Cisco router losing certificate configuration

Richard Tapp
Level 1

I am having an odd issue and wondered if anyone else has come across it.

Our 2 UK DCs have routers that act as CAs for our spoke sites around the globe. (About 90% of this issue is on sites in the Americas.)

They are set for auto renew and the CAs have different timers to ensure certificates would not run out at the same time.

Basically we notice sites are down, log in via the WAN interface and find all the Trustpoint information has been deleted from the running and startup configs.

It happens without warning; we run a weekly report to look for routers without the config. For example, we ran the report yesterday and it showed no sites with missing config, then this morning a site lost all the Trustpoint info.

One of the CAs:

crypto pki server dmvpn-XX-RT2
 issuer-name CN=xxxxxxxx
 grant auto
 lifetime certificate 1000
 lifetime ca-certificate 1300
 auto-rollover 50
 database url nvram

Other CA:

crypto pki server dmvpn-YY-RT2
 issuer-name CN=yyyyyyyy
 grant auto
 lifetime certificate 900
 lifetime ca-certificate 1200
 auto-rollover 50

A spoke that uses the above trustpoints:

crypto pki trustpoint xxxxxxxx
 enrollment url http://xx.xx.xx.xx:80
 revocation-check none
 auto-enroll 80
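As an added example (not code from the thread or from Cisco), here is a minimal form of the kind of weekly check described in the post: it parses `show running-config` text per spoke and flags any router whose expected `crypto pki trustpoint` blocks are gone or no longer carry `auto-enroll`. The hostnames, IPs and config text are constructed; the expected trustpoint names are the placeholders used in the post.

```python
"""Audit IOS running-configs for lost PKI trustpoint blocks (constructed example)."""
import re

# One trustpoint per hub CA, matching the placeholder names in the post.
EXPECTED_TRUSTPOINTS = {"xxxxxxxx", "yyyyyyyy"}

# Constructed 'show running-config' fragments; spoke-us-02 has lost its PKI config
# and spoke-uk-01 still has the blocks but one of them lacks auto-enroll.
CONFIGS = {
    "spoke-us-01": (
        "hostname spoke-us-01\n!\n"
        "crypto pki trustpoint xxxxxxxx\n enrollment url http://xx.xx.xx.xx:80\n"
        " revocation-check none\n auto-enroll 80\n!\n"
        "crypto pki trustpoint yyyyyyyy\n enrollment url http://yy.yy.yy.yy:80\n"
        " revocation-check none\n auto-enroll 80\n!\ninterface Tunnel0\n"
    ),
    "spoke-us-02": "hostname spoke-us-02\n!\ninterface Tunnel0\n tunnel mode gre multipoint\n",
    "spoke-uk-01": (
        "hostname spoke-uk-01\n!\n"
        "crypto pki trustpoint xxxxxxxx\n enrollment url http://xx.xx.xx.xx:80\n"
        " auto-enroll 80\n!\n"
        "crypto pki trustpoint yyyyyyyy\n enrollment url http://yy.yy.yy.yy:80\n!\n"
    ),
}

BLOCK_START = re.compile(r"^crypto pki trustpoint (\S+)\s*$")


def parse_trustpoints(config):
    """Return {trustpoint_name: {keyword: rest_of_line}} from running-config text.
    IOS sub-commands are indented one space under their parent; any unindented
    line (including '!') closes the current block."""
    result, current = {}, None
    for line in config.splitlines():
        m = BLOCK_START.match(line)
        if m:
            current = m.group(1)
            result[current] = {}
        elif current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            result[current][key] = value
        else:
            current = None
    return result


def audit(configs, expected=EXPECTED_TRUSTPOINTS):
    """Return {hostname: sorted findings} for spokes whose trustpoint config is not intact."""
    findings = {}
    for host, text in configs.items():
        present = parse_trustpoints(text)
        problems = [f"missing {tp}" for tp in sorted(expected - set(present))]
        problems += [f"no auto-enroll on {tp}" for tp in sorted(expected & set(present))
                     if "auto-enroll" not in present[tp]]
        if problems:
            findings[host] = problems
    return findings


if __name__ == "__main__":
    for host, problems in audit(CONFIGS).items():
        print(f"{host}: {'; '.join(problems)}")
```

Running the block prints one line per affected spoke; a router that is healthy one day and silently empty the next shows up as `missing` for every expected trustpoint, which is the symptom the post describes.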

1 Reply

Rohan Padwal
Level 1

Hello,

Can you share the cert info of the spoke?

sh cry ca cert

sh cry key my rsa 

When you say the trustpoint gets deleted, is the router rebooted?

What is the router IOS version on the spoke and hub?

regards

#Rohan