[c-nsp] am I being bitten by this bug .CSCsw37419 (can't connect using certificates with VPN client)

David Prall dcp at dcptech.com
Thu Jan 7 19:15:17 EST 2010


Both bugs show as Verified. The ASA bug shows as Integrated. The Client does
not. Open a TAC case and have them link it to the bug, and verify if it is
in the release you have. Per the bug it should be since they verified with
5.0.6.110. 

--
http://dcp.dcptech.com


> -----Original Message-----
> From: Scott Granados [mailto:gsgranados at comcast.net]
> Sent: Thursday, January 07, 2010 7:06 PM
> To: David Prall; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] am I being bitten by this bug .CSCsw37419 (can't
> connect using certificates with VPN client)
> 
> The version I'm using is
> 5.0.06.0160-k9
> which is the most recent version available in the download manager.
> 
> Thanks
> Scott
> 
> ----- Original Message -----
> From: "David Prall" <dcp at dcptech.com>
> To: "'Scott Granados'" <gsgranados at comcast.net>; <cisco-
> nsp at puck.nether.net>
> Sent: Thursday, January 07, 2010 4:01 PM
> Subject: RE: [c-nsp] am I being bitten by this bug .CSCsw37419 (can't
> connect using certificates with VPN client)
> 
> 
> > CSCei52413 is the ASA/PIX issue. Should be in 7.0(4) and beyond.
> > CSCsw37419 is the client issue. It is fixed in code beyond 5.0.6.110,
> > don't know exactly what you are running with 5.x.160
> >
> >
> > --
> > http://dcp.dcptech.com
> >
> >
> >> -----Original Message-----
> >> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> >> bounces at puck.nether.net] On Behalf Of Scott Granados
> >> Sent: Thursday, January 07, 2010 6:26 PM
> >> To: cisco-nsp at puck.nether.net
> >> Subject: [c-nsp] am I being bitten by this bug .CSCsw37419 (can't
> >> connect using certificates with VPN client)
> >>
> >> Hi,
> >> I am using a pair of ASA5520s and the Cisco VPN client (latest release
> >> 5.x.160)
> >> When I connect on the client side I see the following log entries.
> >>
> >> 25     14:25:48.843  01/07/10  Sev=Info/6 CERT/0x63600034
> >> Attempting to sign the hash for Windows XP or higher.
> >>
> >> 26     14:25:49.187  01/07/10  Sev=Info/6 CERT/0x63600035
> >> Done with the hash signing with signature length of 0.
> >>
> >> 27     14:25:49.187  01/07/10  Sev=Info/4 CERT/0xE3600005
> >> Failed to RSA sign the hash for IKE phase 1 negotiation using my
> >> certificate.
> >>
> >> 28     14:25:49.187  01/07/10  Sev=Warning/2 IKE/0xE300009B
> >> Failed to generate signature: Signature generation failed (SigUtil:97)
> >>
> >> 29     14:25:49.187  01/07/10  Sev=Warning/2 IKE/0xE300009B
> >> Failed to build Signature payload (MsgHandlerMM:489)
> >>
> >> 30     14:25:49.187  01/07/10  Sev=Warning/2 IKE/0xE300009B
> >> Failed to build MM msg5 (NavigatorMM:312)
> >>
> >> 31     14:25:49.187  01/07/10  Sev=Warning/2 IKE/0xE30000A7
> >> Unexpected SW error occurred while processing Identity Protection (Main
> >> Mode) negotiator:(Navigator:2263)
> >>
> >> 32     14:25:49.187  01/07/10  Sev=Info/4 IKE/0x63000017
> >> Marking IKE SA for deletion  (I_Cookie=6473C3B48C8C1075
> >> R_Cookie=9EBD9CB7CEFA7EC2) reason = DEL_REASON_IKE_NEG_FAILED
> >>
> >> When I googled I found mention of issues if a cert uses a 4096 bit key.
> >> My CA server has a root cert 4096 bits in length.  Have I identified the
> >> problem or are there other things I should test before I have our
> >> Windows admin revoke the main root cert and start creating from scratch?
> >> We're in a testing phase for both the CA and ASA so starting over is not
> >> a big deal but before I create extra work I want to have some evidence.
> >> Any pointers would be appreciated.
> >>
> >> Thank you
> >> Scott
> >>
> >> _______________________________________________
> >> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/cisco-nsp
> >> archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
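Two checks that follow from the log excerpt Scott quoted, written here as an added example that is not part of the thread or of any Cisco tool: a parser for the client log format that decides whether the failure is local certificate signing (the crypto provider returning a zero-length signature before MM msg5 is even built) rather than something on the ASA side, and a small DER walk that reports the RSA modulus size inside a certificate's SubjectPublicKeyInfo, so the 4096-bit suspicion can be checked against the actual certificates instead of revoking the root on a hunch. The log header layout (sequence, time, date, Sev=Name/N, SUBSYS/0xCODE) is inferred from the quoted lines; `sample_spki()` builds a dummy modulus purely for testing and is not a real key; to check a real certificate, feed `rsa_modulus_bits()` its DER bytes (for example the output of `openssl x509 -outform DER`).

```python
# Added example, not from the thread: triage the VPN client log excerpt and
# measure the RSA modulus size in a DER SubjectPublicKeyInfo.
# Assumptions: the log header layout is inferred from Scott's lines; the DER
# walk handles only rsaEncryption keys; sample_spki() builds a dummy modulus.
import re

# Events as quoted in Scott's post (29-31 left out to keep the sample short).
SAMPLE_LOG = """\
25     14:25:48.843  01/07/10  Sev=Info/6 CERT/0x63600034
Attempting to sign the hash for Windows XP or higher.
26     14:25:49.187  01/07/10  Sev=Info/6 CERT/0x63600035
Done with the hash signing with signature length of 0.
27     14:25:49.187  01/07/10  Sev=Info/4 CERT/0xE3600005
Failed to RSA sign the hash for IKE phase 1 negotiation using my certificate.
28     14:25:49.187  01/07/10  Sev=Warning/2 IKE/0xE300009B
Failed to generate signature: Signature generation failed (SigUtil:97)
32     14:25:49.187  01/07/10  Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=6473C3B48C8C1075 R_Cookie=9EBD9CB7CEFA7EC2) reason = DEL_REASON_IKE_NEG_FAILED
"""

HEADER_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<date>\d\d/\d\d/\d\d)"
    r"\s+Sev=(?P<sev>\w+)/(?P<level>\d)\s+(?P<subsys>\w+)/(?P<code>0x[0-9A-Fa-f]+)\s*$")
SIG_LEN_RE = re.compile(r"signature length of (\d+)")
COOKIE_RE = re.compile(r"I_Cookie=([0-9A-F]+)\s+R_Cookie=([0-9A-F]+)")


def parse_events(text):
    """Split the client log into events: one header line plus its message lines."""
    events, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.groupdict()
            current["seq"], current["level"] = int(current["seq"]), int(current["level"])
            current["msg"] = ""
            events.append(current)
        elif current is not None and line.strip():
            current["msg"] = (current["msg"] + " " + line.strip()).strip()
    return events


def diagnose(events):
    """Decide whether the IKE failure originates in local certificate signing."""
    result = {"empty_signature": False, "rsa_sign_failed": False,
              "ike_cookies": None, "verdict": "no certificate-signing failure seen"}
    for ev in events:
        m = SIG_LEN_RE.search(ev["msg"])
        if ev["subsys"] == "CERT" and m and int(m.group(1)) == 0:
            result["empty_signature"] = True
        if ev["subsys"] == "CERT" and "Failed to RSA sign" in ev["msg"]:
            result["rsa_sign_failed"] = True
        c = COOKIE_RE.search(ev["msg"])
        if c:
            result["ike_cookies"] = c.groups()   # correlate with ASA-side IKE debugs
    if result["empty_signature"] and result["rsa_sign_failed"]:
        result["verdict"] = ("client-side: the crypto provider returned a zero-length "
                             "RSA signature before MM msg5 was built, so look at the "
                             "client certificate and its key before the ASA config")
    return result


# --- minimal DER walk: RSA modulus size from a SubjectPublicKeyInfo ----------
RSA_OID = bytes.fromhex("06092a864886f70d010101")   # OID 1.2.840.113549.1.1.1


def _der_len(buf, pos):
    """Decode a DER length at buf[pos]; return (length, offset of the content)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def rsa_modulus_bits(der):
    """Return the RSA modulus bit length found in a DER cert or SPKI, or None."""
    pos = der.find(RSA_OID)
    if pos < 0:
        return None
    pos += len(RSA_OID)
    if der[pos:pos + 2] == b"\x05\x00":      # AlgorithmIdentifier NULL parameters
        pos += 2
    # BIT STRING (skip its unused-bits octet), then SEQUENCE, then modulus INTEGER.
    for tag, skip in ((0x03, 1), (0x30, 0), (0x02, 0)):
        if der[pos] != tag:
            return None
        n, pos = _der_len(der, pos + 1)
        pos += skip
    return int.from_bytes(der[pos:pos + n], "big").bit_length()   # n = modulus length


def _der(tag, payload):
    """Encode one DER TLV, short or long-form length."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def sample_spki(bits):
    """CONSTRUCTED test input: an SPKI around a dummy modulus of `bits` bits."""
    def der_int(v):            # pad so the top bit is never read as a sign bit
        return _der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))
    modulus = (1 << (bits - 1)) | 1
    rsa_key = _der(0x30, der_int(modulus) + der_int(65537))
    alg_id = _der(0x30, RSA_OID + b"\x05\x00")
    return _der(0x30, alg_id + _der(0x03, b"\x00" + rsa_key))
```

The failing step signs with the client's own private key ("using my certificate"), so the client certificate's modulus size is the first number worth collecting; the 4096-bit root is a separate data point, and running `rsa_modulus_bits()` over every certificate in the chain (root, any intermediate, the client cert) gives the evidence Scott asked for before anyone revokes anything. The IKE cookies the parser pulls out are what to match against the ASA's own IKE debug output when correlating the two sides.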