Certificate/Signature Authentication Error on ASA5500 and VPN client

Discussion in 'Cisco' started by Young, Jan 17, 2008.

  1. Young


    Hi,
    I got an error message when I enabled the Local Certificate Authority
    on the ASA5500 and had a client connect to the VPN using a certificate.
    I don't know whether anybody has encountered the same issue with the
    ASA5500 local certificate authority service. What do I have to check,
    based on the error messages on the ASA5500 and the client end?
    Any input will be greatly appreciated!

    Thank you,
    Young.


    ASA 5500 Debug Log

    113019|||Group = , Username = , IP = 0.0.0.0, Session disconnected.
    Session Type: , Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0,
    Reason: Unknown
    713903|||Group = TestRemoteVPN, IP = RemoteClient-IP-Address, Error:
    Unable to remove PeerTblEntry
    713902|||Group = TestRemoteVPN, IP = RemoteClient-IP-Address, Removing
    peer from peer table failed, no match!
    713050|||Group = TestRemoteVPN, IP = RemoteClient-IP-Address,
    Connection terminated for peer . Reason: Peer Terminate Remote Proxy
    N/A, Local Proxy N/A
    713068|||Group = TestRemoteVPN, IP = RemoteClient-IP-Address, Received
    non-routine Notify message: Authentication failed (24)
    713068|||Group = TestRemoteVPN, IP = RemoteClient-IP-Address, Received
    non-routine Notify message: Invalid signature (25)
    717028|||Certificate chain was successfully validated with warning,
    revocation status was not checked.
    717022|||Certificate was successfully validated. serial number: 02,
    subject name: cn=Tester.
    302015|RemoteClient-IP-Address|Firewall-WAN-IP-Address|Built inbound
    UDP connection 3979 for WAN:RemoteClient-IP-Address/500 (RemoteClient-
    IP-Address/500) to NP Identity Ifc:Firewall-WAN-IP-Address/500
    (Firewall-WAN-IP-Address/500)

    Cisco VPN client log

    1 Sev=Info/4 CERT/0x63600014
    Cert (cn=Tester) verification succeeded.
    2 Sev=Info/4 CM/0x63100002
    Begin connection process
    3 Sev=Info/4 CVPND/0xE3400001
    Microsoft IPSec Policy Agent service stopped successfully
    4 Sev=Info/4 CM/0x63100004
    Establish secure connection using Ethernet
    5 Sev=Info/4 CM/0x63100024
    Attempt connection with server "Firewall-WAN-IP-Address"
    6 Sev=Info/6 IKE/0x6300003B
    Attempting to establish a connection with Firewall-WAN-IP-Address.
    7 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK MM (SA, VID(Xauth), VID(dpd), VID(Nat-T),
    VID(Frag), VID(Unity)) to Firewall-WAN-IP-Address
    8 Sev=Info/4 IPSEC/0x63700008
    IPSec driver successfully started
    9 Sev=Info/4 IPSEC/0x63700014
    Deleted all keys
    10 Sev=Info/5 IKE/0x6300002F
    Received ISAKMP packet: peer = Firewall-WAN-IP-Address
    11 Sev=Info/4 IKE/0x63000014
    RECEIVING <<< ISAKMP OAK MM (SA, VID(Frag)) from Firewall-WAN-IP-
    Address
    12 Sev=Info/5 IKE/0x63000001
    Peer supports IKE fragmentation payloads
    13 Sev=Info/6 IKE/0x63000001
    IOS Vendor ID Contruction successful
    14 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK MM (KE, NON, VID(?), VID(Unity)) to Firewall-
    WAN-IP-Address
    15 Sev=Info/5 IKE/0x6300002F
    Received ISAKMP packet: peer = Firewall-WAN-IP-Address
    16 Sev=Info/4 IKE/0x63000014
    RECEIVING <<< ISAKMP OAK MM (KE, NON, CERT_REQ, VID(Unity),
    VID(Xauth), VID(?), VID(?)) from Firewall-WAN-IP-Address
    17 Sev=Info/5 IKE/0x63000001
    Peer is a Cisco-Unity compliant peer
    18 Sev=Info/5 IKE/0x63000001
    Peer supports XAUTH
    19 Sev=Info/5 IKE/0x63000081
    Received IOS Vendor ID with unknown capabilities flag 0x20000001
    20 14:15:16.390 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK MM *(ID, CERT, CERT_REQ, SIG,
    NOTIFY:STATUS_INITIAL_CONTACT) to Firewall-WAN-IP-Address
    21 14:15:16.390 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK MM (FRAG) to Firewall-WAN-IP-Address
    22 14:15:16.390 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK MM (FRAG) to Firewall-WAN-IP-Address
    23 14:15:16.390 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK MM (FRAG) to Firewall-WAN-IP-Address
    24 Sev=Info/5 IKE/0x6300002F
    Received ISAKMP packet: peer = Firewall-WAN-IP-Address
    25 Sev=Info/4 IKE/0x63000014
    RECEIVING <<< ISAKMP OAK MM (FRAG) from Firewall-WAN-IP-Address
    26 Sev=Info/5 IKE/0x6300002F
    Received ISAKMP packet: peer = Firewall-WAN-IP-Address
    27 Sev=Info/4 IKE/0x63000014
    RECEIVING <<< ISAKMP OAK MM (FRAG) from Firewall-WAN-IP-Address
    28 Sev=Info/5 IKE/0x63000072
    All fragments received.
    29 Sev=Info/4 IKE/0x63000014
    RECEIVING <<< ISAKMP OAK MM *(ID, CERT, SIG, VID(dpd)) from Firewall-
    WAN-IP-Address
    30 Sev=Info/4 CERT/0x6360000F
    Discarding ROOT CA cert sent from peer.
    31 Sev=Info/5 IKE/0x63000001
    Peer supports DPD
    32 Sev=Warning/3 IKE/0xE300007B
    Failed to verify signature
    33 Sev=Warning/2 IKE/0xE3000099
    Failed to authenticate peer (Navigator:904)
    34 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_SIGNATURE) to
    Firewall-WAN-IP-Address
    35 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:AUTH_FAILED) to Firewall-
    WAN-IP-Address
    36 Sev=Warning/2 IKE/0xE30000A5
    Unexpected SW error occurred while processing Identity Protection
    (Main Mode) negotiator:(Navigator:2202)
    37 Sev=Info/4 IKE/0x63000017
    Marking IKE SA for deletion (I_Cookie=468FC2257E0280A0
    R_Cookie=C574AD95D8C78A49) reason = DEL_REASON_IKE_NEG_FAILED
    38 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to Firewall-WAN-IP-Address
    39 Sev=Info/4 IKE/0x6300004A
    Discarding IKE SA negotiation (I_Cookie=468FC2257E0280A0
    R_Cookie=C574AD95D8C78A49) reason = DEL_REASON_IKE_NEG_FAILED
    40 Sev=Info/4 CM/0x63100014
    Unable to establish Phase 1 SA with server "Firewall-WAN-IP-Address"
    because of "DEL_REASON_IKE_NEG_FAILED"
    41 Sev=Info/5 CM/0x63100025
    Initializing CVPNDrv
    42 Sev=Info/4 IKE/0x63000001
    IKE received signal to terminate VPN connection
    43 Sev=Info/4 IKE/0x63000085
    Microsoft IPSec Policy Agent service started successfully
    44 Sev=Info/4 IPSEC/0x63700014
    Deleted all keys
    45 Sev=Info/4 IPSEC/0x63700014
    Deleted all keys
    46 Sev=Info/4 IPSEC/0x63700014
    Deleted all keys
    47 Sev=Info/4 IPSEC/0x6370000A
    IPSec driver successfully stopped
     
    Young, Jan 17, 2008
    #1