APIC-EM IWAN DEPLOYMENT FAILURE ERRORS: PKI-3-CERTIFICATE_INVALID and %PKI-3-SOCKETSELECT

I was recently doing some labbing of APIC-EM and IWAN deployments. I got to the point where my HUB was deployed, and then I attempted to deploy 2 branches but failed. I was getting these errors on my Routers:

PKI-3-CERTIFICATE_INVALID: Certificate chain validation has failed
%PKI-3-SOCKETSELECT: Failed to select the socket.

APIC-EM seems to deploy IWAN with PKI authenticated IKEv2 so my spokes/branches were getting stuck failing to auth and DMVPN never came up.

The resolution ended up being to just turn off the CRL check on HUB and SPOKES:

crypto pki trustpoint sdn-network-infra-iwan
revocation-check none



Leave a comment