Pending Mode; Enroll Password; CRL Retrieval; Renewing and Revoking Certificates - Enterasys Security Router X-Pedition™ User Manual

Enterasys security router user's guide

Pending Mode

Once you have authenticated against the parent CA in your XSR certificate chain, you then enroll the XSR's IPSec client certificate against the CA using the SCEP enroll command. Depending on how your CA administrator has configured the CA, you may or may not immediately receive your IPSec client certificate when you first enroll. If the CA has been configured to use pending mode, the CA administrator must manually issue or deny your request. The CA administrator may take certain steps to verify that the enrollment request is valid, such as calling the system administrator. This process may take a number of hours or days.

When pending mode is configured, the XSR will log that the operation is pending, and will automatically poll for the certificate three times at five-minute intervals. The number of polls and the interval between polls is adjustable using CLI commands under Crypto Identity configuration mode. This assumes that the CA administrator will issue or deny the XSR enrollment request within a 15-minute window.

Once retries are exhausted, the enrollment becomes invalid and you must enroll again. Each poll request and its result are logged in detail by the XSR. Ask your CA administrator what these values should be.
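
The pending-mode polling schedule described above, modelled as an added example (this is not XSR code or its CLI; the CA's decision is a constructed stub). It shows how the poll count and interval bound the time the CA administrator has to act, and that an approval arriving after the last poll leaves the enrollment invalid until the XSR enrolls again.

```python
"""Model of SCEP pending-mode polling: poll count x interval = decision window."""
from dataclasses import dataclass, field
from typing import Callable, List

# SCEP pkiStatus values (RFC 8894, section 3.2.1.3)
SUCCESS, FAILURE, PENDING = 0, 2, 3


@dataclass
class PollResult:
    attempt: int       # 1-based poll number
    elapsed_min: int   # minutes since the initial PENDING reply
    status: int        # pkiStatus returned by the CA


@dataclass
class EnrollmentOutcome:
    state: str                                   # "issued", "denied" or "invalid"
    log: List[PollResult] = field(default_factory=list)  # one entry per poll


def poll_window_minutes(polls: int, interval_min: int) -> int:
    """Total time the CA administrator has to issue or deny before the XSR gives up."""
    return polls * interval_min


def ca_decision(decide_at_min: int, approve: bool) -> Callable[[int], int]:
    """Constructed stand-in for the CA: PENDING until the administrator acts at
    decide_at_min, then SUCCESS (issued) or FAILURE (denied)."""
    def status_at(elapsed_min: int) -> int:
        if elapsed_min < decide_at_min:
            return PENDING
        return SUCCESS if approve else FAILURE
    return status_at


def run_pending_enrollment(ca_status_at: Callable[[int], int],
                           polls: int = 3, interval_min: int = 5) -> EnrollmentOutcome:
    """Simulate the XSR's polls after an initial PENDING reply (defaults: 3 x 5 min).

    Stops on the first SUCCESS or FAILURE; if every poll is still PENDING the
    retries are exhausted and the enrollment is invalid (must enroll again).
    """
    outcome = EnrollmentOutcome(state="invalid")
    for attempt in range(1, polls + 1):
        elapsed = attempt * interval_min
        status = ca_status_at(elapsed)
        outcome.log.append(PollResult(attempt, elapsed, status))   # each poll is logged
        if status == SUCCESS:
            outcome.state = "issued"
            break
        if status == FAILURE:
            outcome.state = "denied"
            break
    return outcome
```

With the defaults, an administrator who approves at minute 12 is picked up by the third poll, while one who approves at minute 20 is missed unless the poll count or interval is raised.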

Enroll Password

Another way to validate an enrollment request is to ask the CA administrator to issue a specific password for enrollment. This can either be done manually or through a Web page at the CA. If you are required to provide a specific password for the enrollment, you must use that password or your enrollment will fail. If you are allowed to create your own password, be sure to remember it because it is required if you ever wish to revoke a certificate.

CRL Retrieval

As mentioned earlier, a CRL must be retrieved for any IPSec client certificate the XSR uses for authentication. This is done automatically by the XSR whenever a new certificate is encountered and on a maintenance cycle that by default occurs every 60 minutes. Depending on your CA's configuration, you may want to adjust how frequently your maintenance task runs. Ask your CA administrator what this value should be set to.

Renewing and Revoking Certificates

A certificate has an expiration date. Additionally, certificates can be revoked at the CA before their expiration time is reached. When a certificate expires, the XSR must be re-authenticated for CA certificates or re-enrolled for its IPSec client certificate: this is not an automatic process.

Only the CA administrator can revoke a certificate - the password used to create the certificate during enrollment is required to revoke it. Revoked certificates will appear in the next CRL. Discuss these periods and strategies with your CA administrator.

DF Bit Functionality

The XSR's DF bit override feature with IPSec tunnels configures the setting of the DF bit when encapsulating tunnel mode IPSec traffic. If the DF bit is set to clear, the XSR can fragment packets regardless of the original DF bit setting. The DF (Don't Fragment) bit within the IP header determines whether a router is allowed to fragment a packet.