Both bugs show as Verified. The ASA bug shows as Integrated. The Client does not. Open a TAC case and have them link it to the bug, and verify if it is in the release you have. Per the bug it should be since they verified with 5.0.6.110.
--
http://dcp.dcptech.com

> -----Original Message-----
> From: Scott Granados [mailto:[email protected]]
> Sent: Thursday, January 07, 2010 7:06 PM
> To: David Prall; [email protected]
> Subject: Re: [c-nsp] am I being bitten by this bug .CSCsw37419 (can't
> connect using certificates with VPN client)
>
> The version I'm using is
> 5.0.06.0160-k9
> which is the most recent version available in the download manager.
>
> Thanks
> Scott
>
> ----- Original Message -----
> From: "David Prall" <[email protected]>
> To: "'Scott Granados'" <[email protected]>; <cisco-
> [email protected]>
> Sent: Thursday, January 07, 2010 4:01 PM
> Subject: RE: [c-nsp] am I being bitten by this bug .CSCsw37419 (can't
> connect using certificates with VPN client)
>
> > CSCei52413 is the ASA/PIX issue. Should be in 7.0(4) and beyond.
> > CSCsw37419 is the client issue. It is fixed in code beyond 5.0.6.110, don't
> > know exactly what you are running with 5.x.160
> >
> > --
> > http://dcp.dcptech.com
> >
> >> -----Original Message-----
> >> From: [email protected] [mailto:cisco-nsp-
> >> [email protected]] On Behalf Of Scott Granados
> >> Sent: Thursday, January 07, 2010 6:26 PM
> >> To: [email protected]
> >> Subject: [c-nsp] am I being bitten by this bug .CSCsw37419 (can't
> >> connect using certificates with VPN client)
> >>
> >> Hi,
> >> I am using a pair of ASA5520s and the Cisco VPN client (latest release
> >> 5.x.160)
> >> When I connect on the client side I see the following log entries.
> >>
> >> 25 14:25:48.843 01/07/10 Sev=Info/6 CERT/0x63600034
> >> Attempting to sign the hash for Windows XP or higher.
> >>
> >> 26 14:25:49.187 01/07/10 Sev=Info/6 CERT/0x63600035
> >> Done with the hash signing with signature length of 0.
> >>
> >> 27 14:25:49.187 01/07/10 Sev=Info/4 CERT/0xE3600005
> >> Failed to RSA sign the hash for IKE phase 1 negotiation using my
> >> certificate.
> >>
> >> 28 14:25:49.187 01/07/10 Sev=Warning/2 IKE/0xE300009B
> >> Failed to generate signature: Signature generation failed (SigUtil:97)
> >>
> >> 29 14:25:49.187 01/07/10 Sev=Warning/2 IKE/0xE300009B
> >> Failed to build Signature payload (MsgHandlerMM:489)
> >>
> >> 30 14:25:49.187 01/07/10 Sev=Warning/2 IKE/0xE300009B
> >> Failed to build MM msg5 (NavigatorMM:312)
> >>
> >> 31 14:25:49.187 01/07/10 Sev=Warning/2 IKE/0xE30000A7
> >> Unexpected SW error occurred while processing Identity Protection (Main
> >> Mode) negotiator:(Navigator:2263)
> >>
> >> 32 14:25:49.187 01/07/10 Sev=Info/4 IKE/0x63000017
> >> Marking IKE SA for deletion (I_Cookie=6473C3B48C8C1075
> >> R_Cookie=9EBD9CB7CEFA7EC2) reason = DEL_REASON_IKE_NEG_FAILED
> >>
> >> When I googled I found mention of issues if a cert uses a 4096 bit key.
> >> My ca server has a root cert 4096 bits in length. Have I Identified the
> >> problem or are there other things I should test before I have our windows
> >> admin revoke the main root cert and start creating from scratch? We're
> >> in a testing phase for both the CA and ASA so starting over is not a big
> >> deal but before I create extra work I want to have some evidence. Any
> >> pointers would be appreciated.
> >>
> >> Thank you
> >> Scott
> >>
> >> _______________________________________________
> >> cisco-nsp mailing list [email protected]
> >> https://puck.nether.net/mailman/listinfo/cisco-nsp
> >> archive at http://puck.nether.net/pipermail/cisco-nsp/
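
Added example, not part of the original thread and not Cisco code: a small Python parser for the client log format quoted in the question, which ties a zero-length signature entry to the entries that follow it and to the IKE SA teardown. The function names are made up for illustration, and the embedded log is an excerpt of the entries from the post.

```python
import re
# Entry header as in the post: <seq> <time> <date> Sev=<name>/<level> <module>/0x<id>
HEADER = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>[\d:.]+)\s+(?P<date>[\d/]+)\s+"
    r"Sev=(?P<sev>\w+)/(?P<level>\d+)\s+(?P<module>\w+)/0x(?P<msgid>[0-9A-Fa-f]+)$")
SIG_LEN = re.compile(r"signature length of (\d+)")
SA_DELETE = re.compile(r"I_Cookie=(\w+)\s+R_Cookie=(\w+)\)\s+reason = (\w+)")
# Excerpt of the log from the post (entries 26, 27 and 32), quote markers removed.
SAMPLE_LOG = """\
26 14:25:49.187 01/07/10 Sev=Info/6 CERT/0x63600035
Done with the hash signing with signature length of 0.
27 14:25:49.187 01/07/10 Sev=Info/4 CERT/0xE3600005
Failed to RSA sign the hash for IKE phase 1 negotiation using my certificate.
32 14:25:49.187 01/07/10 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=6473C3B48C8C1075
R_Cookie=9EBD9CB7CEFA7EC2) reason = DEL_REASON_IKE_NEG_FAILED
"""

def parse_entries(text):
    """Group each header line with its (possibly wrapped) message lines."""
    entries = []
    for raw in text.splitlines():
        line = re.sub(r"^(?:>\s*)+", "", raw).strip()  # tolerate mail quoting
        m = HEADER.match(line)
        if m:
            entries.append({**m.groupdict(), "seq": int(m["seq"]), "text": ""})
        elif line and entries:
            entries[-1]["text"] = (entries[-1]["text"] + " " + line).strip()
    return entries

def find_empty_signatures(entries):
    """Tie each zero-length signature to what follows it, up to the SA teardown."""
    findings, open_finding = [], None
    for e in entries:
        sig = SIG_LEN.search(e["text"])
        if e["module"] == "CERT" and sig and int(sig.group(1)) == 0:
            open_finding = {"seq": e["seq"], "followed_by": [], "teardown": None}
            findings.append(open_finding)
        elif open_finding is not None:
            sa = SA_DELETE.search(e["text"])
            if sa:
                open_finding["teardown"] = dict(zip(("i_cookie", "r_cookie", "reason"), sa.groups()))
                open_finding = None
            else:
                open_finding["followed_by"].append((e["seq"], e["module"], e["msgid"]))
    return findings

if __name__ == "__main__":
    print(find_empty_signatures(parse_entries(SAMPLE_LOG)))
```

The output shows which connection attempts failed at the certificate signing step; it does not by itself say why the signing returned no data.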
