[c-nsp] am I being bitten by this bug .CSCsw37419 (can't connect using certificates with VPN client)
Scott Granados
gsgranados at comcast.net
Thu Jan 7 18:26:16 EST 2010
Hi,
I am using a pair of ASA5520s and the Cisco VPN client (latest release
5.x.160)
When I connect on the client side I see the following log entries.
25 14:25:48.843 01/07/10 Sev=Info/6 CERT/0x63600034
Attempting to sign the hash for Windows XP or higher.
26 14:25:49.187 01/07/10 Sev=Info/6 CERT/0x63600035
Done with the hash signing with signature length of 0.
27 14:25:49.187 01/07/10 Sev=Info/4 CERT/0xE3600005
Failed to RSA sign the hash for IKE phase 1 negotiation using my
certificate.
28 14:25:49.187 01/07/10 Sev=Warning/2 IKE/0xE300009B
Failed to generate signature: Signature generation failed (SigUtil:97)
29 14:25:49.187 01/07/10 Sev=Warning/2 IKE/0xE300009B
Failed to build Signature payload (MsgHandlerMM:489)
30 14:25:49.187 01/07/10 Sev=Warning/2 IKE/0xE300009B
Failed to build MM msg5 (NavigatorMM:312)
31 14:25:49.187 01/07/10 Sev=Warning/2 IKE/0xE30000A7
Unexpected SW error occurred while processing Identity Protection (Main
Mode) negotiator:(Navigator:2263)
32 14:25:49.187 01/07/10 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=6473C3B48C8C1075
R_Cookie=9EBD9CB7CEFA7EC2) reason = DEL_REASON_IKE_NEG_FAILED
When I Googled I found mention of issues if a cert uses a 4096 bit key. My
CA server has a root cert 4096 bits in length. Have I identified the
problem or are there other things I should test before I have our Windows
admin revoke the main root cert and start creating from scratch? We're in a
testing phase for both the CA and ASA so starting over is not a big deal but
before I create extra work I want to have some evidence. Any pointers would
be appreciated.
Thank you
Scott
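Added example, not part of the original post: a small parser for the Cisco VPN client log format quoted above (entry header on one line, message text wrapped onto the lines that follow), which pulls out the signature length reported by the CERT component, the CERT failure code and the IKE SA deletion reason so the failure can be tracked across a batch of client logs before touching the CA. It assumes the header layout shown in the post and uses only the lines quoted there as constructed sample input.

```python
import re
# Constructed sample: the client log lines quoted in the post (entries 26, 27 and 32).
SAMPLE_LOG = """
26 14:25:49.187 01/07/10 Sev=Info/6 CERT/0x63600035
Done with the hash signing with signature length of 0.
27 14:25:49.187 01/07/10 Sev=Info/4 CERT/0xE3600005
Failed to RSA sign the hash for IKE phase 1 negotiation using my
certificate.
32 14:25:49.187 01/07/10 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=6473C3B48C8C1075
R_Cookie=9EBD9CB7CEFA7EC2) reason = DEL_REASON_IKE_NEG_FAILED
"""

# One entry header: "<seq> <time> <date> Sev=<name>/<n> <component>/0x<code>";
# the message text follows on the next line(s) and may be wrapped by e-mail.
HEADER = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<date>\d\d/\d\d/\d\d)\s+"
    r"Sev=(?P<sev>\w+)/(?P<level>\d)\s+(?P<component>\w+)/0x(?P<code>[0-9A-Fa-f]{8})$"
)

def parse_entries(text):
    """Group each header with its continuation lines into one entry."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            entries.append({**m.groupdict(), "message": ""})
        elif entries:  # continuation of the previous entry's wrapped message
            entries[-1]["message"] = (entries[-1]["message"] + " " + line).strip()
    return entries

def diagnose_cert_signing(text):
    """Summarise what the log says about the IKE phase 1 certificate signature."""
    result = {"signature_length": None, "failure_code": None, "sa_delete_reason": None}
    for e in parse_entries(text):
        msg = e["message"]
        if e["component"] == "CERT":
            m = re.search(r"signature length of (\d+)", msg)
            if m:
                result["signature_length"] = int(m.group(1))
            if msg.startswith("Failed to RSA sign"):
                result["failure_code"] = "0x" + e["code"].upper()
        elif e["component"] == "IKE" and "DEL_REASON" in msg:
            m = re.search(r"reason = (\w+)", msg)
            if m:
                result["sa_delete_reason"] = m.group(1)
    return result
```

A signature length of 0 followed by the 0xE3600005 failure means the client never produced a signature at all, which is the evidence to correlate with the key size of the client and CA certificates on each failing machine.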