Certificate/Signature Authentication Error on ASA5500 and VPN client

 
 
Young (Guest), 01-17-2008
Hi,
I got an error message when I enabled the Local Certificate Authority on
the ASA5500 and had a client connect to the VPN using a certificate.
I don't know whether anybody has encountered the same issue with the ASA5500
local certificate authority service, or what I have to check based on the
error messages on the ASA5500 and the client end.
Any input will be greatly appreciated!

Thank you,
Young.


ASA 5500 Debug Log

113019|||Group = , Username = , IP = 0.0.0.0, Session disconnected.
Session Type: , Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0,
Reason: Unknown
713903|||Group = TestRemoteVPN, IP = RemoteClient-IP-Address, Error:
Unable to remove PeerTblEntry
713902|||Group = TestRemoteVPN, IP = RemoteClient-IP-Address, Removing
peer from peer table failed, no match!
713050|||Group = TestRemoteVPN, IP = RemoteClient-IP-Address,
Connection terminated for peer . Reason: Peer Terminate Remote Proxy
N/A, Local Proxy N/A
713068|||Group = TestRemoteVPN, IP = RemoteClient-IP-Address, Received
non-routine Notify message: Authentication failed (24)
713068|||Group = TestRemoteVPN, IP = RemoteClient-IP-Address, Received
non-routine Notify message: Invalid signature (25)
717028|||Certificate chain was successfully validated with warning,
revocation status was not checked.
717022|||Certificate was successfully validated. serial number: 02,
subject name: cn=Tester.
302015|RemoteClient-IP-Address|Firewall-WAN-IP-Address|Built inbound
UDP connection 3979 for WAN:RemoteClient-IP-Address/500 (RemoteClient-
IP-Address/500) to NP Identity Ifc:Firewall-WAN-IP-Address/500
(Firewall-WAN-IP-Address/500)

Cisco VPN client log

1 Sev=Info/4 CERT/0x63600014
Cert (cn=Tester) verification succeeded.
2 Sev=Info/4 CM/0x63100002
Begin connection process
3 Sev=Info/4 CVPND/0xE3400001
Microsoft IPSec Policy Agent service stopped successfully
4 Sev=Info/4 CM/0x63100004
Establish secure connection using Ethernet
5 Sev=Info/4 CM/0x63100024
Attempt connection with server "Firewall-WAN-IP-Address"
6 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with Firewall-WAN-IP-Address.
7 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (SA, VID(Xauth), VID(dpd), VID(Nat-T),
VID(Frag), VID(Unity)) to Firewall-WAN-IP-Address
8 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
9 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
10 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = Firewall-WAN-IP-Address
11 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (SA, VID(Frag)) from Firewall-WAN-IP-
Address
12 Sev=Info/5 IKE/0x63000001
Peer supports IKE fragmentation payloads
13 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (KE, NON, VID(?), VID(Unity)) to Firewall-
WAN-IP-Address
15 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = Firewall-WAN-IP-Address
16 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (KE, NON, CERT_REQ, VID(Unity),
VID(Xauth), VID(?), VID(?)) from Firewall-WAN-IP-Address
17 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
18 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
19 Sev=Info/5 IKE/0x63000081
Received IOS Vendor ID with unknown capabilities flag 0x20000001
20 14:15:16.390 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM *(ID, CERT, CERT_REQ, SIG,
NOTIFY:STATUS_INITIAL_CONTACT) to Firewall-WAN-IP-Address
21 14:15:16.390 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (FRAG) to Firewall-WAN-IP-Address
22 14:15:16.390 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (FRAG) to Firewall-WAN-IP-Address
23 14:15:16.390 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (FRAG) to Firewall-WAN-IP-Address
24 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = Firewall-WAN-IP-Address
25 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (FRAG) from Firewall-WAN-IP-Address
26 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = Firewall-WAN-IP-Address
27 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (FRAG) from Firewall-WAN-IP-Address
28 Sev=Info/5 IKE/0x63000072
All fragments received.
29 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM *(ID, CERT, SIG, VID(dpd)) from Firewall-
WAN-IP-Address
30 Sev=Info/4 CERT/0x6360000F
Discarding ROOT CA cert sent from peer.
31 Sev=Info/5 IKE/0x63000001
Peer supports DPD
32 Sev=Warning/3 IKE/0xE300007B
Failed to verify signature
33 Sev=Warning/2 IKE/0xE3000099
Failed to authenticate peer (Navigator:904)
34 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_SIGNATURE) to
Firewall-WAN-IP-Address
35 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:AUTH_FAILED) to Firewall-
WAN-IP-Address
36 Sev=Warning/2 IKE/0xE30000A5
Unexpected SW error occurred while processing Identity Protection
(Main Mode) negotiatorNavigator:2202)
37 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=468FC2257E0280A0
R_Cookie=C574AD95D8C78A49) reason = DEL_REASON_IKE_NEG_FAILED
38 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to Firewall-WAN-IP-Address
39 Sev=Info/4 IKE/0x6300004A
Discarding IKE SA negotiation (I_Cookie=468FC2257E0280A0
R_Cookie=C574AD95D8C78A49) reason = DEL_REASON_IKE_NEG_FAILED
40 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "Firewall-WAN-IP-Address"
because of "DEL_REASON_IKE_NEG_FAILED"
41 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
42 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
43 Sev=Info/4 IKE/0x63000085
Microsoft IPSec Policy Agent service started successfully
44 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
45 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
46 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
47 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
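
A triage helper for the client log above, added here as an example and not part of the original post: it parses Cisco VPN Client log entries, rejoins hard-wrapped lines, and returns the first `Sev=Warning` entry together with the last IKE message exchanged before it. The function names and regular expressions are assumptions of this example, and the sample is a constructed excerpt of the posted log.

```python
import re

# Entry header: index, optional timestamp, severity/level, component/message code.
HEADER = re.compile(r"^(\d+)\s+(?:(\d\d:\d\d:\d\d\.\d+)\s+)?"
                    r"Sev=(\w+)/(\d)\s+(\w+)/(0x[0-9A-Fa-f]+)$")
# IKE trace line: direction, exchange type (MM, INFO, ...), payload list.
IKE_MSG = re.compile(r"^(SENDING|RECEIVING) (?:>>>|<<<) ISAKMP OAK (\w+) "
                     r"\*?\((.*)\) (?:to|from) ")

# Constructed excerpt of the client log in the post (entry 29 keeps its line wrap).
SAMPLE = """\
20 14:15:16.390 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM *(ID, CERT, CERT_REQ, SIG, NOTIFY:STATUS_INITIAL_CONTACT) to Firewall-WAN-IP-Address
29 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM *(ID, CERT, SIG, VID(dpd)) from Firewall-
WAN-IP-Address
30 Sev=Info/4 CERT/0x6360000F
Discarding ROOT CA cert sent from peer.
32 Sev=Warning/3 IKE/0xE300007B
Failed to verify signature
33 Sev=Warning/2 IKE/0xE3000099
Failed to authenticate peer (Navigator:904)
"""

def parse(log):
    """Split the log into entries, rejoining hard-wrapped message lines."""
    entries = []
    for line in (l.strip() for l in log.splitlines()):
        m = HEADER.match(line)
        if m:
            entries.append({"n": int(m[1]), "sev": m[3],
                            "code": f"{m[5]}/{m[6]}", "msg": ""})
        elif entries and line:
            e = entries[-1]
            # A line ending in "-" was wrapped inside a token: join without a space.
            sep = "" if not e["msg"] or e["msg"].endswith("-") else " "
            e["msg"] += sep + line
    return entries

def first_failure(entries):
    """Return (first Warning entry, last IKE message seen before it)."""
    last_ike = None
    for e in entries:
        m = IKE_MSG.match(e["msg"])
        if m:
            last_ike = {"n": e["n"], "dir": m[1], "exchange": m[2],
                        "payloads": m[3].split(", ")}
        if e["sev"] == "Warning":
            return e, last_ike
    return None, last_ike

if __name__ == "__main__":
    print(first_failure(parse(SAMPLE)))
```

On the posted log this returns entry 32 ("Failed to verify signature") preceded by entry 29, the Main Mode message received from the ASA carrying ID, CERT and SIG, so the client is the side rejecting the signature, which matches the "Invalid signature (25)" notify the ASA logs under 713068.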
 