The version I'm using is
5.0.06.0160-k9
which is the most recent version available in the download manager.
Thanks
Scott
----- Original Message -----
From: "David Prall" <[email protected]>
To: "'Scott Granados'" <[email protected]>; <[email protected]>
Sent: Thursday, January 07, 2010 4:01 PM
Subject: RE: [c-nsp] am I being bitten by this bug .CSCsw37419 (can't
connect using certificates with VPN client)
CSCei52413 is the ASA/PIX issue. Should be in 7.0(4) and beyond.
CSCsw37419 is the client issue. It is fixed in code beyond 5.0.6.110,
don't
know exactly what you are running with 5.x.160
--
http://dcp.dcptech.com
-----Original Message-----
From: [email protected] [mailto:cisco-nsp-
[email protected]] On Behalf Of Scott Granados
Sent: Thursday, January 07, 2010 6:26 PM
To: [email protected]
Subject: [c-nsp] am I being bitten by this bug .CSCsw37419 (can't
connect using certificates with VPN client)
Hi,
I am using a pair of ASA5520s and the Cisco VPN client (latest release
5.x.160)
When I connect on the client side I see the following log entries.
25 14:25:48.843 01/07/10 Sev=Info/6 CERT/0x63600034
Attempting to sign the hash for Windows XP or higher.
26 14:25:49.187 01/07/10 Sev=Info/6 CERT/0x63600035
Done with the hash signing with signature length of 0.
27 14:25:49.187 01/07/10 Sev=Info/4 CERT/0xE3600005
Failed to RSA sign the hash for IKE phase 1 negotiation using my
certificate.
28 14:25:49.187 01/07/10 Sev=Warning/2 IKE/0xE300009B
Failed to generate signature: Signature generation failed (SigUtil:97)
29 14:25:49.187 01/07/10 Sev=Warning/2 IKE/0xE300009B
Failed to build Signature payload (MsgHandlerMM:489)
30 14:25:49.187 01/07/10 Sev=Warning/2 IKE/0xE300009B
Failed to build MM msg5 (NavigatorMM:312)
31 14:25:49.187 01/07/10 Sev=Warning/2 IKE/0xE30000A7
Unexpected SW error occurred while processing Identity Protection (Main
Mode) negotiator:(Navigator:2263)
32 14:25:49.187 01/07/10 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=6473C3B48C8C1075
R_Cookie=9EBD9CB7CEFA7EC2) reason = DEL_REASON_IKE_NEG_FAILED
When I googled I found mention of issues if a cert uses a 4096 bit key.
My
ca server has a root cert 4096 bits in length. Have I Identified the
problem or are there other things I should test before I have our
windows
admin revoke the main root cert and start creating from scratch? We're
in a
testing phase for both the CA and ASA so starting over is not a big
deal but
before I create extra work I want to have some evidence. Any pointers
would
be appreciated.
Thank you
Scott
_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
