Cisco Bug: CSCuo50815 - IOS PKI: auto-renewal fails if the first renewal attempt is interrupted
Last Modified
Oct 14, 2019
Products (25)
- Cisco IOS
- Cisco ASR 901-6CZ-FS-D Router
- Cisco ASR 901-6CZ-F-D Router
- Cisco ASR 901-4C-FT-D Router
- Cisco ME 3600X-24TS-M Switch
- Cisco ASR 901S-4SG-F-D Router
- Cisco ASR 901S-2SG-F-D Router
- Cisco ASR 901-6CZ-F-A Router
- Cisco ASR 901S-2SG-F-AH Router
- Cisco ASR 901-6CZ-FT-A Router

Known Affected Releases
15.4(3)S
Description (partial)
Symptom: When the IOS PKI client tries to renew its existing certificate [i.e. the RENEW timer in "show crypto pki timer" reaches 0], if the first attempt is interrupted by a communication failure [for example: the link between the client and the RA/CA is broken], the subsequent attempts to renew the certificate fail.

Debugs will show [debug crypto pki transaction]:

    CRYPTO_PKI: Failed to send the request. There is another request in progress.

Because of this, removing the trustpoint also fails with the following error:

    Error: There is an auto enrolment transaction in progress. Please wait until the current auto enrolment to finish before starting a new enrolment transaction.

"no crypto pki enroll _TP-Name_" does not help in this case.

Conditions: IOS PKI client configured to enroll through an RA, with auto-renewal configured:

    crypto pki trustpoint TP
     enrollment mode ra
     auto-enroll 80
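To find devices exposed to this condition, the check below is an added example (not Cisco code). It flags trustpoints in a saved configuration that match the Conditions above and counts occurrences of the quoted debug message in collected logs. The function names, sample configuration, and log timestamps are constructed for illustration.

```python
import re

# Debug line quoted in the bug description (debug crypto pki transaction).
STUCK_MSG = "CRYPTO_PKI: Failed to send the request. There is another request in progress."

# Constructed sample configuration: only TP matches the bug's Conditions.
SAMPLE_CONFIG = """\
crypto pki trustpoint TP
 enrollment mode ra
 auto-enroll 80
!
crypto pki trustpoint MANUAL
 enrollment mode ra
!
crypto pki trustpoint DIRECT
 auto-enroll 70
!
"""

# Constructed sample log lines (timestamps are made up).
SAMPLE_LOG = """\
*Jan  1 00:00:01.000: CRYPTO_PKI: Failed to send the request. There is another request in progress.
*Jan  1 00:00:02.000: some unrelated debug line
*Jan  1 00:01:01.000: CRYPTO_PKI: Failed to send the request. There is another request in progress.
"""

def affected_trustpoints(config_text):
    """Return trustpoints that have both 'enrollment mode ra' and 'auto-enroll'."""
    trustpoints, current = {}, None
    for raw in config_text.splitlines():
        m = re.match(r"^crypto pki trustpoint (\S+)\s*$", raw)
        if m:
            current = m.group(1)
            trustpoints[current] = set()
        elif current is not None and raw[:1].isspace() and raw.strip():
            trustpoints[current].add(raw.strip())  # sub-command of this trustpoint
        else:
            current = None  # '!' separator or another top-level command
    return sorted(
        name for name, cmds in trustpoints.items()
        if "enrollment mode ra" in cmds
        and any(c == "auto-enroll" or c.startswith("auto-enroll ") for c in cmds)
    )

def stuck_renewal_count(log_text):
    """Count log lines carrying the 'another request in progress' debug message."""
    return sum(1 for line in log_text.splitlines() if STUCK_MSG in line)

if __name__ == "__main__":
    print("Trustpoints matching the Conditions:", affected_trustpoints(SAMPLE_CONFIG))
    print("Stuck-renewal debug lines:", stuck_renewal_count(SAMPLE_LOG))
```

A non-zero count on a device with a matching trustpoint means the certificate may expire without being renewed, so check its remaining validity separately.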