This document describes how to set up a site-to-site Internet Key Exchange version 2 (IKEv2) tunnel between a Cisco Adaptive Security Appliance (ASA) and a router that runs Cisco IOS® software.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

- Internet Key Exchange version 2 (IKEv2)
- Certificates and Public Key Infrastructure (PKI)

Components Used

The information in this document is based on these software and hardware versions:

- Cisco ASA 5506 Adaptive Security Appliance that runs software version 9.8.4
- Cisco 2900 Series Integrated Services Router (ISR) that runs Cisco IOS software version 15.3(3)M1

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

This document can also be used with these hardware and software versions:

- Cisco ASA that runs software version 8.4(1) or later
- Cisco ISR Generation 2 (G2) that runs Cisco IOS software version 15.2(4)M or later
- Cisco ASR 1000 Series Aggregation Services Routers that run Cisco IOS-XE software version 15.2(4)S or later
- Cisco Connected Grid Routers that run software version 15.2(4)M or later

Background Information

Configuration of an IKEv2 tunnel between an ASA and a router with the use of pre-shared keys is straightforward. However, when you use certificate authentication, there are certain caveats to keep in mind.

NTP

Certificate authentication requires that the clocks on all devices used must be synchronized to a common source. While the clock can be set manually on each device, this is not very accurate and can be cumbersome. The easiest method to synchronize the clocks on all devices is to use NTP. NTP synchronizes the time among a set of distributed time servers and clients. This synchronization allows events to be correlated when system logs are created and when other time-specific events occur. For more information on how to configure NTP, refer to Network Time Protocol: Best Practices White Paper.

Tip: When a Cisco IOS software Certificate Authority (CA) server is used, it is common practice to configure the same device as the NTP server. In this example, the CA server also serves as the NTP server.

HTTP-URL-Based Certificate Lookup

Certificate lookup based on the HTTP URL avoids the fragmentation that results when large certificates are transferred. This feature is enabled on Cisco IOS software devices by default, so the cert req type 12 is used by Cisco IOS software. If software versions that do not have the fix for Cisco bug ID CSCul48246 are used on the ASA, then the HTTP-URL-based lookup is not negotiated on the ASA, and Cisco IOS software causes the authorization attempt to fail. On the ASA, if IKEv2 protocol debugs are enabled, these messages appear:

IKEv2-PROTO-1: (139): Auth exchange failed
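The two caveats above, as an added configuration example that is not part of the original document: the router (acting as CA and NTP server, at the constructed address 192.0.2.1) serves time to the ASA (interface name inside is assumed), and the router-side command disables the default HTTP-URL certificate lookup for the case where the ASA peer does not carry the fix for CSCul48246.

```cisco
! Added example, not from the original document; addresses and interface
! names are constructed.
!
! --- Cisco IOS router (CA server and NTP server in this topology) ---
clock timezone UTC 0
ntp master 3
! HTTP-URL-based lookup is on by default (cert req type 12). Turn it off
! only when the ASA peer lacks the CSCul48246 fix, so the router sends its
! certificate inline instead of a URL the ASA cannot negotiate:
no crypto ikev2 http-url cert
!
! --- Cisco ASA (NTP client, synchronized to the router) ---
ntp server 192.0.2.1 source inside
!
! --- Checks before troubleshooting certificate authentication ---
! Router: show ntp status        (expect "Clock is synchronized")
! ASA:    show ntp status
! Both:   show clock             (times must agree within the cert validity)
! ASA:    debug crypto ikev2 protocol 127
!         "Auth exchange failed" here, with clocks in sync, points at the
!         HTTP-URL lookup mismatch described above.
```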