Autorollover timer: 05:03:42 EUST Aug 25 2015
>> R2#show run | s crypto pki
>> crypto pki server IOS_CA
>> database archive pem password 7 070C285F4D06485744
>> grant auto
>> lifetime crl 300
>> cdp-url http://8.9.50.2/cgi-bin/pkiclient.exe?operation=GetCRL
>> auto-rollover
>> crypto pki trustpoint IOS_CA
>> revocation-check crl
>> rsakeypair IOS_CA
>> crypto pki certificate chain IOS_CA
>> certificate ca 01
>> 308201FB 30820164 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
>> XXXXXX
>> 268C07A3 A77CAB95 3E19268B 8E8C1D45 3044964C 05952A39 20E8288D C2ABC4
>> quit
>> R2#show clock
>> 11:32:52.370 EUST Tue Sep 25 2012
>>
>> -------------
>>
>> The certificate expiration timer appears to be the problem here. As
>> you can see, the time expired was yesterday. I can't for the life of me
>> find how to change this. It would be a one-liner in there somewhere,
>> I'm sure?
>>
>> Cheers,
>> Matt
>>
>> CCIE #22386
>> CCSI #31207
>>
>>
>> On 24 September 2012 19:43, Kingsley Charles <[email protected]>
>> wrote:
>> > You need to worry about timezones. Validity check is done based on UTC.
>> >
>> > The validity period can't be changed; rather, change your clock.
>> >
>> > With regards
>> > Kings
>> > CCNA,CCSP,CCNP,CCIP,CCIE 35914 (Security)
>> >
>> > On Mon, Sep 24, 2012 at 10:13 AM, Matt Hill <[email protected]> wrote:
>> >>
>> >> Hi There,
>> >>
>> >> I am doing something wrong here, it's saying my certificate is invalid, but
>> >> I'm not sure why...
>> >>
>> >>
>> >> Sep 24 13:36:03.912: %CRYPTO-4-IKMP_NO_SA: IKE message from 8.9.50.6
>> >> has no SA and is not an initialization offer
>> >> Sep 24 13:36:04.492: CRYPTO_PKI: New CRL Not Valid - expired (router
>> >> time not synched to CA?)
>> >> Sep 24 13:36:04.492: CRL expires: 11:03:44 EUST Sep 24 2012
>> >> Sep 24 13:36:04.492: Router time: 14:36:04 EUST Sep 24 2012
>> >> Sep 24 13:36:04.492: %PKI-4-CRLINSERTFAIL: Trustpoint "IOS_CA" unknown
>> >> (error 1804:E_VALIDITY : validity period start later than end) <---
>> >> this line caught my attention
>> >> Sep 24 13:36:04.496: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received
>> >> from 8.9.50.6 is bad: certificate invalid.
>> >> Sep 24 13:36:04.496: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main
>> >> mode failed with peer at 8.9.50.6....
>> >>
>> >>
>> >>
>> >> R5#show crypto pki certificates
>> >> Certificate
>> >> Status: Available
>> >> Certificate Serial Number: 0x4
>> >> Certificate Usage: General Purpose
>> >> Issuer:
>> >> cn=IOS_CA
>> >> Subject:
>> >> Name: R5
>> >> Serial Number: FHK0953F18R
>> >> hostname=R5+serialNumber=FHK0953F18R
>> >> cn=R5.cisco.com
>> >> ou=CCIE
>> >> c=PL
>> >> CRL Distribution Points:
>> >> http://8.9.50.2/cgi-bin/pkiclient.exe?operation=GetCRL
>> >> Validity Date:
>> >> start date: 13:52:19 EUST Sep 24 2012
>> >> end date: 13:52:19 EUST Sep 24 2013
>> >> Associated Trustpoints: IOS_CA
>> >> Storage: nvram:IOS_CA#4.cer
>> >>
>> >> CA Certificate
>> >> Status: Available
>> >> Certificate Serial Number: 0x1
>> >> Certificate Usage: Signature
>> >> Issuer:
>> >> cn=IOS_CA
>> >> Subject:
>> >> cn=IOS_CA
>> >> Validity Date:
>> >> start date: 05:03:42 EUST Sep 24 2012
>> >> end date: 05:03:42 EUST Sep 24 2015
>> >> Associated Trustpoints: IOS_CA
>> >> Storage: nvram:IOS_CA#1CA.cer
>> >>
>> >>
>> >> R5#show clock
>> >> 14:35:42.983 EUST Mon Sep 24 2012
>> >>
>> >> and on my CA:
>> >>
>> >> R2#show clock
>> >> 14:36:24.099 EUST Mon Sep 24 2012
>> >>
>> >> So we can see the validity period is outside what the current time is;
>> >> also the validity period is rather short (i.e. <1 second). I got this
>> >> to work previously, however I can't easily find anywhere where I can
>> >> change the validity period.
>> >>
>> >> Also, EUST is something I made up. The lab did not tell me what I
>> >> should call it. Funnily enough, when I used "MATTST" it was working
>> >> fine. I don't think the timezone name should make any difference
>> >> whatsoever.
>> >>
>> >> Cheers,
>> >> Matt
>> >>
>> >> CCIE #22386
>> >> CCSI #31207
>> >> _______________________________________________
>> >> For more information regarding industry leading CCIE Lab training,
>> >> please
>> >> visit www.ipexpert.com
>> >>
>> >> Are you a CCNP or CCIE and looking for a job? Check out
>> >> www.PlatinumPlacement.com
>> >
>> >
>
>
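The checks that produced the log lines in this thread (an expired CRL, the "validity period start later than end" error, and the client certificate lifetime) can be replayed offline. The script below is an added example, not code from the thread or from Cisco: it parses IOS-style timestamps into UTC (which is what the validity comparison is done in, as Kingsley notes), classifies a validity window, and checks the day arithmetic behind "lifetime certificate 300". The made-up zone label "EUST" is assigned a UTC offset of +2 hours as an assumption; only the offset matters once everything is normalised to UTC, which is consistent with Matt's observation that the zone name itself is irrelevant.

```python
"""Validity checks for IOS-style certificate and CRL timestamps.

Added example; not code from the mailing-list thread or from Cisco. It
re-creates the comparisons behind the thread's log lines ("New CRL Not
Valid - expired", "E_VALIDITY : validity period start later than end")
and the day arithmetic behind "lifetime certificate 300".
"""
from datetime import datetime, timedelta, timezone

# Assumption: the poster's invented zone label "EUST" is taken as UTC+2.
ZONE_OFFSET_HOURS = {"EUST": 2, "UTC": 0}


def parse_ios_time(text):
    """Parse 'HH:MM:SS[.fff] ZONE [Www] Mon DD YYYY' into an aware UTC datetime.

    Accepts both the certificate form '14:38:50 EUST Sep 25 2012' and the
    'show clock' form '11:32:52.370 EUST Tue Sep 25 2012'.
    """
    tokens = text.split()
    clock = tokens[0].split(".")[0]      # drop fractional seconds
    zone = tokens[1]
    rest = tokens[2:]
    if len(rest) == 4:                   # weekday present: drop it
        rest = rest[1:]
    mon, day, year = rest
    naive = datetime.strptime(f"{clock} {mon} {day} {year}", "%H:%M:%S %b %d %Y")
    tz = timezone(timedelta(hours=ZONE_OFFSET_HOURS[zone]))
    return naive.replace(tzinfo=tz).astimezone(timezone.utc)


def window_status(start, end, now):
    """Classify a validity window the way a validating peer would.

    'invalid-window' when start is after end (the E_VALIDITY case),
    'not-yet-valid' when the local clock is behind the start,
    'expired' when it is past the end, otherwise 'valid'.
    """
    if start > end:
        return "invalid-window"
    if now < start:
        return "not-yet-valid"
    if now > end:
        return "expired"
    return "valid"


def crl_status(next_update, now):
    """A cached CRL is usable only until its NextUpdate time."""
    return "expired" if now > next_update else "valid"


def lifetime_end(start, days):
    """End date produced by 'lifetime certificate <days>' from a given start."""
    return start + timedelta(days=days)


def clock_skew_seconds(a, b):
    """Absolute difference between two clocks, in seconds."""
    return abs((a - b).total_seconds())


def diagnose_thread():
    """Run the checks over the timestamps quoted in the thread (as posted)."""
    router_now = parse_ios_time("14:36:04 EUST Sep 24 2012")       # R5 log line
    crl_next = parse_ios_time("11:03:44 EUST Sep 24 2012")         # "CRL expires"
    r5_start = parse_ios_time("13:52:19 EUST Sep 24 2012")
    r5_end = parse_ios_time("13:52:19 EUST Sep 24 2013")
    ca_start = parse_ios_time("05:03:42 EUST Sep 24 2012")
    ca_end = parse_ios_time("05:03:42 EUST Sep 24 2015")
    r6_start = parse_ios_time("14:38:50 EUST Sep 25 2012")         # after re-enrol
    r6_end = parse_ios_time("14:38:50 EUST Jul 22 2013")
    r5_clock = parse_ios_time("14:35:42.983 EUST Mon Sep 24 2012")
    r2_clock = parse_ios_time("14:36:24.099 EUST Mon Sep 24 2012")
    return {
        "crl": crl_status(crl_next, router_now),
        "r5_cert": window_status(r5_start, r5_end, router_now),
        "ca_cert": window_status(ca_start, ca_end, router_now),
        "ca_lifetime_days": (ca_end - ca_start).days,
        "r6_lifetime_days": (r6_end - r6_start).days,
        "r6_end_matches_lifetime_300": lifetime_end(r6_start, 300) == r6_end,
        "r5_r2_skew_seconds": clock_skew_seconds(r5_clock, r2_clock),
    }


if __name__ == "__main__":
    for key, value in diagnose_thread().items():
        print(f"{key}: {value}")
```

Run as-is it reports the CRL as expired against the router's clock while both the R5 and CA certificates are still inside their windows, which matches the log: the CRL fetch, not the certificate dates, was what failed on Sep 24. It also confirms that the CA certificate's 2012 to 2015 window is 1095 days (the 3-year default Jason mentions) and that R6's re-enrolled certificate ends exactly 300 days after its start, as "lifetime certificate 300" would produce.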