EXPWYC Traversal Zone TLS negotiation Failed

Enter the Fully Qualified Domain Name (FQDN) of the traversal server. If you are using secure traversal, then this value must be either the Common Name or one of the Subject Alternate Names on the traversal server's certificate. IP addresses or hostnames are therefore not recommended.
If the traversal server is a cluster of Expressway-Es, this is the FQDN of one of the peers in that cluster.
Range: 0 to 255 characters
Hello,
I have an issue with the EXPWYC Traversal Zone: once I configured it and saved, I got the following error:
SIP: Failed to connect to (IP<x.x.x.x>):7001 : Connect failed
What could be the reason for this, and where should I look?
Thanks all

You can try the following.
1. First, try to confirm network reachability to the LAN-facing Ethernet interface of the Exp-E. You can use the ping and traceroute tools; also try pinging the hostname of the Expressway-E (this should help you check that you have the correct DNS records): it should resolve to the internal IP.
2. You should look in the 1st DMZ; the Cisco Expressway guide provides the ports that are required to be open or mapped (http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-1/Cisco-Expressway-Basic-Configuration-Deployment-Guide-X8-1.pdf). Kindly make sure yours are.
3. If the above are fine, make sure you have configured the Traversal Zone on the Exp-E to use the same port as you did on the Exp-C.
4. You can look at Status > Logs > Network logs to see the network data.

Similar Messages

  • VCS' certificates for traversal zone / unable to connect to server TLS negotiation failure

    Hi,
    I am trying to connect two traversal zones, VCSE as the server and VCSC as the client, but I am getting the following error:
    VCSE:
    tvcs: Event="Inbound TLS Negotiation Error" Service="SIP" Src-ip="10.1.1.1" Src-port="25234" Dst-ip="10.1.1.10" Dst-port="7001" Detail="tlsv1 alert unknown ca" Protocol="TLS" Level="1" UTCTime="2015-01-28 18:51:09,080"
    VCSC:
    2015-01-28T14:32:09-04:30tvcs: Event="Outbound TLS Negotiation Error" Service="SIP" Src-ip="192.168.1.2" Src-port="25267" Dst-ip="10.1.1.10" Dst-port="7001" Detail="unable to get local issuer certificate" Protocol="TLS" Common-name="name-vcse.myname.com" Level="1" UTCTime="2015-01-28 19:02:09,081"
    I followed the steps in this document: "http://www.cisco.com/c/dam/en/us/td/docs/telepresence/infrastructure/vcs/config_guide/X8-2/Cisco-VCS-Certificate-Creation-and-Use-Deployment-Guide-X8-2.pdf" and tried with Windows Server Authentication and Client Authentication, and with OpenSSL, but got the same results.
    From my firewall I can telnet to 10.1.1.10 port 7001, and also from a device on the 192.168.1.0 network to 10.1.1.10 port 7001 (not a firewall issue, I think).
    I also tested the certificate on my VCSC and got the following error:
    Invalid: The client certificate is not signed by a CA in the trusted CA list. 
    Any ideas?
    Regards,

    Anthony,
    You're missing the Certificate Authority certificate that signed one of the servers' certs. Presumably what is missing is the CA (root) certificate that signed the Expressway-E's cert. Here is a general rule of thumb.
    The certificate of the signer of the VCS-C/Expressway-C certificate should be present on the VCS-E/Expressway-E under the Trusted CA section.
    The certificate of the signer of the VCS-E/Expressway-E certificate should be present on the VCS-C/Expressway-C under the Trusted CA section.
    It's not uncommon that you could be dealing with a condition where one of the servers' certs was signed by an intermediate. If this is the case you simply need to follow the chain of the certificates and make sure they are all included within the Trusted CA list on the respective server. The main things to look at with the certificates are the Common Names of the Subject and Issuer. Below is an example of a fake certificate.
    VCS-E/Expressway-E Cert
    Issuer: CN=RootCAIntermediate – G5     <-- Signer
    Subject: CN=Expressway-E.domain.com
    RootCAIntermediate –G5 Certificate
    Issuer: CN=RootCAIntermediate Trust    <-- Signer
    Subject: CN=RootCAIntermediate – G5
    RootCAIntermediate Trust
    Issuer: CN=RootCA   <-- Signer
    Subject: CN=RootCAIntermediate Trust
    RootCA Certificate
    Issuer: CN=RootCA   <-- Signer
    Subject: CN=RootCA
    If you are missing any one of these, you will get the unknown CA error. When the RootCA (the real root) is uploaded to the VCS/Expressway server, its Issuer will be RootCA and the Subject will be "Matches Issuer".
    I hope this can help you.
    -P
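As an added example (not from the thread or from Cisco), here is a Python model of the two checks behind these errors: matching the zone's configured peer address against the certificate's CN or SANs (the requirement stated at the top of the page), and walking Issuer to Subject through the Trusted CA list until a self-signed root is reached, which is the chain rule in the answer above. The certificate data is constructed from the fake chain in the answer; names such as exp-e.domain.com are assumptions.

```python
"""Model of the two certificate checks a traversal zone makes before TLS
succeeds: the peer name must match CN/SAN, and every signer in the peer's
chain must be in the local Trusted CA list up to a self-signed root.
Certificates are modelled as dicts; sample data is constructed from the
fake chain in the thread (not real certificates)."""

from typing import Dict, List

# Constructed sample chain, following the fake certificate in the answer.
EXPRESSWAY_E = {
    "subject": "Expressway-E.domain.com",
    "issuer": "RootCAIntermediate - G5",
    "san": ["Expressway-E.domain.com", "exp-e.domain.com"],  # assumed SANs
}
INTERMEDIATE_G5 = {"subject": "RootCAIntermediate - G5",
                   "issuer": "RootCAIntermediate Trust", "san": []}
INTERMEDIATE_TRUST = {"subject": "RootCAIntermediate Trust",
                      "issuer": "RootCA", "san": []}
ROOT_CA = {"subject": "RootCA", "issuer": "RootCA", "san": []}


def is_self_signed(cert: Dict) -> bool:
    """A real root's Subject 'matches Issuer', as the answer puts it."""
    return cert["subject"] == cert["issuer"]


def build_chain(leaf: Dict, trusted: List[Dict]) -> Dict:
    """Walk from the leaf towards a self-signed root, looking each issuer
    up in the Trusted CA list. Reports the first issuer that is missing,
    which is the condition behind 'unknown ca' on the receiving side and
    'unable to get local issuer certificate' on the connecting side."""
    by_subject = {c["subject"]: c for c in trusted}
    chain = [leaf]
    seen = {leaf["subject"]}
    current = leaf
    while not is_self_signed(current):
        signer = by_subject.get(current["issuer"])
        if signer is None:
            return {"ok": False, "chain": chain, "missing": current["issuer"]}
        if signer["subject"] in seen:  # malformed loop: stop rather than spin
            return {"ok": False, "chain": chain, "missing": signer["subject"]}
        seen.add(signer["subject"])
        chain.append(signer)
        current = signer
    return {"ok": True, "chain": chain, "missing": None}


def name_matches(cert: Dict, peer_name: str) -> bool:
    """Match the zone's peer address against the CN and the SANs.
    A wildcard is honoured only for the left-most label. A bare IP address
    matches only if it appears literally, which is why the guide says to
    configure the FQDN rather than an IP."""
    peer = peer_name.lower().rstrip(".")
    for name in [cert["subject"]] + list(cert["san"]):
        name = name.lower().rstrip(".")
        if name == peer:
            return True
        if name.startswith("*.") and "*" not in peer:
            suffix = name[1:]  # e.g. ".domain.com"
            head = peer[:-len(suffix)] if peer.endswith(suffix) else ""
            if head and "." not in head:
                return True
    return False
```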

  • Exp neighbor zone TLS error

    I'm trying to create a TLS neighbor zone between Exp-C and Jabber Guest.  I have my own internal CA signed certs on JG and Exp, but TLS is failing and Exp is throwing this error in the logs: No SSL error available, probably remote disconnect.  TCP works fine.  I've generated the CSR twice for JG and rebooted twice as well.  Not sure what is going on.  Thanks,  Mike

    Ah, needed to read a little further in the JG install guide :)  I forgot to upload the CA root cert.  I would recommend adding this step to the install guide prior to configuring the neighbor zone on the expressway (or at least a note about it).  Then the neighbor zone won't error out.

  • Polycom CX600 The connection was closed before TLS negotiation completed

    Hello guys,
    I'm trying to log in with a CX600 at a remote location on an SBA, but the log is showing the following message:
    The connection was closed before TLS negotiation completed .
    Did the remote peer accept our certificate ?
    scenario :
    Offline CA : OfflineIssueCA
    Subordinate CA : DomainIssueCA
    AD DOMAIN : domain.local
    SIP DOMAIN : domainA.com
    SIP DOMAIN : domainB.com
    Pool: pool01.domain.local
    SBA : mysba.domain.local
    SBA Certificate :
    SN : mysba.domain.local
    SAN : sip.domainA.com
    SAN : sip.domainB.com
    DNS :
    sip.domainA.com => ip of mysba.domain.local
    _sipinternaltls._tcp.domainA.com => sip.domainA.com
    DHCP :
    option offer 120 mysba.domain.local
    option offer 43 https://pool01.domain.local:443/CertProv/CertProvisioningService.svc
    Checking the LPE log I see the following error most often:
    ERROR :: :: OUTGOING_TRANSACTION OnRequestConnectionConnectComplete - connection failed error 80ee0065
    And the SBA log SIPStack :
    The connection was closed before TLS negotiation completed .
    Did the remote peer accept our certificate ?
    I believe that the phone is not downloading the private certificate chain:
    DUCD_LOG_INFO : 28/05/2014 | 04:50:30 Aries : 05/28/2014 | 04:50:30.885 C4000A : 5C02336 :: INFO :: CCertInstaller LdapGetValsfromMesg : AddRootCerttoStore ( DER . ) succeeded hr = 0x0
    DUCD_LOG_ERROR : 28/05/2014 | 04:50:30 Aries : 28/05/2014 | 04:50:30.886 C4000A : 5C02336 CLogOnManager :: ERROR :: HandleCertEvent : CertInstaller gave callback with Error code = 5
    DUCD_LOG_INFO : 28/05/2014 | 04:50:30 Aries : 05/28/2014 | 04:50:30.907 C4000A : 5C02336 :: INFO :: CCertInstaller AddSingleCerttoStore : Adding Single Certificate Successful
    DUCD_LOG_INFO : 05/28/2014 | 04:50:30 Aries : 05/28/2014 | 04:50:30.908 C4000A : 5C02336 :: INFO :: CCertInstaller LdapGetValsfromMesg : AddRootCerttoStore ( . RSP) succeeded hr = 0x0
    DUCD_LOG_ERROR : 05/28/2014 | 04:50:30 Aries : 28/05/2014 | 04:50:30.908 C4000A : 5C02336 CLogOnManager :: ERROR :: HandleCertEvent : CertInstaller gave callback with Error code = 5
    DUCD_LOG_INFO : 28/05/2014 | 04:50:30 Aries : 28/05/2014 | 04:50:30.928 C4000A : 5C02336 :: INFO :: CCertInstaller AddSingleCerttoStore : Adding Single Certificate Successful
    DUCD_LOG_INFO : 28/05/2014 | 04:50:30 Aries : 28/05/2014 | 04:50:30.929 C4000A : 5C02336 :: INFO :: CCertInstaller LdapGetValsfromMesg : AddRootCerttoStore ( . RSP) succeeded hr = 0x0
    DUCD_LOG_ERROR : 05/28/2014 | 04:50:30 Aries : 05/28/2014 | 04:50:30.930 C4000A : 5C02336 CLogOnManager :: ERROR :: HandleCertEvent : CertInstaller gave callback with Error code = 5
    DUCD_LOG_INFO : 28/05/2014 | 04:50:30 Aries : 05/28/2014 | 04:50:30.950 C4000A : 5C02336 :: INFO :: CCertInstaller AddSingleCerttoStore : Adding Single Certificate Successful
    DUCD_LOG_INFO : 05/28/2014 | 04:50:30 Aries : 28/05/2014 | 04:50:30.951 C4000A : 5C02336 :: INFO :: CCertInstaller LdapGetValsfromMesg : AddRootCerttoStore ( . RSP) succeeded hr = 0x0
    DUCD_LOG_INFO : 28/05/2014 | 04:50:30 Aries : 28/05/2014 | 04:50:30.956 C4000A : 5520002 :: INFO :: CLogOnManager OnCertStatusEvent : Received notification from CertInstaller with state = 0x5
    DUCD_LOG_INFO : 28/05/2014 | 04:50:30 Aries : 05/28/2014 | 04:50:30.957 C4000A : 5520002 :: INFO :: CCertStateImplementor HandleCertEvents : Received Status event from CertInstaller event from cert installer
    DUCD_LOG_INFO : 28/05/2014 | 04:50:30 Aries : 05/28/2014 | 04:50:30.957 C4000A : 5520002 :: INFO :: CLogOnScreen OnCertInstallerStateChange : OnCertInstallerStateChange status = 5
    Robson Hasselhoff - Follow me @Robk9e

    Login log below, connecting to sip.domainA.com:
    UCD_LOG_INFO: 05/28/2014|07:28:56 Uccapi: 05/28/2014|07:28:56.693 5510002:5520002 INFO  :: SockMgr: Create New Connection:DestName:(sip.domainA.com)DestPort:(5061)Transport:(2)httpTunnel:(0)TLS RemotePrincipalName:(sip.domainA.com)
    UCD_LOG_INFO: 05/28/2014|07:28:56 Uccapi: 05/28/2014|07:28:56.696 5510002:5520002 INFO  :: CSIPCompressor::Initialize - Compression setting 1, threshold 128000, timeout 5000
    UCD_LOG_INFO: 05/28/2014|07:28:56 Uccapi: 05/28/2014|07:28:56.699 5510002:5520002 INFO  :: CSIPAsyncSocket::Connect 00CCD6A0 connecting(async) window 7003B800 socket:00000F8D DestAddr:10.145.53.115:5061
    UCD_LOG_ERROR: 05/28/2014|07:28:56 Uccapi: 05/28/2014|07:28:56.717 5510002:56A000A ERROR :: SECURE_SOCKET: negotiation failed: 80090327, principal name: [sip.domainA.com]
    UCD_LOG_ERROR: 05/28/2014|07:28:56 Uccapi: 05/28/2014|07:28:56.718 5510002:5520002 ERROR :: CSIPTransportLayerSecurity::OnTlsNegotiationComplete (ccd720) failed with 0x80ee0065. Raising OnConnect with the same error
    UCD_LOG_ERROR: 05/28/2014|07:28:56 Uccapi: 05/28/2014|07:28:56.718 5510002:5520002 ERROR :: CSIPClientConnection::OnConnect (80ee0065) this: 00CCD540
    UCD_LOG_INFO: 05/28/2014|07:28:56 Uccapi: 05/28/2014|07:28:56.719 5510002:5520002 INFO  :: SIP_MSG_PROCESSOR::OnRequestConnectionConnectComplete - Enter this: 00CCC1E0, callid=(null), ErrorCode: 0x80ee0065
    UCD_LOG_ERROR: 05/28/2014|07:28:56 Uccapi: 05/28/2014|07:28:56.719 5510002:5520002 ERROR :: Releasing connection and notifying transactions
    UCD_LOG_ERROR: 05/28/2014|07:28:56 Uccapi: 05/28/2014|07:28:56.719 5510002:5520002 ERROR :: SIP_MSG_PROCESSOR::NotifyRequestConnectionConnectComplete - Error: 80ee0065
    UCD_LOG_ERROR: 05/28/2014|07:28:56 Uccapi: 05/28/2014|07:28:56.724 5510002:5520002 ERROR :: OUTGOING_TRANSACTION::OnRequestConnectionConnectComplete - connection failed error 80ee0065
    UCD_LOG_INFO: 05/28/2014|07:28:56 Uccapi: 05/28/2014|07:28:56.724 5510002:5520002 INFO  :: REGISTER_CONTEXT:State (4) => (5)
    UCD_LOG_INFO: 05/28/2014|07:28:56 Uccapi: 05/28/2014|07:28:56.724 5510002:5520002 INFO  :: REGISTER_CONTEXT(ccc1e0) SetAndNotify Recv(6) at State (5)
    UCD_LOG_INFO: 05/28/2014|07:28:56 Uccapi: 05/28/2014|07:28:56.724 5510002:5520002 INFO  :: REGISTER_CONTEXT:State (5) => (6)
    UCD_LOG_INFO: 05/28/2014|07:28:56 Uccapi: 05/28/2014|07:28:56.725 5510002:5520002 INFO  :: SIP_REGISTER:State (1) => (0)
    UCD_LOG_INFO: 05/28/2014|07:28:56 Uccapi: 05/28/2014|07:28:56.726 5510002:5520002 INFO  :: Function: CUccServiceOperationManager::DisableServManager
    UCD_LOG_INFO: 05/28/2014|07:28:56 Uccapi: 05/28/2014|07:28:56.726 5510002:5520002 INFO  :: Function: CUccServerEndpoint::UpdateEndpointState
    UCD_LOG_ERROR: 05/28/2014|07:28:56 Uccapi: 05/28/2014|07:28:56.726 5510002:5520002 ERROR :: HRESULT API failed: 80ee0061 = hr. DisableServManager
    UCD_LOG_INFO: 05/28/2014|07:28:56 Uccapi: 05/28/2014|07:28:56.727 5510002:5520002 INFO  :: CUccDnsResolverManager::Stop MR-INFO - [00CC7C10] DNS resolver manager stopped
    UCD_LOG_INFO: 05/28/2014|07:28:56 Uccapi: 05/28/2014|07:28:56.728 5510002:5520002 INFO  :: ~Out trxn corr-id (00CCD000)
    UCD_LOG_ERROR: 05/28/2014|07:28:56 Aries: 05/28/2014|07:28:56.728 5510002:5520002 ERROR :: WriteLogonSessionAssertionTrace: NModel::CEasyUccContext::Get[133] - ASSERTION FAILURE: IUccContext::get_Property() failed!. hr=0x80ee0058
    UCD_LOG_ERROR: 05/28/2014|07:28:56 Aries: 05/28/2014|07:28:56.729 5510002:5520002 ERROR :: WriteLogonSessionAssertionTrace: NModel::CEasyUccContext::Get[133] - ASSERTION FAILURE: IUccContext::get_Property() failed!. hr=0x80ee0058
    UCD_LOG_ERROR: 05/28/2014|07:28:56 Aries: 05/28/2014|07:28:56.729 5510002:5520002 ERROR :: WriteLogonSessionAssertionTrace: NModel::CEasyUccContext::Get[133] - ASSERTION FAILURE: IUccContext::get_Property() failed!. hr=0x80ee0058
    UCD_LOG_ERROR: 05/28/2014|07:28:56 Aries: 05/28/2014|07:28:56.729 5510002:5520002 ERROR :: WriteLogonSessionAssertionTrace: NModel::CEasyUccContext::Get[101] - ASSERTION FAILURE: IUccContext::get_Property() failed!. hr=0x80ee0058
    UCD_LOG_ERROR: 05/28/2014|07:28:56 Aries: 05/28/2014|07:28:56.730 5510002:5520002 ERROR :: NModel::CBaseLogonSession::OnEnable: Logon failed with UCCP status/diag code 0x80ee0065/0
    UCD_LOG_INFO: 05/28/2014|07:28:56 Aries: 05/28/2014|07:28:56.731 5510002:5520002 INFO  :: NModel::CManagedCredential::SetResult: Logon success state 0 reported by user id=0 (adjusted=0) on CManagedCredential[SPECIFIC this=00AD1E40, domain=intranet.local, userName=robson.carvalho]
    UCD_LOG_ERROR: 05/28/2014|07:28:56 Aries: 05/28/2014|07:28:56.732 5510002:5520002 ERROR :: CServerConfigModel::LoadValue: UCCP object is not received yet. groupIndex=0, hr=80ee0061
    UCD_LOG_INFO: 05/28/2014|07:28:56 Aries: 05/28/2014|07:28:56.732 5510002:5520002 INFO  :: NModel::CLogonServerStatistic::SetResult: CLogonServerStatistic::SetResult sip.domainA.com:5061/3 0x80ee0065
    UCD_LOG_INFO: 05/28/2014|07:28:56 Aries: 05/28/2014|07:28:56.733 5510002:5520002 INFO  :: NModel::CLogonServerStatistic::ClearDedicatedServer: CLogonServerStatistic::ClearDedicatedServer
    UCD_LOG_INFO: 05/28/2014|07:28:56 Aries: 05/28/2014|07:28:56.734 5510002:5520002 INFO  :: NModel::CBaseLogonSession::DeactivateRecoveryMode: Recovery mode switched off
    UCD_LOG_INFO: 05/28/2014|07:28:56 Uccapi: 05/28/2014|07:28:56.735 5510002:5520002 INFO  :: Function: CUccEndpoint::Disable
    UCD_LOG_INFO: 05/28/2014|07:28:56 Aries: 05/28/2014|07:28:56.736 5510002:5520002 INFO  :: NModel::CBaseLogonSession::DeactivateRecoveryMode: Recovery mode switched off
    UCD_LOG_INFO: 05/28/2014|07:28:56 Aries: 05/28/2014|07:28:56.737 5510002:5520002 INFO  :: CCallManager::OnEvent: CCallManager::OnEvent - Received logon-session event 0.
    UCD_LOG_INFO: 05/28/2014|07:28:56 Aries: 05/28/2014|07:28:56.737 5510002:5520002 INFO  :: NModel::CComponentLifecycleManager::NotifyComponentStateChanged: CLM received state change event of component 'LogonSession', reporting state STOPPED
    UCD_LOG_ERROR: 05/28/2014|07:28:56 Aries: 05/28/2014|07:28:56.738 5510002:5520002 ERROR :: NModel::CComponentDetails::SetStatusInfo: Component LogonSession reports error code 0x80ee0065 (no auto-recovery)
    UCD_LOG_INFO: 05/28/2014|07:28:56 Aries: 05/28/2014|07:28:56.739 5510002:5520002 INFO  :: NModel::CBaseLogonSession::OnEnable:
    Received server response:
       status/diag code=0x80ee0065/0
       clientVersionCheckResult=0
       upgradeUrl=
       authWebServiceBaseUrl=
       currentAuthMode=0
       supportedAuthModes=0
       isTlsDskSupported=0
       Reporting credential success 80ee0065
       Reporting server success 80ee0065
       updatedServerName=sip.domainA.com:5061
       updatedTransportMode=3
       isClientVersionCheckError=0
       isServerVersionCheckError=0
       isConnectionError=1
       isRootCertError=0
       isAuthError=0
       isTlsDskError=0
       isKerberosError=1
       isUserCredError=0
       isProxyCredError=0
       isErrorWithCache=0
       isNtlmMismatch=0
       isServerCertInvalid=1
       shouldResetAllowedAuthModes=0
       current allowedAuthModes=12
       new allowedAuthModes=0
    No further alternate server available or SVF/CVF error!
       autoRetryByErrorCode=1
       withRescheduleHint=0
       withAutoRetrials=0
       Login failed with permanent error or no auto-retrials
       Recovery mode switched off
       newState=LOGGED_OUT
    Robson Hasselhoff - Follow me @Robk9e

  • Expressway Traversal Zone

    Hi,
    We are setting up a lab environment with Expressway C and E; it is a single-NIC NAT scenario. We have configured the traversal zone client and server, and it was fine and in the active state, but while configuring a Unified Communications traversal zone it fails. Any help?
    Regards
    Sakthivel C

    Hi,
    Would need a bit more information.  What is the error displayed on the Client side under status for the zone?
    What errors are shown in the event log of the Expressway E and the Expressway C?
    -Jonathan

  • Hello, Does anybody know HOW to programming TLS negotiation using WINHTTP in Windows 8.1?

    Hello 
    I made a program using WinHTTP. I had a question, below...
    "I tried to capture network traffic with Wireshark when connecting to that SERVER using the IE browser. The first
    client_hello message does not include RC4 with TLS 1.0, but the next client_hello message does include RC4 with TLS 1.0, because that SERVER only supports the RC4 cipher in TLS 1.0 (no SSL 3.0). I think
    Windows 8.1 automatically modifies the cipher suite."
    I just had an answer from someone. It is a new function in Windows 8.1, called "Application protocol
    negotiation" in Windows 8.1.
    So, I wonder: is it possible to programmatically disable the negotiation function? I mean, I want the first
    client_hello message to have the RC4 cipher, because when I use the WinHTTP function, the client_hello message does not include the RC4 cipher in TLS 1.0.
    Can I include the RC4 cipher in TLS 1.0 using the WinHTTP function? Or can I program the TLS negotiation using
    WinHTTP? Is it possible or not?
    Please help me.

    Hello.
    Thank you for your answer. It was helpful, but I have another question.
    I added the source code below, but it didn't work. I mean, the TLS_RSA_WITH_RC4_128_SHA and TLS_RSA_WITH_RC4_128_MD5 ciphers
    were added to the top of the prioritized list, but the Client_Hello message didn't include those ciphers.
    Only Windows 8.1 (test PC) does not work.
    I don't know why...
    #include <windows.h>
    #include <bcrypt.h>
    #pragma comment(lib, "bcrypt.lib")

    // Push the two RC4 suites to the top of the local Schannel cipher priority list.
    // BCryptAddContextFunction returns an NTSTATUS (0 == success), so test it with BCRYPT_SUCCESS.
    NTSTATUS Status = 0;
    LPCWSTR wszCipher  = L"TLS_RSA_WITH_RC4_128_SHA";
    LPCWSTR wszCipher2 = L"TLS_RSA_WITH_RC4_128_MD5";
    Status = BCryptAddContextFunction(
        CRYPT_LOCAL,
        L"SSL",
        NCRYPT_SCHANNEL_INTERFACE,
        wszCipher,
        CRYPT_PRIORITY_TOP);
    if (!BCRYPT_SUCCESS(Status)) { /* report Status and stop */ }
    Status = BCryptAddContextFunction(
        CRYPT_LOCAL,
        L"SSL",
        NCRYPT_SCHANNEL_INTERFACE,
        wszCipher2,
        CRYPT_PRIORITY_TOP);
    if (!BCRYPT_SUCCESS(Status)) { /* report Status and stop */ }

  • Wireless ISE - 12508 EAP-TLS handshake failed

    Hi guys,
    I'm in the middle of my very first wireless ISE deployment and I'm hitting issues with EAP-TLS based authentication. In short, all EAP-TLS authentication is failing with the following error. Below that is the relevant excerpt from the logs:
    Authentication failed : 12508 EAP-TLS handshake failed
    OpenSSLErrorMessage=SSL alert: code=0x233=563 \; source=local \; type=fatal \; message="X509 decrypt error -  certificate signature failure", OpenSSLErrorStack=   597863312:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown  message digest algorithm:a_verify.c:146:,
    Setup:
    - Single standalone ISE 3355 appliance
    - Two tier MS enterprise PKI (outside of my direct control)
    - WLC 5508
    - Windows 7 laptop
    - The ISE has both the root and intermediate CA server certificates installed (individually, not chained) and has an identity certificate from the intermediate CA.
    - The test laptop has both the root and intermediate CA server certificates installed  (individually, not chained) and has an identity certificate from the  intermediate CA.
    Now, I'm pretty new to certs so I'm sure I'm missing something simple here.  One thing that has come to mind as I'm writing this is that all of the issued certificates are using SHA1 as the Signature hash algorithm but if I remember correctly ISE defaults to SHA-256 when generating a CSR and I can't remember actually changing that.  Could my issue be as simple as this, or does this hash algorithm only apply to the CSR process?
    This is what TAC came back with, but none of the workarounds helped
    Symptom:
    ========
    EAP-TLS auth handshake  failing with X509 decrypt error. The error presented to the ISE  administrator is "12508: EAP-TLS handshake failed"
    Conditions:
    =========
    EAP-TLS certificate based authentications ISE 1.1.2.145
    Workaround:
    ===========
    1) Reboot or restart the ISE application service
    2) Recreate the CAP (Certificate Authentication Profile)
    3) Toggle between ID sequence and single ID source

    Hi Amjad,
    Thanks for the response. I realise that SHA256 is highly preferable; however, as per my post, the PKI is outside of my direct control, so that's a whole other conversation.
    Cisco actually recommends avoiding chained certs for ISE; their best practice is that the intermediate and root CA server certificates should be imported into the ISE individually (I don't have a link for this, but it was presented in the Advanced ISE session at Cisco Live this year). On the client side the identity certificate (machine) shows the full trust chain, so I would assume that there isn't an issue there, but I'm happy to be corrected.
    The certificate format has not been modified in any way. The server and identity certs have been pushed out to the clients via GPO. The root and intermediate certs were exported in DER format directly from each of the respective CAs and imported directly into the ISE.
    Cheers,
    Owen

  • Eap tls authentication fails if bluetooth device connected

    Hi All, I'm new to Macs but was tasked with getting a MacBook Air connected to our AD-integrated 802.1X wifi network. After a lot of trial and error with certificates I finally got this working, but now have a rather bizarre problem. With the MBA on its own it will connect to the wifi network, successfully authenticate and work perfectly well. However, if my Apple Bluetooth mouse or keyboard are connected to the MBA, the EAP-TLS authentication fails. A packet capture of the connection process shows that at the same point every time the process takes a while, then a packet shows as "Unknown Error Ignored", then it loops through the process. Turn off the keyboard and mouse at this point and the MBA will connect. Once connected I can then connect the keyboard and mouse and stay connected for a while before, I assume, the AP forces a re-auth and the connection drops again.
    Has anyone come across this elsewhere?
    Thanks

    I have a MacBook Pro Retina 15" from 2012 and it has the same issue. Running 10.8.4. I have spent probably 5-6 hours trying to troubleshoot certs and network settings, did a complete fresh install (then restored from Time Machine when that did not work) with no luck. This solution worked, but obviously is not a real solution, as it should not conflict in this way. Great job on finding a workaround! I will be contacting Apple about this ASAP under my AppleCare.

  • Nokia E5-00: Time zone Vietnam has failed in Firmw...

    I'm using a Nokia E5-00 phone (RM-632) with firmware 042.007. This firmware has a problem: the Vietnam time zone is wrong: GMT 0:00, while the right Vietnam time zone is GMT +7:00.
    I hope Nokia will fix this problem in this firmware and the next firmwares.
    Thanks!

    Are you using a grey-import (hand-carried) unit? I also have a genuine E5 and it does not have the same bug as yours.

  • L2TP VPN Error: "MPPE required but peer negotiation failed"

    Clean Leopard Server install. Fairly clean Leopard client, too. Tried to set up an L2TP VPN service and connect to it from the client machine, and I get this in the client's log:
    11/6/07 2007-11-06 T 20:23:52 (PST) pppd[374] IPSec connection established
    11/6/07 2007-11-06 T 20:23:52 (PST) pppd[374] L2TP connection established.
    11/6/07 2007-11-06 T 20:23:52 (PST) pppd[374] Connect: ppp0 <--> socket[34:18]
    11/6/07 2007-11-06 T 20:23:53 (PST) pppd[374] MPPE required but peer negotiation failed
    11/6/07 2007-11-06 T 20:23:53 (PST) pppd[374] Connection terminated.
    As far as I can tell from searching the web, MPPE should not even be involved (but I really don't know the protocol). If I setup a PPTP VPN on the same pair of machines all is well.
    I really think this is a bug in either Leopard or Leopard Server. Anyone else bumping into this wall?
    regards,
    Bill.

    I have the exact same problem. Hopefully Apple will fix this soon. I'm trying to connect to a Linux Box with OpenSwan and L2tpd.
    My Logs:
    Leopard:
    Dec 2 14:43:44 MRiedel-PB-G4 pppd[18603]: L2TP connecting to server XXXXXXXX...
    Dec 2 14:43:47 MRiedel-PB-G4 pppd[18603]: IPSec connection started
    Dec 2 14:43:48 MRiedel-PB-G4 pppd[18603]: IPSec connection established
    Dec 2 14:43:51 MRiedel-PB-G4 pppd[18603]: L2TP connection established.
    Dec 2 14:43:51 MRiedel-PB-G4 pppd[18603]: Connect: ppp0 <--> socket[34:18]
    Dec 2 14:43:51 MRiedel-PB-G4 pppd[18603]: MPPE required but peer negotiation failed
    Dec 2 14:43:52 MRiedel-PB-G4 pppd[18603]: Connection terminated.
    Dec 2 14:43:52 MRiedel-PB-G4 pppd[18603]: L2TP disconnecting...
    Dec 2 14:43:52 MRiedel-PB-G4 pppd[18603]: L2TP disconnected
    And on the Linux Box:
    Dec 2 23:43:47 bt-server pluto[2941]: "L2TP-PSK"[9] 63.231.xxx.xxx #16: STATEQUICKR2: IPsec SA established {ESP=>0x09c22235 <0x8522bdef xfrm=AES128-HMACSHA1 NATD=63.231.52.188:4500 DPD=none}
    Dec 2 23:43:49 bt-server l2tpd[6376]: control_finish: Peer requested tunnel 8 twice, ignoring second one.
    Dec 2 23:43:49 bt-server l2tpd[6376]: Connection established to 63.231.xxx.xxx, 56177. Local: 51805, Remote: 8. LNS session is 'default'
    Dec 2 23:43:49 bt-server l2tpd[6376]: Call established with 63.231.xxx.xxx, Local: 56732, Remote: 18603, Serial: 1
    Dec 2 23:43:49 bt-server pppd[7541]: pppd 2.4.3 started by root, uid 0
    Dec 2 23:43:49 bt-server pppd[7541]: using channel 2105
    Dec 2 23:43:49 bt-server pppd[7541]: Using interface ppp2
    Dec 2 23:43:49 bt-server pppd[7541]: Connect: ppp2 <--> /dev/pts/4
    Dec 2 23:43:49 bt-server pppd[7541]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x6d3895f7> <pcomp> <accomp>]
    Dec 2 23:43:49 bt-server pppd[7541]: rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x4d928d7a> <pcomp> <accomp>]
    Dec 2 23:43:49 bt-server pppd[7541]: sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x4d928d7a> <pcomp> <accomp>]
    Dec 2 23:43:49 bt-server pppd[7541]: rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x6d3895f7> <pcomp> <accomp>]
    Dec 2 23:43:49 bt-server pppd[7541]: sent [LCP EchoReq id=0x0 magic=0x6d3895f7]
    Dec 2 23:43:49 bt-server pppd[7541]: sent [CHAP Challenge id=0x12 <4885f2c708e0dbd85a3cf7cf60ed6b24>, name = "IPsecVPN"]
    Dec 2 23:43:50 bt-server pppd[7541]: rcvd [LCP EchoReq id=0x0 magic=0x4d928d7a]
    Dec 2 23:43:50 bt-server pppd[7541]: sent [LCP EchoRep id=0x0 magic=0x6d3895f7]
    Dec 2 23:43:50 bt-server pppd[7541]: rcvd [LCP EchoRep id=0x0 magic=0x4d928d7a]
    Dec 2 23:43:50 bt-server pppd[7541]: rcvd [CHAP Response id=0x12 <c574d7703411572a98de35e99f3d81ad00000000000000000b4906c55495f2727310659600c5c1 405145b06079ad9fbe00>, name = "xxx"]
    Dec 2 23:43:50 bt-server pppd[7541]: sent [CHAP Success id=0x12 "S=2C78FC23BCE0D753988BB8A6AA9EB3EB22326318 M=Access granted"]
    Dec 2 23:43:50 bt-server pppd[7541]: sent [CCP ConfReq id=0x1 <deflate 15> <deflate(old#) 15> <bsd v1 15>]
    Dec 2 23:43:50 bt-server pppd[7541]: sent [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr 192.168.184.2>]
    Dec 2 23:43:50 bt-server pppd[7541]: rcvd [CCP ConfReq id=0x1 <mppe +H -M +S +L -D -C>]
    Dec 2 23:43:50 bt-server pppd[7541]: sent [CCP ConfRej id=0x1 <mppe +H -M +S +L -D -C>]
    Dec 2 23:43:50 bt-server pppd[7541]: rcvd [LCP TermReq id=0x2 "MPPE required but peer negotiation failed"]
    Dec 2 23:43:50 bt-server pppd[7541]: LCP terminated by peer (MPPE required but peer negotiation failed)
    Dec 2 23:43:50 bt-server pppd[7541]: sent [LCP TermAck id=0x2]
    Dec 2 23:43:50 bt-server pppd[7541]: rcvd [CCP ConfRej id=0x1 <deflate 15> <deflate(old#) 15> <bsd v1 15>]
    Dec 2 23:43:50 bt-server pppd[7541]: Discarded non-LCP packet when LCP not open
    Dec 2 23:43:50 bt-server l2tpd[6376]: control_finish: Connection closed to 63.231.xxx.xxx, serial 1 ()
    Dec 2 23:43:50 bt-server pppd[7541]: Terminating on signal 15
    Dec 2 23:43:50 bt-server pppd[7541]: Modem hangup
    Dec 2 23:43:50 bt-server pppd[7541]: Connection terminated.
    Dec 2 23:43:50 bt-server pppd[7541]: Connect time 0.1 minutes.
    Dec 2 23:43:50 bt-server pppd[7541]: Sent 41 bytes, received 10 bytes.
    Dec 2 23:43:50 bt-server pppd[7541]: Exit.
    Even if I force MPPE on the linux side, I get the same error. Please fix!
    Regards
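Added example, not part of either post: a Python decoder for the CCP exchange in the Linux-side pppd log above. It parses the CCP ConfReq/ConfRej packets, decodes the MPPE option letters as pppd prints them (H stateless, M 40-bit, S 128-bit, L 56-bit, D obsolete bit, C MPPC compression), and explains the observed outcome: the LNS offered only deflate/bsd, rejected the client's mppe option outright (ConfRej, not ConfNak), so a client that requires MPPE sends LCP TermReq. The sample lines are copied from the thread.

```python
"""Decode the CCP/MPPE negotiation from pppd log lines.
A ConfRej of the mppe option means the local pppd does not support or
has not enabled MPPE; a ConfNak would mean it wants different bits."""

import re
from typing import Dict, List

# MPPE option letters in pppd's packet-dump notation (RFC 3078 option bits).
MPPE_FLAGS = {
    "H": "stateless (no history)",
    "M": "40-bit keys",
    "S": "128-bit keys",
    "L": "56-bit keys",
    "D": "obsolete D bit",
    "C": "MPPC compression",
}

CCP_RE = re.compile(
    r"(?P<dir>sent|rcvd) \[CCP (?P<code>Conf(?:Req|Ack|Nak|Rej)) "
    r"id=(?P<id>0x[0-9a-fA-F]+)(?P<opts>.*)\]"
)
MPPE_RE = re.compile(r"<mppe ([^>]*)>")
TERM_RE = re.compile(r'\[LCP TermReq id=0x[0-9a-fA-F]+ "(?P<reason>[^"]*)"\]')

# Sample input: the CCP/LCP lines from the Linux-side log in the thread.
SAMPLE_LOG = """\
Dec 2 23:43:50 bt-server pppd[7541]: sent [CCP ConfReq id=0x1 <deflate 15> <deflate(old#) 15> <bsd v1 15>]
Dec 2 23:43:50 bt-server pppd[7541]: rcvd [CCP ConfReq id=0x1 <mppe +H -M +S +L -D -C>]
Dec 2 23:43:50 bt-server pppd[7541]: sent [CCP ConfRej id=0x1 <mppe +H -M +S +L -D -C>]
Dec 2 23:43:50 bt-server pppd[7541]: rcvd [LCP TermReq id=0x2 "MPPE required but peer negotiation failed"]
Dec 2 23:43:50 bt-server pppd[7541]: rcvd [CCP ConfRej id=0x1 <deflate 15> <deflate(old#) 15> <bsd v1 15>]
""".splitlines()


def decode_mppe(flags: str) -> Dict[str, bool]:
    """Turn '+H -M +S +L -D -C' into {description: requested?}."""
    result = {}
    for token in flags.split():
        sign, letter = token[0], token[1:]
        if sign not in "+-" or letter not in MPPE_FLAGS:
            raise ValueError(f"unexpected MPPE token {token!r}")
        result[MPPE_FLAGS[letter]] = sign == "+"
    return result


def parse_ccp(lines: List[str]) -> List[Dict]:
    """Extract every CCP configure packet with its decoded mppe option (if any)."""
    packets = []
    for line in lines:
        m = CCP_RE.search(line)
        if not m:
            continue
        mppe = MPPE_RE.search(m.group("opts"))
        packets.append({
            "dir": m.group("dir"),
            "code": m.group("code"),
            "id": int(m.group("id"), 16),
            "mppe": decode_mppe(mppe.group(1)) if mppe else None,
        })
    return packets


def diagnose(lines: List[str]) -> Dict:
    """Did the peer ask for MPPE, did we offer or reject it, and did the
    peer then terminate the link because it requires encryption?"""
    packets = parse_ccp(lines)
    peer_req = [p for p in packets
                if p["dir"] == "rcvd" and p["code"] == "ConfReq" and p["mppe"]]
    we_offered = any(p["dir"] == "sent" and p["code"] == "ConfReq" and p["mppe"]
                     for p in packets)
    we_rejected = any(p["dir"] == "sent" and p["code"] == "ConfRej" and p["mppe"]
                      for p in packets)
    reason = None
    for line in lines:
        t = TERM_RE.search(line)
        if t and "rcvd" in line:
            reason = t.group("reason")
    verdict = "ok"
    if peer_req and we_rejected and not we_offered:
        verdict = "local pppd has no MPPE support or MPPE is not enabled; peer requires it"
    elif peer_req and we_rejected:
        verdict = "MPPE offered locally but the peer's requested bits were rejected"
    return {
        "peer_requested": peer_req[0]["mppe"] if peer_req else None,
        "local_offered_mppe": we_offered,
        "local_rejected_mppe": we_rejected,
        "peer_term_reason": reason,
        "verdict": verdict,
    }
```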

  • Exadata Discovery - Failed to launch process: Algorithm negotiation fail

    Trying to discover an Exadata box. We’ve installed the latest EM (BP1) and deployed the agents successfully to the compute nodes. When we come to use the discovery wizard, it fails on the monitoring credential page. We input the cell root passwords and click test connection which fails with the error messages:
    sxa1cel01 - Failed to launch process: Algorithm negotiation fail
    sxa1cel02 - Failed to launch process: Algorithm negotiation fail
    sxa1cel03 - Failed to launch process: Algorithm negotiation fail
    Not much info available about this. Looking at the agent log just shows the same error message coupled with a Java error and not much else. Googling around, it seems it might be something to do with JSch.
    Any help or pointers would be greatly appreciated.

    The root cause of this issue is additional security changes made in the latest Exadata release. Enterprise Manager Cloud Control 12c will be moving to this standard as well in an upcoming patchset.
    Workaround to the problem:
    The current workaround for existing installations is to add the ciphers listed in the step below back to the sshd_config files on all cells and compute nodes if the customer is running Exadata Storage Server version 11.2.3.1.0. The workaround steps for this situation are listed below. For each storage cell and compute node, edit the /etc/ssh/sshd_config file as listed below:
    1) ssh to the cell node as root
    2) cd /etc/ssh/
    3) back up sshd_config
    4) add aes128-cbc,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,blowfish-cbc to the Cipher line in sshd_config
    5) Restart the ssh daemon (as the root user):
    # service sshd restart
    Edited by: user484103 on Apr 23, 2012 11:45 PM
    Edited by: user484103 on Apr 23, 2012 11:50 PM
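Added example (not from the thread, not Oracle's code): a Python model of SSH cipher negotiation per RFC 4253 section 7.1, applied to the workaround above. The chosen cipher is the first entry in the client's preference list that the server also offers; when there is none, a client such as JSch reports algorithm negotiation failure. The legacy client list and the sshd_config text are constructed assumptions. The last function flags that every cipher the workaround re-adds is a CBC mode (or 3DES/Blowfish), so the change is a deliberate downgrade on each cell until the client is updated.

```python
"""SSH cipher negotiation model and the sshd_config workaround from the
answer. Client/server lists and the config text are constructed samples."""

from typing import List, Optional

# Assumed preference list of a legacy JSch client (constructed).
LEGACY_CLIENT = ["aes128-cbc", "3des-cbc", "blowfish-cbc", "aes192-cbc", "aes256-cbc"]
# The ciphers step 4 of the answer adds back, deduplicated.
WORKAROUND_CIPHERS = ["aes128-cbc", "aes192-cbc", "aes256-cbc", "3des-cbc", "blowfish-cbc"]

# Constructed sample sshd_config with a hardened (CTR-only) Ciphers line.
SAMPLE_SSHD_CONFIG = """\
# constructed sample
Port 22
Protocol 2
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha1
"""


def negotiate(client: List[str], server: List[str]) -> Optional[str]:
    """RFC 4253 7.1: the first client-preferred algorithm the server lists.
    None means no common cipher, i.e. 'Algorithm negotiation fail'."""
    server_set = set(server)
    for alg in client:
        if alg in server_set:
            return alg
    return None


def server_ciphers(config_text: str) -> List[str]:
    """Read the Ciphers line; an empty list means sshd defaults apply
    (not modelled here)."""
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped.lower().startswith("ciphers "):
            return stripped.split(None, 1)[1].split(",")
    return []


def apply_workaround(config_text: str, extra: List[str]) -> str:
    """Append the missing ciphers to the Ciphers line (step 4 above),
    keeping the existing order so CTR modes stay preferred by the server."""
    out, done = [], False
    for line in config_text.splitlines():
        if line.strip().lower().startswith("ciphers ") and not done:
            current = line.strip().split(None, 1)[1].split(",")
            merged = current + [c for c in extra if c not in current]
            out.append("Ciphers " + ",".join(merged))
            done = True
        else:
            out.append(line)
    if not done:
        out.append("Ciphers " + ",".join(dict.fromkeys(extra)))
    return "\n".join(out) + "\n"


def downgraded_ciphers(ciphers: List[str]) -> List[str]:
    """CBC-mode entries (which is all the workaround adds) are the ones the
    newer Exadata build removed; re-enabling them widens the attack surface
    of sshd on every cell, so track them and remove them once the client
    (here, the EM agent's JSch) has been patched."""
    return [c for c in ciphers if c.endswith("-cbc")]


def client_can_connect(client: List[str], config_text: str) -> bool:
    return negotiate(client, server_ciphers(config_text)) is not None
```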

  • Dual-Stack LNS - ppp negotiation fails if no ipv6 prefix assigned by Radius

    Hello,
    We have an LNS (asr1k), dual-stack CPE and Radius server.
    Everything works fine if both ipv4 and ipv6 prefix is assigned to CPE by Radius
    If we set Radius server not to assign v6 prefix, we expect to build up an ipv4-only session over ppp.
    This is not what happens. PPP negotiation fails with the following debug lines:
    IPv6 DHCP_AAA: No authorization data from SSS
    Vi2.2364 PPP DISC: Non-PPP hang up
    some config parts of LNS:
    no ipv6 source-route
    ipv6 unicast-routing
    ipv6 dhcp binding track ppp
    ipv6 dhcp pool IPv6_DHCP_POOL
    ipv6 dhcp pool POOL_DHCP_PD
    ipv6 multicast-routing
    ipv6 multicast rpf use-bgp
    interface Virtual-Template99
     mtu 1460
     ip unnumbered Loopback0
     ip tcp adjust-mss 1420
     no logging event link-status
     ipv6 enable
     no ipv6 nd prefix framed-ipv6-prefix
     no ipv6 nd ra suppress
     ipv6 dhcp server POOL_DHCP_PD allow-hint
     peer default ip address pool adslpool_1 adslpool_2
     ppp max-configure 3
     ppp authentication pap AAA_AUTHEN_PPP_noc3x
     ppp authorization AAA_AUTHOR_NET_noc3x
     ppp accounting AAA_ACCT_NET_noc3x
     ppp ipcp address required
     ppp ipcp address accept
     ppp ipcp no-renegotiation send-termreq
     ppp link reorders
     ppp timeout retry 5
     ppp timeout ncp 30
     ppp timeout authentication 30
    end
    Can anyone help?
    Regards,
    Antal

    Have opened a case with Cisco. The solution for me is to put
    no ipv6 dhcp ppp terminate
    into the global config.
    Hope that helps anyone who has the same problem.

  • Time Zone data download failed for 7841 phones

    Hi All ,
    We have more than 100 7841 phones facing the same issue: the time changes automatically. When I check the status message it shows "time zone data download failed".
    CUCM - 8.6.2
    Firmware -  sip78xx.10-1-1-9

    Hi Reddy,
    have a look into this discussion
    https://supportforums.cisco.com/discussion/12187361/cisco-7821-phones
    regds,
    aman

  • Negotiation failed: SSL error: parse tlsext

    I'm hosting a Subversion repository on an Arch box, using Apache and SSL to access it.
    After a recent upgrade to my system, I'm finding that large commits to the repository fail, with a message like:
    negotiation failed: SSL error: parse tlsext (https://example.com)
    To be clear, I'm able to access the repository when doing say an svn update.  However the large commit I'm trying to make now fails.  Any help fixing this error is appreciated!
    Thanks,
    -Dave

    I took a stab at rebuilding openssl myself, with enable-tlsext, following the excellent directions on the arch wiki: http://wiki.archlinux.org/index.php/ABS … ild_System
    I was able to build, but installing totally screwed my system.  I keep seeing this error:
    error while loading shared libraries: libssl.so.0.9.8: cannot open shared object file: No such file or directory
    I get this error when running pacman, for instance, so I can't use
    pacman -U /var/cache/pacman/pkg/openssl...
    to revert the state of my system.
    So now what can I do???

  • Cluvfy : Time zone consistency check failed

    Hello All,
    Env: 112.0.3 on Linux 5.8
    Single node RAC
    I'm trying to add another node to my cluster.
    When I run cluvfy it shows:
    cluvfy stage -pre nodeadd -n a0002 -fixup -verbose
    o/p trimmed
    Oracle Cluster Voting Disk configuration check passed
    Check: Time zone consistency
    Result: Time zone consistency check failed
    The `date` on both the servers shows UTC as the timezone and they sync
    a0001:oracle(ps1) ~ % ssh a0002 date;date
    Thu Oct  3 06:28:13 UTC 2013
    Thu Oct  3 06:28:13 UTC 2013
    cat /u01/app/11.2.0/grid/crs/install/s_crsconfig_a0001_env.txt
    TZ=UTC
    NLS_LANG=AMERICAN_AMERICA.AL32UTF8
    TNS_ADMIN=
    ORACLE_BASE=
    Where does the script check for this?
    TIA,
    John

    Thanks Anar for stopping by.
    rm -rf /tmp/cvutrace
    mkdir /tmp/cvutrace
    export CV_TRACELOC=/tmp/cvutrace
    export SRVM_TRACE=true
    export SRVM_TRACE_LEVEL=1
    <STAGE_AREA>/runcluvfy.sh stage -pre crsinst -n <node1>,<node2> -verbose
    I enabled tracing on cluvfy and found that in Node2's .bash_profile for oracle I had an interactive session env settings script which required user input (like, select 1 for ThisDB, select 2 for ThatDB). The cluvfy script internally waited for that input while logging in as the oracle user to node2 and eventually failed (a kind of timeout). I removed that entry and it worked.
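    The failure mode in the answer above, as an added example that is not part of the original thread: a POSIX sh check that a login profile stays silent and exits cleanly when sourced without a terminal, which is how cluvfy, `ssh node cmd` and scp run it. The two profiles are constructed samples (an unguarded menu like the one described, and the same menu behind an interactivity guard), not the poster's real .bash_profile.

```shell
#!/bin/sh
# Added example (not from the original thread): check that a login profile
# behaves when there is no terminal, which is how cluvfy, ssh host cmd and
# scp run it. Both profiles below are constructed samples.

# Interactive menu with no guard: prints a prompt and reads input on every
# login, including non-interactive ones, which is what blocked cluvfy.
UNGUARDED_PROFILE='
echo "Select environment: 1) ThisDB 2) ThatDB"
read choice
export ORACLE_SID="$choice"
'

# Same menu behind a guard: run only in an interactive shell ($- contains i)
# that has a terminal on stdin; otherwise leave the profile silently.
GUARDED_PROFILE='
case $- in *i*) ;; *) return 0 ;; esac
[ -t 0 ] || return 0
echo "Select environment: 1) ThisDB 2) ThatDB"
read choice
export ORACLE_SID="$choice"
'

# profile_silent FILE: succeed only if sourcing FILE with no terminal and
# no input exits 0 and prints nothing. Any output here shows up in (and
# breaks) scp/sftp and tools that parse remote command output.
profile_silent() {
    out=$(sh -c ". \"$1\"" </dev/null 2>&1)
    rc=$?
    [ "$rc" -eq 0 ] && [ -z "$out" ]
}

# write_profile CONTENT: write CONTENT to a temp file and print its path.
write_profile() {
    f=$(mktemp)
    printf '%s\n' "$1" > "$f"
    printf '%s\n' "$f"
}
```

    On a real cluster the equivalent check from node1 is `ssh -n a0002 true`: it should return immediately with exit status 0 and no output. Anything that prompts, prints, or waits on stdin in the oracle user's .bash_profile belongs behind a guard like the one in GUARDED_PROFILE, since cluvfy, Grid Infrastructure installers and scp all drive the remote login non-interactively.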
