From: Young on 17 Jan 2008 16:21

Hi,

I got an error message when I enabled Local Certificate Authority on ASA5500 and had a client connect to the VPN using a certificate. I don't know if anybody has encountered the same issue with ASA5500 local certificate authority services, or what I have to check based on the error messages on the ASA5500 and the client end. Any input will be greatly appreciated!

Thank you,
Young.

ASA 5500 Debug Log

113019|||Group = , Username = , IP = 0.0.0.0, Session disconnected. Session Type: , Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown
713903|||Group = TestRemoteVPN, IP = RemoteClient-IP-Address, Error: Unable to remove PeerTblEntry
713902|||Group = TestRemoteVPN, IP = RemoteClient-IP-Address, Removing peer from peer table failed, no match!
713050|||Group = TestRemoteVPN, IP = RemoteClient-IP-Address, Connection terminated for peer . Reason: Peer Terminate Remote Proxy N/A, Local Proxy N/A
713068|||Group = TestRemoteVPN, IP = RemoteClient-IP-Address, Received non-routine Notify message: Authentication failed (24)
713068|||Group = TestRemoteVPN, IP = RemoteClient-IP-Address, Received non-routine Notify message: Invalid signature (25)
717028|||Certificate chain was successfully validated with warning, revocation status was not checked.
717022|||Certificate was successfully validated. serial number: 02, subject name: cn=Tester.
302015|RemoteClient-IP-Address|Firewall-WAN-IP-Address|Built inbound UDP connection 3979 for WAN:RemoteClient-IP-Address/500 (RemoteClient-IP-Address/500) to NP Identity Ifc:Firewall-WAN-IP-Address/500 (Firewall-WAN-IP-Address/500)

Cisco VPN client log

1 Sev=Info/4 CERT/0x63600014 Cert (cn=Tester) verification succeeded.
2 Sev=Info/4 CM/0x63100002 Begin connection process
3 Sev=Info/4 CVPND/0xE3400001 Microsoft IPSec Policy Agent service stopped successfully
4 Sev=Info/4 CM/0x63100004 Establish secure connection using Ethernet
5 Sev=Info/4 CM/0x63100024 Attempt connection with server "Firewall-WAN-IP-Address"
6 Sev=Info/6 IKE/0x6300003B Attempting to establish a connection with Firewall-WAN-IP-Address.
7 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK MM (SA, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to Firewall-WAN-IP-Address
8 Sev=Info/4 IPSEC/0x63700008 IPSec driver successfully started
9 Sev=Info/4 IPSEC/0x63700014 Deleted all keys
10 Sev=Info/5 IKE/0x6300002F Received ISAKMP packet: peer = Firewall-WAN-IP-Address
11 Sev=Info/4 IKE/0x63000014 RECEIVING <<< ISAKMP OAK MM (SA, VID(Frag)) from Firewall-WAN-IP-Address
12 Sev=Info/5 IKE/0x63000001 Peer supports IKE fragmentation payloads
13 Sev=Info/6 IKE/0x63000001 IOS Vendor ID Contruction successful
14 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK MM (KE, NON, VID(?), VID(Unity)) to Firewall-WAN-IP-Address
15 Sev=Info/5 IKE/0x6300002F Received ISAKMP packet: peer = Firewall-WAN-IP-Address
16 Sev=Info/4 IKE/0x63000014 RECEIVING <<< ISAKMP OAK MM (KE, NON, CERT_REQ, VID(Unity), VID(Xauth), VID(?), VID(?)) from Firewall-WAN-IP-Address
17 Sev=Info/5 IKE/0x63000001 Peer is a Cisco-Unity compliant peer
18 Sev=Info/5 IKE/0x63000001 Peer supports XAUTH
19 Sev=Info/5 IKE/0x63000081 Received IOS Vendor ID with unknown capabilities flag 0x20000001
20 14:15:16.390 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK MM *(ID, CERT, CERT_REQ, SIG, NOTIFY:STATUS_INITIAL_CONTACT) to Firewall-WAN-IP-Address
21 14:15:16.390 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK MM (FRAG) to Firewall-WAN-IP-Address
22 14:15:16.390 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK MM (FRAG) to Firewall-WAN-IP-Address
23 14:15:16.390 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK MM (FRAG) to Firewall-WAN-IP-Address
24 Sev=Info/5 IKE/0x6300002F Received ISAKMP packet: peer = Firewall-WAN-IP-Address
25 Sev=Info/4 IKE/0x63000014 RECEIVING <<< ISAKMP OAK MM (FRAG) from Firewall-WAN-IP-Address
26 Sev=Info/5 IKE/0x6300002F Received ISAKMP packet: peer = Firewall-WAN-IP-Address
27 Sev=Info/4 IKE/0x63000014 RECEIVING <<< ISAKMP OAK MM (FRAG) from Firewall-WAN-IP-Address
28 Sev=Info/5 IKE/0x63000072 All fragments received.
29 Sev=Info/4 IKE/0x63000014 RECEIVING <<< ISAKMP OAK MM *(ID, CERT, SIG, VID(dpd)) from Firewall-WAN-IP-Address
30 Sev=Info/4 CERT/0x6360000F Discarding ROOT CA cert sent from peer.
31 Sev=Info/5 IKE/0x63000001 Peer supports DPD
32 Sev=Warning/3 IKE/0xE300007B Failed to verify signature
33 Sev=Warning/2 IKE/0xE3000099 Failed to authenticate peer (Navigator:904)
34 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_SIGNATURE) to Firewall-WAN-IP-Address
35 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:AUTH_FAILED) to Firewall-WAN-IP-Address
36 Sev=Warning/2 IKE/0xE30000A5 Unexpected SW error occurred while processing Identity Protection (Main Mode) negotiator:(Navigator:2202)
37 Sev=Info/4 IKE/0x63000017 Marking IKE SA for deletion (I_Cookie=468FC2257E0280A0 R_Cookie=C574AD95D8C78A49) reason = DEL_REASON_IKE_NEG_FAILED
38 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to Firewall-WAN-IP-Address
39 Sev=Info/4 IKE/0x6300004A Discarding IKE SA negotiation (I_Cookie=468FC2257E0280A0 R_Cookie=C574AD95D8C78A49) reason = DEL_REASON_IKE_NEG_FAILED
40 Sev=Info/4 CM/0x63100014 Unable to establish Phase 1 SA with server "Firewall-WAN-IP-Address" because of "DEL_REASON_IKE_NEG_FAILED"
41 Sev=Info/5 CM/0x63100025 Initializing CVPNDrv
42 Sev=Info/4 IKE/0x63000001 IKE received signal to terminate VPN connection
43 Sev=Info/4 IKE/0x63000085 Microsoft IPSec Policy Agent service started successfully
44 Sev=Info/4 IPSEC/0x63700014 Deleted all keys
45 Sev=Info/4 IPSEC/0x63700014 Deleted all keys
46 Sev=Info/4 IPSEC/0x63700014 Deleted all keys
47 Sev=Info/4 IPSEC/0x6370000A IPSec driver successfully stopped