CSCei52413 is the ASA/PIX issue. It should be in 7.0(4) and beyond. CSCsw37419 is the client issue. It is fixed in code beyond 5.0.6.110; I don't know exactly what you are running with 5.x.160.
--
http://dcp.dcptech.com

> -----Original Message-----
> From: [email protected] [mailto:cisco-nsp-[email protected]] On Behalf Of Scott Granados
> Sent: Thursday, January 07, 2010 6:26 PM
> To: [email protected]
> Subject: [c-nsp] am I being bitten by this bug .CSCsw37419 (can't
> connect using certificates with VPN client)
>
> Hi,
> I am using a pair of ASA5520s and the Cisco VPN client (latest release
> 5.x.160).
> When I connect on the client side I see the following log entries.
>
> 25 14:25:48.843 01/07/10 Sev=Info/6 CERT/0x63600034
> Attempting to sign the hash for Windows XP or higher.
>
> 26 14:25:49.187 01/07/10 Sev=Info/6 CERT/0x63600035
> Done with the hash signing with signature length of 0.
>
> 27 14:25:49.187 01/07/10 Sev=Info/4 CERT/0xE3600005
> Failed to RSA sign the hash for IKE phase 1 negotiation using my
> certificate.
>
> 28 14:25:49.187 01/07/10 Sev=Warning/2 IKE/0xE300009B
> Failed to generate signature: Signature generation failed (SigUtil:97)
>
> 29 14:25:49.187 01/07/10 Sev=Warning/2 IKE/0xE300009B
> Failed to build Signature payload (MsgHandlerMM:489)
>
> 30 14:25:49.187 01/07/10 Sev=Warning/2 IKE/0xE300009B
> Failed to build MM msg5 (NavigatorMM:312)
>
> 31 14:25:49.187 01/07/10 Sev=Warning/2 IKE/0xE30000A7
> Unexpected SW error occurred while processing Identity Protection (Main
> Mode) negotiator:(Navigator:2263)
>
> 32 14:25:49.187 01/07/10 Sev=Info/4 IKE/0x63000017
> Marking IKE SA for deletion (I_Cookie=6473C3B48C8C1075
> R_Cookie=9EBD9CB7CEFA7EC2) reason = DEL_REASON_IKE_NEG_FAILED
>
> When I Googled I found mention of issues if a cert uses a 4096-bit key. My
> CA server has a root cert 4096 bits in length. Have I identified the
> problem, or are there other things I should test before I have our Windows
> admin revoke the main root cert and start creating from scratch? We're in a
> testing phase for both the CA and ASA, so starting over is not a big deal, but
> before I create extra work I want to have some evidence.
> Any pointers would be appreciated.
>
> Thank you
> Scott
>
> _______________________________________________
> cisco-nsp mailing list [email protected]
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
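As an added example (not part of either message in this thread): the original poster suspects a 4096-bit key somewhere in the certificate chain but wants evidence before revoking the root CA. The script below reports the public key size of every certificate in a PEM bundle, so the chain presented to the VPN client (identity cert plus CA chain) can be checked against a chosen limit before anyone touches the CA. It assumes only the `openssl` command-line tool; the certificates it generates are constructed test material, and the file names, subjects and the `pubkey_bits`/`check_bundle` function names are hypothetical. It does not confirm the bug itself, only whether the suspected key length is actually present.

```shell
#!/bin/sh
# Added example, not from the thread: report the public key length of every
# certificate in a PEM bundle and count those over a limit. Requires openssl.
set -eu

# Print the public key size in bits of the first certificate in file $1.
# Parses the "Public-Key: (NNNN bit)" line of `openssl x509 -text`.
pubkey_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Split a PEM bundle ($1) into its certificates, print subject and key size
# of each to stderr, and print the number of certificates whose key exceeds
# $2 bits (default 2048) to stdout.
check_bundle() {
    bundle=$1
    limit=${2:-2048}
    dir=$(mktemp -d)
    # Each BEGIN line starts a new numbered file; anything before the first
    # certificate lands in "cert.pem", which the glob below ignores.
    awk -v dir="$dir" '/-----BEGIN CERTIFICATE-----/{n++} {print > (dir "/cert" n ".pem")}' "$bundle"
    over=0
    for c in "$dir"/cert[1-9]*.pem; do
        [ -f "$c" ] || continue
        subj=$(openssl x509 -in "$c" -noout -subject)
        bits=$(pubkey_bits "$c")
        if [ -n "$bits" ] && [ "$bits" -gt "$limit" ]; then
            over=$((over + 1))
            printf '%s: %s-bit key (exceeds %s)\n' "$subj" "$bits" "$limit" >&2
        else
            printf '%s: %s-bit key\n' "$subj" "${bits:-unknown}" >&2
        fi
    done
    rm -rf "$dir"
    echo "$over"
}

# Constructed test material (hypothetical names, not from the post): a
# 4096-bit self-signed "root" and a 2048-bit client certificate, bundled the
# way a client's identity cert and CA chain would be presented together.
WORK=$(mktemp -d)
openssl req -x509 -newkey rsa:4096 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
    -subj "/CN=Constructed Root CA" -days 1 >/dev/null 2>&1
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/client.key" -out "$WORK/client.pem" \
    -subj "/CN=constructed-vpn-client" -days 1 >/dev/null 2>&1
cat "$WORK/client.pem" "$WORK/ca.pem" > "$WORK/chain.pem"

# Run the check with a 2048-bit limit; the root in this bundle should be flagged.
OVER=$(check_bundle "$WORK/chain.pem" 2048)
echo "certificates with keys over 2048 bits: $OVER"
```

To use it against a real deployment, point `check_bundle` at the PEM export of the client identity certificate concatenated with the CA chain the ASA trustpoint uses; a non-zero count tells you which certificate carries the large key before anything is revoked or re-issued.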
