[c-nsp] am I being bitten by this bug .CSCsw37419 (can't connect using certificates with VPN client)
David Prall
dcp at dcptech.com
Thu Jan 7 19:01:03 EST 2010
CSCei52413 is the ASA/PIX issue. Should be in 7.0(4) and beyond.
CSCsw37419 is the client issue. It is fixed in code beyond 5.0.6.110, don't
know exactly what you are running with 5.x.160
--
http://dcp.dcptech.com
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Scott Granados
> Sent: Thursday, January 07, 2010 6:26 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] am I being bitten by this bug .CSCsw37419 (can't
> connect using certificates with VPN client)
>
> Hi,
> I am using a pair of ASA5520s and the Cisco VPN client (latest release
> 5.x.160). When I connect on the client side I see the following log entries.
>
> 25 14:25:48.843 01/07/10 Sev=Info/6 CERT/0x63600034
> Attempting to sign the hash for Windows XP or higher.
>
> 26 14:25:49.187 01/07/10 Sev=Info/6 CERT/0x63600035
> Done with the hash signing with signature length of 0.
>
> 27 14:25:49.187 01/07/10 Sev=Info/4 CERT/0xE3600005
> Failed to RSA sign the hash for IKE phase 1 negotiation using my
> certificate.
>
> 28 14:25:49.187 01/07/10 Sev=Warning/2 IKE/0xE300009B
> Failed to generate signature: Signature generation failed (SigUtil:97)
>
> 29 14:25:49.187 01/07/10 Sev=Warning/2 IKE/0xE300009B
> Failed to build Signature payload (MsgHandlerMM:489)
>
> 30 14:25:49.187 01/07/10 Sev=Warning/2 IKE/0xE300009B
> Failed to build MM msg5 (NavigatorMM:312)
>
> 31 14:25:49.187 01/07/10 Sev=Warning/2 IKE/0xE30000A7
> Unexpected SW error occurred while processing Identity Protection (Main
> Mode) negotiator:(Navigator:2263)
>
> 32 14:25:49.187 01/07/10 Sev=Info/4 IKE/0x63000017
> Marking IKE SA for deletion (I_Cookie=6473C3B48C8C1075
> R_Cookie=9EBD9CB7CEFA7EC2) reason = DEL_REASON_IKE_NEG_FAILED
>
> When I googled I found mention of issues if a cert uses a 4096 bit key. My
> CA server has a root cert 4096 bits in length. Have I identified the
> problem, or are there other things I should test before I have our Windows
> admin revoke the main root cert and start creating from scratch? We're in a
> testing phase for both the CA and ASA so starting over is not a big deal, but
> before I create extra work I want to have some evidence. Any pointers would
> be appreciated.
>
> Thank you
> Scott
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
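For anyone triaging the same symptom, here is an added example (not code from either poster or from Cisco) that parses the Cisco VPN client log excerpt quoted above and localises the failure. The two-line record layout (sequence number, time, date, `Sev=Level/n`, `Component/0xCODE`, then a wrapped message) is inferred from the quoted lines only; the field names, the `LogEntry`/`Diagnosis` classes and the verdict wording are this example's own assumptions. The point it makes is that a signature length of 0 followed by "Failed to build MM msg5" means the client never produced a signature payload to send, so the headend is not where to look first.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the client log quoted in the thread, abridged to the
# entries that matter for the diagnosis (wrapped lines kept as they appear).
SAMPLE_LOG = """\
25 14:25:48.843 01/07/10 Sev=Info/6 CERT/0x63600034
Attempting to sign the hash for Windows XP or higher.

26 14:25:49.187 01/07/10 Sev=Info/6 CERT/0x63600035
Done with the hash signing with signature length of 0.

27 14:25:49.187 01/07/10 Sev=Info/4 CERT/0xE3600005
Failed to RSA sign the hash for IKE phase 1 negotiation using my
certificate.

28 14:25:49.187 01/07/10 Sev=Warning/2 IKE/0xE300009B
Failed to generate signature: Signature generation failed (SigUtil:97)

30 14:25:49.187 01/07/10 Sev=Warning/2 IKE/0xE300009B
Failed to build MM msg5 (NavigatorMM:312)

32 14:25:49.187 01/07/10 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=6473C3B48C8C1075
R_Cookie=9EBD9CB7CEFA7EC2) reason = DEL_REASON_IKE_NEG_FAILED
"""

# Header line layout as inferred from the quoted log (assumption).
HEADER_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<date>\d{2}/\d{2}/\d{2})\s+"
    r"Sev=(?P<sev>[A-Za-z]+)/(?P<level>\d)\s+(?P<comp>[A-Za-z]+)/0x(?P<code>[0-9A-Fa-f]{8})\s*$"
)


@dataclass
class LogEntry:
    seq: int
    time: str
    date: str
    severity: str
    level: int
    component: str
    code: int
    message: str  # wrapped continuation lines re-joined with single spaces


def parse_entries(text: str) -> List[LogEntry]:
    """Split the two-line client log into structured entries."""
    entries: List[LogEntry] = []
    header: Optional[dict] = None
    body: List[str] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            if header is not None:
                entries.append(LogEntry(**header, message=" ".join(body)))
            header = {
                "seq": int(m["seq"]), "time": m["time"], "date": m["date"],
                "severity": m["sev"], "level": int(m["level"]),
                "component": m["comp"], "code": int(m["code"], 16),
            }
            body = []
        elif line.strip() and header is not None:
            body.append(line.strip())
    if header is not None:
        entries.append(LogEntry(**header, message=" ".join(body)))
    return entries


@dataclass
class Diagnosis:
    signature_length: Optional[int]
    rsa_sign_failed: bool
    failed_stage: Optional[str]        # e.g. "MM msg5"
    ike_deleted_reason: Optional[str]
    initiator_cookie: Optional[str]
    responder_cookie: Optional[str]
    verdict: str


def diagnose(entries: List[LogEntry]) -> Diagnosis:
    """Correlate the CERT signing result with the IKE main-mode failure."""
    sig_len, rsa_failed, stage, reason = None, False, None, None
    icookie = rcookie = None
    for e in entries:
        if m := re.search(r"signature length of (\d+)", e.message):
            sig_len = int(m.group(1))
        if e.component == "CERT" and "Failed to RSA sign" in e.message:
            rsa_failed = True
        if m := re.search(r"Failed to build (MM msg\d+)", e.message):
            stage = m.group(1)
        if m := re.search(r"I_Cookie=([0-9A-F]+)\s+R_Cookie=([0-9A-F]+)\)\s*reason\s*=\s*(\w+)", e.message):
            icookie, rcookie, reason = m.groups()
    if rsa_failed and sig_len == 0:
        # An empty signature is produced locally, before any payload is sent:
        # the problem is the client's certificate/private-key handling, not the ASA.
        verdict = f"client-local signing failure before {stage or 'the signature payload'}"
    elif rsa_failed:
        verdict = "client-local signing failure (non-empty signature rejected)"
    elif reason:
        verdict = f"IKE SA deleted ({reason}) without a local signing error"
    else:
        verdict = "no certificate/IKE failure pattern found"
    return Diagnosis(sig_len, rsa_failed, stage, reason, icookie, rcookie, verdict)


if __name__ == "__main__":
    d = diagnose(parse_entries(SAMPLE_LOG))
    print(f"{d.verdict}; IKE SA {d.initiator_cookie}/{d.responder_cookie} -> {d.ike_deleted_reason}")
```

Run against a full client log, the same parser lets you confirm whether the signing step ever succeeded for another certificate on the same machine, which is the cheap check to make before asking the CA admin to revoke and re-issue.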