[c-nsp] am I being bitten by this bug .CSCsw37419 (can't connect using certificates with VPN client)

Scott Granados gsgranados at comcast.net
Thu Jan 7 19:06:14 EST 2010


The version I'm using is
5.0.06.0160-k9
which is the most recent version available in the download manager.

Thanks
Scott

----- Original Message ----- 
From: "David Prall" <dcp at dcptech.com>
To: "'Scott Granados'" <gsgranados at comcast.net>; <cisco-nsp at puck.nether.net>
Sent: Thursday, January 07, 2010 4:01 PM
Subject: RE: [c-nsp] am I being bitten by this bug .CSCsw37419 (can't connect using certificates with VPN client)


> CSCei52413 is the ASA/PIX issue. Should be in 7.0(4) and beyond.
> CSCsw37419 is the client issue. It is fixed in code beyond 5.0.6.110,
> don't know exactly what you are running with 5.x.160
>
>
> --
> http://dcp.dcptech.com
>
>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Granados
>> Sent: Thursday, January 07, 2010 6:26 PM
>> To: cisco-nsp at puck.nether.net
>> Subject: [c-nsp] am I being bitten by this bug .CSCsw37419 (can't connect using certificates with VPN client)
>>
>> Hi,
>> I am using a pair of ASA5520s and the Cisco VPN client (latest release
>> 5.x.160)
>> When I connect on the client side I see the following log entries.
>>
>> 25     14:25:48.843  01/07/10  Sev=Info/6 CERT/0x63600034
>> Attempting to sign the hash for Windows XP or higher.
>>
>> 26     14:25:49.187  01/07/10  Sev=Info/6 CERT/0x63600035
>> Done with the hash signing with signature length of 0.
>>
>> 27     14:25:49.187  01/07/10  Sev=Info/4 CERT/0xE3600005
>> Failed to RSA sign the hash for IKE phase 1 negotiation using my
>> certificate.
>>
>> 28     14:25:49.187  01/07/10  Sev=Warning/2 IKE/0xE300009B
>> Failed to generate signature: Signature generation failed (SigUtil:97)
>>
>> 29     14:25:49.187  01/07/10  Sev=Warning/2 IKE/0xE300009B
>> Failed to build Signature payload (MsgHandlerMM:489)
>>
>> 30     14:25:49.187  01/07/10  Sev=Warning/2 IKE/0xE300009B
>> Failed to build MM msg5 (NavigatorMM:312)
>>
>> 31     14:25:49.187  01/07/10  Sev=Warning/2 IKE/0xE30000A7
>> Unexpected SW error occurred while processing Identity Protection (Main
>> Mode) negotiator:(Navigator:2263)
>>
>> 32     14:25:49.187  01/07/10  Sev=Info/4 IKE/0x63000017
>> Marking IKE SA for deletion  (I_Cookie=6473C3B48C8C1075
>> R_Cookie=9EBD9CB7CEFA7EC2) reason = DEL_REASON_IKE_NEG_FAILED
>>
>> When I googled I found mention of issues if a cert uses a 4096 bit key. My
>> CA server has a root cert 4096 bits in length.  Have I identified the
>> problem or are there other things I should test before I have our Windows
>> admin revoke the main root cert and start creating from scratch?  We're in a
>> testing phase for both the CA and ASA so starting over is not a big deal but
>> before I create extra work I want to have some evidence.  Any pointers would
>> be appreciated.
>>
>> Thank you
>> Scott
>>
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
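
An added example, not part of the thread or of any Cisco tooling: a parser for the VPN client log format quoted in the original message, which flags a CERT entry reporting a zero-length signature and summarises how the IKE layer reacted afterwards. The function names are hypothetical, and the sample is four entries taken from the log quoted above with quote markers and blank lines removed.

```python
import re

# Entry header: "<n> <hh:mm:ss.mmm> <mm/dd/yy> Sev=<name>/<level> <component>/<code>"
HEADER = re.compile(
    r"^(?P<n>\d+)\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<date>\d\d/\d\d/\d\d)\s+"
    r"Sev=(?P<sev>\w+)/(?P<level>\d+)\s+(?P<comp>\w+)/(?P<code>0x[0-9A-Fa-f]+)\s*$"
)
SIG_LEN = re.compile(r"signature length of (\d+)")
DEL_REASON = re.compile(r"reason = (\w+)")

def parse_entries(text):
    """Split a client log into entries; a message may wrap over several lines."""
    entries = []
    for line in text.splitlines():
        line = line.lstrip("> ").rstrip()  # tolerate mail quote markers
        m = HEADER.match(line)
        if m:
            entries.append({**m.groupdict(), "msg": ""})
        elif line and entries:
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line).strip()
    return entries

def triage_signing_failure(entries):
    """Find a CERT entry with an empty signature and report what followed it."""
    for i, e in enumerate(entries):
        m = SIG_LEN.search(e["msg"])
        if e["comp"] == "CERT" and m and int(m.group(1)) == 0:
            later = entries[i + 1:]
            reasons = [r.group(1) for x in later if (r := DEL_REASON.search(x["msg"]))]
            return {
                "entry": int(e["n"]),
                "ike_warnings": sum(1 for x in later if x["comp"] == "IKE" and x["sev"] == "Warning"),
                "sa_delete_reason": reasons[0] if reasons else None,
            }
    return None

# Sample: entries 26, 27, 28 and 32 from the log quoted in the message above.
SAMPLE = """\
26     14:25:49.187  01/07/10  Sev=Info/6 CERT/0x63600035
Done with the hash signing with signature length of 0.
27     14:25:49.187  01/07/10  Sev=Info/4 CERT/0xE3600005
Failed to RSA sign the hash for IKE phase 1 negotiation using my
certificate.
28     14:25:49.187  01/07/10  Sev=Warning/2 IKE/0xE300009B
Failed to generate signature: Signature generation failed (SigUtil:97)
32     14:25:49.187  01/07/10  Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=6473C3B48C8C1075
R_Cookie=9EBD9CB7CEFA7EC2) reason = DEL_REASON_IKE_NEG_FAILED
"""
```

A match only shows that the client produced no signature before Main Mode failed; it does not say why, so the certificate chain and client version still need checking.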


