Cisco ASA 5520 Adaptive Security Appliance Technical Manual

keep in mind.
NTP
Certificate authentication requires that the clocks on all participating devices be synchronized to a
common source. While the clock can be set manually on each device, this is not very accurate and
can be cumbersome. The easiest method to synchronize the clocks on all devices is to use NTP.
NTP synchronizes timekeeping among a set of distributed time servers and clients. This
synchronization allows events to be correlated when system logs are created and when other
time-specific events occur. For more information on how to configure NTP, refer to 
.
Tip: When a Cisco IOS software Certificate Authority (CA) server is used, it is common
practice to configure the same device as the NTP master. In this example, the CA server
also serves as the NTP server.
HTTP-URL-Based Certificate Lookup
Certificate lookup based on an HTTP URL avoids the IKE fragmentation that results when large
certificates are transferred inline. This feature is enabled on Cisco IOS software devices by default, so
Cisco IOS software uses certificate request (CERTREQ) encoding type 12 in the negotiation.
If software versions that do not have the fix for Cisco bug ID 
 are used on the ASA,
then the HTTP-URL-based lookup is not negotiated on the ASA, and Cisco IOS software causes
the authorization attempt to fail.
On the ASA, if IKEv2 protocol debugs are enabled, these messages appear:
IKEv2-PROTO-1: (139): Auth exchange failed
IKEv2-PROTO-1: (140): Unsupported cert encoding found or Peer requested
HTTP URL but never sent
HTTP_LOOKUP_SUPPORTED Notification
In order to avoid this issue, use the no crypto ikev2 http-url cert command in order to disable
this feature on the router when it peers with an ASA.
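The following configuration sketch is an added example, not taken from the Cisco document, that ties the NTP and HTTP-URL lookup points together: the router acts as CA and NTP master, the ASA synchronizes its clock to it, and HTTP-URL-based certificate lookup is disabled on the router. The hostname R1, the address 10.0.0.1, the trustpoint IOS-CA, the profile name and the peer FQDN are assumptions.

```cisco
! ---- R1 (Cisco IOS), assumed to be the CA server and the NTP master ----
! Serve time locally at stratum 3 so the ASA and other peers share one clock source
ntp master 3
!
! IKEv2 profile for the ASA peer (names and FQDN are assumed values)
crypto ikev2 profile IKEV2-ASA-PROFILE
 match identity remote fqdn asa.example.com
 identity local dn
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint IOS-CA
!
! Disable HTTP-URL certificate lookup (CERTREQ type 12) so an ASA without the
! fix does not fail the IKE_AUTH exchange
no crypto ikev2 http-url cert
!
! ---- ASA, assumed inside interface reaches R1 at 10.0.0.1 ----
ntp server 10.0.0.1 source inside prefer
!
! Verification (exec mode): "show ntp status" on both devices should report
! synchronization; on the ASA, "debug crypto ikev2 protocol" should no longer
! show "Peer requested HTTP URL but never sent HTTP_LOOKUP_SUPPORTED Notification"
```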
Peer ID Validation
During the IKE_AUTH stage of Internet Security Association and Key Management Protocol (ISAKMP)
negotiations, the peers must identify themselves to each other. However, routers and ASAs differ in
how they select their local identity.
ISAKMP ID Selection on Routers
When IKEv2 tunnels are used on routers, the local identity used in the negotiation is determined
by the identity local command under the IKEv2 profile:
R1(config-ikev2-profile)#identity local ?
 address  address
 dn       Distinguished Name
 email    Fully qualified email string
 fqdn     Fully qualified domain name string