EXPWYC Traversal Zone TLS negotiation Failed
Enter the Fully Qualified Domain Name (FQDN) of the traversal server. If you are using secure traversal, then this value must be either the Common Name or one of the Subject Alternate Names on the traversal server's certificate. IP addresses or hostnames are therefore not recommended.
If the traversal server is a cluster of Expressway-Es, this is the FQDN of one of the peers in that cluster.
Range: 0 to 255 characters
Hello,
I have an issue with the EPWYC traversal zone: once I configured and saved it, I got the following error:
SIP: Failed to connect to (IP<x.x.x.x>):7001 : Connect failed
What could be the reason for this? Where should I look?
Thanks all
You can try the following.
1. First, confirm network reachability to the LAN-facing Ethernet interface of the Exp-E. You can use the ping and traceroute tools; also try pinging the hostname of the Expressway-E (this should help you check that you have the correct DNS records); it should resolve to the internal IP.
2. You should look at the first DMZ; the Cisco Expressway guide (http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-1/Cisco-Expressway-Basic-Configuration-Deployment-Guide-X8-1.pdf) lists the ports that are required to be open or mapped. Kindly make sure yours are.
3. If the above are fine, make sure you have configured the Traversal Zone on the EXP-E to use the same port as you did on the EXP-C.
4. You can look at Status - Logs - Network logs to see network data.
Similar Messages
-
VCS certificates for traversal zone / unable to connect to server, TLS negotiation failure
Hi,
I am trying to connect two traversal zones, VCSE as the server and VCSC as the client, but I am getting the following error:
VCSE:
tvcs: Event="Inbound TLS Negotiation Error" Service="SIP" Src-ip="10.1.1.1" Src-port="25234" Dst-ip="10.1.1.10" Dst-port="7001" Detail="tlsv1 alert unknown ca" Protocol="TLS" Level="1" UTCTime="2015-01-28 18:51:09,080"
VCSC:
2015-01-28T14:32:09-04:30tvcs: Event="Outbound TLS Negotiation Error" Service="SIP" Src-ip="192.168.1.2" Src-port="25267" Dst-ip="10.1.1.10" Dst-port="7001" Detail="unable to get local issuer certificate" Protocol="TLS" Common-name="name-vcse.myname.com" Level="1" UTCTime="2015-01-28 19:02:09,081"
I followed the steps in this document: "http://www.cisco.com/c/dam/en/us/td/docs/telepresence/infrastructure/vcs/config_guide/X8-2/Cisco-VCS-Certificate-Creation-and-Use-Deployment-Guide-X8-2.pdf" and tried with Windows Server Authentication and Client Authentication and with OpenSSL, but I get the same results.
From my firewall I can telnet to 10.1.1.10 port 7001, and also from a device on the 192.168.1.0 network to 10.1.1.10 port 7001 (so I don't think it is a firewall issue).
I also tested the certificate in my VCSC and get the following error:
Invalid: The client certificate is not signed by a CA in the trusted CA list.
Any ideas?
Regards, Anthony
You're missing the Certificate Authority certificate that signed one of the servers' certs. Presumably what is missing is the CA (root) certificate that signed the Expressway-E's cert. Here is a general rule of thumb.
The certificate of the signer of the VCS-C/Expressway-C certificate should be present on the VCS-E/Expressway-E under the Trusted CA section.
The certificate of the signer of the VCS-E/Expressway-E certificate should be present on the VCS-C/Expressway-C under the Trusted CA section.
It's not uncommon to be dealing with a condition where one of the servers' certs was signed by an intermediate. If this is the case, you simply need to follow the chain of certificates and make sure they are all included in the Trusted CA list on the respective server. The main things to look at in the certificates are the Common Names of the Subject and Issuer. Below is an example with fake certificates.
VCS-E/Expressway-E Cert
Issuer: CN=RootCAIntermediate – G5 <-- Signer
Subject: CN=Expressway-E.domain.com
RootCAIntermediate –G5 Certificate
Issuer: CN=RootCAIntermediate Trust <-- Signer
Subject: CN=RootCAIntermediate – G5
RootCAIntermediate Trust
Issuer: CN=RootCA <-- Signer
Subject: CN=RootCAIntermediate Trust
RootCA Certificate
Issuer: CN=RootCA <-- Signer
Subject: CN=RootCA
If you are missing any one of these, you will get the unknown CA error. When the RootCA (the real root) is uploaded to the VCS/Expressway server, its Issuer will be RootCA and the Subject will be "Matches Issuer".
I hope this can help you.
-P
-
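The chain-walking rule in the reply above, worked through in code. This Go program is an added example and is not part of the thread or of any Cisco documentation: it generates fresh keys for the four fake certificates named in the reply (RootCA, RootCAIntermediate Trust, RootCAIntermediate - G5, Expressway-E.domain.com), then checks the Expressway-E certificate against several candidate "Trusted CA lists". VerifyAgainstTrustedList uses Go's standard path validation, where a missing link produces x509.UnknownAuthorityError (the analogue of the "tlsv1 alert unknown ca" in the VCSE log); MissingLink does what the reply tells you to do by hand, following each certificate's Issuer CN to the Subject CN of a trusted certificate until the self-signed root is reached, and names the first certificate that is absent. The function names, the P-256 keys, the serial scheme and the validity periods are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err) // demo-only shortcut: any generation failure aborts
	}
}

// issue signs a certificate for cn with parent's key; a nil parent yields the self-signed root.
// P-256 keys, nanosecond serials and a 24h validity are assumptions of this demo.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed: Subject will match Issuer
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// BuildDemoChain returns the post's chain, leaf last:
// RootCA, RootCAIntermediate Trust, RootCAIntermediate - G5, Expressway-E.domain.com.
func BuildDemoChain() (chain []*x509.Certificate) {
	var parent *x509.Certificate
	var parentKey *ecdsa.PrivateKey
	for i, cn := range []string{"RootCA", "RootCAIntermediate Trust", "RootCAIntermediate - G5", "Expressway-E.domain.com"} {
		cert, key := issue(cn, i < 3, parent, parentKey) // the first three are CAs
		chain = append(chain, cert)
		parent, parentKey = cert, key
	}
	return chain
}

// isSelfSigned reports whether c is a real root: Subject equals Issuer and c verifies under its own key.
func isSelfSigned(c *x509.Certificate) bool {
	return c.Subject.String() == c.Issuer.String() && c.CheckSignatureFrom(c) == nil
}

// VerifyAgainstTrustedList treats trusted as the server's Trusted CA list (self-signed entries are
// anchors, the rest intermediates). A missing link surfaces as x509.UnknownAuthorityError.
func VerifyAgainstTrustedList(leaf *x509.Certificate, trusted []*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trusted {
		if isSelfSigned(c) {
			roots.AddCert(c)
		} else {
			inters.AddCert(c)
		}
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err
}

// MissingLink follows Issuer CN -> Subject CN from the leaf through trusted, as the post advises,
// and returns the CN of the first signer that is absent or does not verify ("" = chain complete).
func MissingLink(leaf *x509.Certificate, trusted []*x509.Certificate) string {
	for cur := leaf; !isSelfSigned(cur); {
		var next *x509.Certificate
		for _, c := range trusted {
			if c.Subject.CommonName == cur.Issuer.CommonName && cur.CheckSignatureFrom(c) == nil {
				next = c
			}
		}
		if next == nil {
			return cur.Issuer.CommonName
		}
		cur = next
	}
	return ""
}

func main() {
	chain := BuildDemoChain()
	for _, trusted := range [][]*x509.Certificate{chain[:1], chain[1:3], chain[:3]} {
		fmt.Printf("verify=%v missing=%q\n", VerifyAgainstTrustedList(chain[3], trusted), MissingLink(chain[3], trusted))
	}
}
```

With only RootCA in the list, verification fails and MissingLink reports "RootCAIntermediate - G5", the direct signer of the Expressway-E certificate; with the two intermediates but no root it reports "RootCA", because the walk never reaches a certificate whose Subject matches its Issuer; with all three CA certificates present both checks pass. This is why uploading only the root, or only the intermediate, still produces the unknown-CA alert on the peer.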
I'm trying to create a TLS neighbor zone between Exp-C and Jabber Guest. I have my own internal CA signed certs on JG and Exp, but TLS is failing and Exp is throwing this error in the logs: No SSL error available, probably remote disconnect. TCP works fine. I've generated the CSR twice for JG and rebooted twice as well. Not sure what is going on. Thanks, Mike
Ah, needed to read a little further in the JG install guide :) I forgot to upload the CA root cert. I would recommend adding this step to the install guide prior to configuring the neighbor zone on the expressway (or at least a note about it). Then the neighbor zone won't error out.
-
Polycom CX600 The connection was closed before TLS negotiation completed
Hello guys,
I'm trying to log in with a CX600 at a remote location on an SBA, but the log is showing the following message:
The connection was closed before TLS negotiation completed .
Did the remote peer accept our certificate ?
scenario :
Offline CA : OfflineIssueCA
Subordinate CA : DomainIssueCA
AD DOMAIN : domain.local
SIP DOMAIN : domainA.com
SIP DOMAIN : domainB.com
Pool: pool01.domain.local
SBA : mysba.domain.local
SBA Certificate :
SN : mysba.domain.local
SAN : sip.domainA.com
SAN : sip.domainB.com
DNS :
sip.domainA.com => ip of mysba.domain.local
_sipinternaltls._tcp.domainA.com => sip.domainA.com
DHCP :
option offer 120 mysba.domain.local
option offer 43 https://pool01.domain.local:443/CertProv/CertProvisioningService.svc
Checking the LPE log, I see the following error most often:
ERROR :: :: OUTGOING_TRANSACTION OnRequestConnectionConnectComplete - connection failed error 80ee0065
And the SBA log SIPStack :
The connection was closed before TLS negotiation completed .
Did the remote peer accept our certificate ?
I believe that the phone is not downloading the private certificate chain:
UCD_LOG_INFO : 28/05/2014 | 04:50:30 Aries : 05/28/2014 | 04:50:30.885 C4000A : 5C02336 :: INFO :: CCertInstaller LdapGetValsfromMesg : AddRootCerttoStore ( DER . ) succeeded hr = 0x0
UCD_LOG_ERROR : 28/05/2014 | 04:50:30 Aries : 28/05/2014 | 04:50:30.886 C4000A : 5C02336 CLogOnManager :: ERROR :: HandleCertEvent : CertInstaller gave callback with Error code = 5
UCD_LOG_INFO : 28/05/2014 | 04:50:30 Aries : 05/28/2014 | 04:50:30.907 C4000A : 5C02336 :: INFO :: CCertInstaller AddSingleCerttoStore : Adding Single Certificate Successful
UCD_LOG_INFO : 05/28/2014 | 04:50:30 Aries : 05/28/2014 | 04:50:30.908 C4000A : 5C02336 :: INFO :: CCertInstaller LdapGetValsfromMesg : AddRootCerttoStore ( . RSP) succeeded hr = 0x0
UCD_LOG_ERROR : 05/28/2014 | 04:50:30 Aries : 28/05/2014 | 04:50:30.908 C4000A : 5C02336 CLogOnManager :: ERROR :: HandleCertEvent : CertInstaller gave callback with Error code = 5
UCD_LOG_INFO : 28/05/2014 | 04:50:30 Aries : 28/05/2014 | 04:50:30.928 C4000A : 5C02336 :: INFO :: CCertInstaller AddSingleCerttoStore : Adding Single Certificate Successful
UCD_LOG_INFO : 28/05/2014 | 04:50:30 Aries : 28/05/2014 | 04:50:30.929 C4000A : 5C02336 :: INFO :: CCertInstaller LdapGetValsfromMesg : AddRootCerttoStore ( . RSP) succeeded hr = 0x0
UCD_LOG_ERROR : 05/28/2014 | 04:50:30 Aries : 05/28/2014 | 04:50:30.930 C4000A : 5C02336 CLogOnManager :: ERROR :: HandleCertEvent : CertInstaller gave callback with Error code = 5
UCD_LOG_INFO : 28/05/2014 | 04:50:30 Aries : 05/28/2014 | 04:50:30.950 C4000A : 5C02336 :: INFO :: CCertInstaller AddSingleCerttoStore : Adding Single Certificate Successful
UCD_LOG_INFO : 05/28/2014 | 04:50:30 Aries : 28/05/2014 | 04:50:30.951 C4000A : 5C02336 :: INFO :: CCertInstaller LdapGetValsfromMesg : AddRootCerttoStore ( . RSP) succeeded hr = 0x0
UCD_LOG_INFO : 28/05/2014 | 04:50:30 Aries : 28/05/2014 | 04:50:30.956 C4000A : 5520002 :: INFO :: CLogOnManager OnCertStatusEvent : Received notification from CertInstaller with state = 0x5
UCD_LOG_INFO : 28/05/2014 | 04:50:30 Aries : 05/28/2014 | 04:50:30.957 C4000A : 5520002 :: INFO :: CCertStateImplementor HandleCertEvents : Received Status event from CertInstaller event from cert installer
UCD_LOG_INFO : 28/05/2014 | 04:50:30 Aries : 05/28/2014 | 04:50:30.957 C4000A : 5520002 :: INFO :: CLogOnScreen OnCertInstallerStateChange : OnCertInstallerStateChange status = 5
Robson Hasselhoff - Follow me @Robk9e
Log in below, connecting to sip.domainA.com:
UCD_LOG_INFO: 05/28/2014|07:28:56 Uccapi: 05/28/2014|07:28:56.693 5510002:5520002 INFO :: SockMgr: Create New Connection:DestName:(sip.domainA.com)DestPort:(5061)Transport:(2)httpTunnel:(0)TLS RemotePrincipalName:(sip.domainA.com)
UCD_LOG_INFO: 05/28/2014|07:28:56 Uccapi: 05/28/2014|07:28:56.696 5510002:5520002 INFO :: CSIPCompressor::Initialize - Compression setting 1, threshold 128000, timeout 5000
UCD_LOG_INFO: 05/28/2014|07:28:56 Uccapi: 05/28/2014|07:28:56.699 5510002:5520002 INFO :: CSIPAsyncSocket::Connect 00CCD6A0 connecting(async) window 7003B800 socket:00000F8D DestAddr:10.145.53.115:5061
UCD_LOG_ERROR: 05/28/2014|07:28:56 Uccapi: 05/28/2014|07:28:56.717 5510002:56A000A ERROR :: SECURE_SOCKET: negotiation failed: 80090327, principal name: [sip.domainA.com]
UCD_LOG_ERROR: 05/28/2014|07:28:56 Uccapi: 05/28/2014|07:28:56.718 5510002:5520002 ERROR :: CSIPTransportLayerSecurity::OnTlsNegotiationComplete (ccd720) failed with 0x80ee0065. Raising OnConnect with the same error
UCD_LOG_ERROR: 05/28/2014|07:28:56 Uccapi: 05/28/2014|07:28:56.718 5510002:5520002 ERROR :: CSIPClientConnection::OnConnect (80ee0065) this: 00CCD540
UCD_LOG_INFO: 05/28/2014|07:28:56 Uccapi: 05/28/2014|07:28:56.719 5510002:5520002 INFO :: SIP_MSG_PROCESSOR::OnRequestConnectionConnectComplete - Enter this: 00CCC1E0, callid=(null), ErrorCode: 0x80ee0065
UCD_LOG_ERROR: 05/28/2014|07:28:56 Uccapi: 05/28/2014|07:28:56.719 5510002:5520002 ERROR :: Releasing connection and notifying transactions
UCD_LOG_ERROR: 05/28/2014|07:28:56 Uccapi: 05/28/2014|07:28:56.719 5510002:5520002 ERROR :: SIP_MSG_PROCESSOR::NotifyRequestConnectionConnectComplete - Error: 80ee0065
UCD_LOG_ERROR: 05/28/2014|07:28:56 Uccapi: 05/28/2014|07:28:56.724 5510002:5520002 ERROR :: OUTGOING_TRANSACTION::OnRequestConnectionConnectComplete - connection failed error 80ee0065
UCD_LOG_INFO: 05/28/2014|07:28:56 Uccapi: 05/28/2014|07:28:56.724 5510002:5520002 INFO :: REGISTER_CONTEXT:State (4) => (5)
UCD_LOG_INFO: 05/28/2014|07:28:56 Uccapi: 05/28/2014|07:28:56.724 5510002:5520002 INFO :: REGISTER_CONTEXT(ccc1e0) SetAndNotify Recv(6) at State (5)
UCD_LOG_INFO: 05/28/2014|07:28:56 Uccapi: 05/28/2014|07:28:56.724 5510002:5520002 INFO :: REGISTER_CONTEXT:State (5) => (6)
UCD_LOG_INFO: 05/28/2014|07:28:56 Uccapi: 05/28/2014|07:28:56.725 5510002:5520002 INFO :: SIP_REGISTER:State (1) => (0)
UCD_LOG_INFO: 05/28/2014|07:28:56 Uccapi: 05/28/2014|07:28:56.726 5510002:5520002 INFO :: Function: CUccServiceOperationManager::DisableServManager
UCD_LOG_INFO: 05/28/2014|07:28:56 Uccapi: 05/28/2014|07:28:56.726 5510002:5520002 INFO :: Function: CUccServerEndpoint::UpdateEndpointState
UCD_LOG_ERROR: 05/28/2014|07:28:56 Uccapi: 05/28/2014|07:28:56.726 5510002:5520002 ERROR :: HRESULT API failed: 80ee0061 = hr. DisableServManager
UCD_LOG_INFO: 05/28/2014|07:28:56 Uccapi: 05/28/2014|07:28:56.727 5510002:5520002 INFO :: CUccDnsResolverManager::Stop MR-INFO - [00CC7C10] DNS resolver manager stopped
UCD_LOG_INFO: 05/28/2014|07:28:56 Uccapi: 05/28/2014|07:28:56.728 5510002:5520002 INFO :: ~Out trxn corr-id (00CCD000)
UCD_LOG_ERROR: 05/28/2014|07:28:56 Aries: 05/28/2014|07:28:56.728 5510002:5520002 ERROR :: WriteLogonSessionAssertionTrace: NModel::CEasyUccContext::Get[133] - ASSERTION FAILURE: IUccContext::get_Property() failed!. hr=0x80ee0058
UCD_LOG_ERROR: 05/28/2014|07:28:56 Aries: 05/28/2014|07:28:56.729 5510002:5520002 ERROR :: WriteLogonSessionAssertionTrace: NModel::CEasyUccContext::Get[133] - ASSERTION FAILURE: IUccContext::get_Property() failed!. hr=0x80ee0058
UCD_LOG_ERROR: 05/28/2014|07:28:56 Aries: 05/28/2014|07:28:56.729 5510002:5520002 ERROR :: WriteLogonSessionAssertionTrace: NModel::CEasyUccContext::Get[133] - ASSERTION FAILURE: IUccContext::get_Property() failed!. hr=0x80ee0058
UCD_LOG_ERROR: 05/28/2014|07:28:56 Aries: 05/28/2014|07:28:56.729 5510002:5520002 ERROR :: WriteLogonSessionAssertionTrace: NModel::CEasyUccContext::Get[101] - ASSERTION FAILURE: IUccContext::get_Property() failed!. hr=0x80ee0058
UCD_LOG_ERROR: 05/28/2014|07:28:56 Aries: 05/28/2014|07:28:56.730 5510002:5520002 ERROR :: NModel::CBaseLogonSession::OnEnable: Logon failed with UCCP status/diag code 0x80ee0065/0
UCD_LOG_INFO: 05/28/2014|07:28:56 Aries: 05/28/2014|07:28:56.731 5510002:5520002 INFO :: NModel::CManagedCredential::SetResult: Logon success state 0 reported by user id=0 (adjusted=0) on CManagedCredential[SPECIFIC this=00AD1E40, domain=intranet.local, userName=robson.carvalho]
UCD_LOG_ERROR: 05/28/2014|07:28:56 Aries: 05/28/2014|07:28:56.732 5510002:5520002 ERROR :: CServerConfigModel::LoadValue: UCCP object is not received yet. groupIndex=0, hr=80ee0061
UCD_LOG_INFO: 05/28/2014|07:28:56 Aries: 05/28/2014|07:28:56.732 5510002:5520002 INFO :: NModel::CLogonServerStatistic::SetResult: CLogonServerStatistic::SetResult sip.domainA.com:5061/3 0x80ee0065
UCD_LOG_INFO: 05/28/2014|07:28:56 Aries: 05/28/2014|07:28:56.733 5510002:5520002 INFO :: NModel::CLogonServerStatistic::ClearDedicatedServer: CLogonServerStatistic::ClearDedicatedServer
UCD_LOG_INFO: 05/28/2014|07:28:56 Aries: 05/28/2014|07:28:56.734 5510002:5520002 INFO :: NModel::CBaseLogonSession::DeactivateRecoveryMode: Recovery mode switched off
UCD_LOG_INFO: 05/28/2014|07:28:56 Uccapi: 05/28/2014|07:28:56.735 5510002:5520002 INFO :: Function: CUccEndpoint::Disable
UCD_LOG_INFO: 05/28/2014|07:28:56 Aries: 05/28/2014|07:28:56.736 5510002:5520002 INFO :: NModel::CBaseLogonSession::DeactivateRecoveryMode: Recovery mode switched off
UCD_LOG_INFO: 05/28/2014|07:28:56 Aries: 05/28/2014|07:28:56.737 5510002:5520002 INFO :: CCallManager::OnEvent: CCallManager::OnEvent - Received logon-session event 0.
UCD_LOG_INFO: 05/28/2014|07:28:56 Aries: 05/28/2014|07:28:56.737 5510002:5520002 INFO :: NModel::CComponentLifecycleManager::NotifyComponentStateChanged: CLM received state change event of component 'LogonSession', reporting state STOPPED
UCD_LOG_ERROR: 05/28/2014|07:28:56 Aries: 05/28/2014|07:28:56.738 5510002:5520002 ERROR :: NModel::CComponentDetails::SetStatusInfo: Component LogonSession reports error code 0x80ee0065 (no auto-recovery)
UCD_LOG_INFO: 05/28/2014|07:28:56 Aries: 05/28/2014|07:28:56.739 5510002:5520002 INFO :: NModel::CBaseLogonSession::OnEnable:
Received server response:
status/diag code=0x80ee0065/0
clientVersionCheckResult=0
upgradeUrl=
authWebServiceBaseUrl=
currentAuthMode=0
supportedAuthModes=0
isTlsDskSupported=0
Reporting credential success 80ee0065
Reporting server success 80ee0065
updatedServerName=sip.domainA.com:5061
updatedTransportMode=3
isClientVersionCheckError=0
isServerVersionCheckError=0
isConnectionError=1
isRootCertError=0
isAuthError=0
isTlsDskError=0
isKerberosError=1
isUserCredError=0
isProxyCredError=0
isErrorWithCache=0
isNtlmMismatch=0
isServerCertInvalid=1
shouldResetAllowedAuthModes=0
current allowedAuthModes=12
new allowedAuthModes=0
No further alternate server available or SVF/CVF error!
autoRetryByErrorCode=1
withRescheduleHint=0
withAutoRetrials=0
Login failed with permanent error or no auto-retrials
Recovery mode switched off
newState=LOGGED_OUT
Robson Hasselhoff - Follow me @Robk9e
-
Hi,
We are setting up a lab environment with Expressway C and E in a single-NIC NAT scenario. We have configured the traversal zone client and server; it was fine and in an active state, but configuring a Unified Communications traversal zone fails. Any help?
Regards
Sakthivel C
Hi,
Would need a bit more information. What is the error displayed on the Client side under status for the zone?
What errors are shown in the event log of the Expressway E and the Expressway C?
-Jonathan
-
Hello
I made a program using WinHTTP. I had the question below...
"I tried to capture network traffic with Wireshark when connecting to that SERVER using the IE browser. The first client_hello message does not include RC4 with TLS 1.0, but the next client_hello message does include RC4 with TLS 1.0, because that SERVER only supports the RC4 cipher in TLS 1.0 (no SSL 3.0). I think Windows 8.1 automatically modifies the cipher suite."
I just got an answer from someone: it is a new function in Windows 8.1, called "Application protocol negotiation" in Windows 8.1.
So I wonder: is it possible to programmatically disable the negotiation function? I mean, I want the first client_hello message to have the RC4 cipher, because when I use the WinHTTP function, the client_hello message does not include the RC4 cipher in TLS 1.0.
Can I include the RC4 cipher in TLS 1.0 using WinHTTP functions? Or can I program the TLS negotiation using WinHTTP? Is it possible or not?
Please help me.
Hello.
Thank you for your answer. It was helpful, but I have some more questions.
I added the source code below, but it didn't work. I mean, the TLS_RSA_WITH_RC4_128_SHA and TLS_RSA_WITH_RC4_128_MD5 ciphers were added to the top of the prioritized list, but the Client_Hello message didn't include those ciphers.
Only Windows 8.1 (test PC) does not work.
I don't know why...
#include <windows.h>
#include <bcrypt.h>   // BCryptAddContextFunction, CRYPT_LOCAL, CRYPT_PRIORITY_TOP, BCRYPT_SUCCESS
#include <ncrypt.h>   // NCRYPT_SCHANNEL_INTERFACE
#pragma comment(lib, "bcrypt.lib")

// Moves the two RC4 cipher suites to the top of the local machine's Schannel
// SSL priority list. BCryptAddContextFunction returns an NTSTATUS, so the result
// is checked with BCRYPT_SUCCESS rather than compared against ERROR_SUCCESS.
// CRYPT_LOCAL edits the local machine configuration, which needs administrative rights.
static NTSTATUS PrioritizeRc4CipherSuites(void)
{
    LPCWSTR wszCipher  = L"TLS_RSA_WITH_RC4_128_SHA";
    LPCWSTR wszCipher2 = L"TLS_RSA_WITH_RC4_128_MD5";

    NTSTATUS Status = BCryptAddContextFunction(
        CRYPT_LOCAL, L"SSL", NCRYPT_SCHANNEL_INTERFACE, wszCipher, CRYPT_PRIORITY_TOP);
    if (!BCRYPT_SUCCESS(Status))
        return Status;

    Status = BCryptAddContextFunction(
        CRYPT_LOCAL, L"SSL", NCRYPT_SCHANNEL_INTERFACE, wszCipher2, CRYPT_PRIORITY_TOP);
    return Status;
}
-
Wireless ISE - 12508 EAP-TLS handshake failed
Hi guys,
I'm in the middle of my very first wireless ISE deployment and I'm hitting issues with EAP-TLS based authentication. In short, all EAP-TLS authentication is failing with the following error. Below that is the relevant excerpt from the logs:
Authentication failed : 12508 EAP-TLS handshake failed
OpenSSLErrorMessage=SSL alert: code=0x233=563 \; source=local \; type=fatal \; message="X509 decrypt error - certificate signature failure", OpenSSLErrorStack= 597863312:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm:a_verify.c:146:,
Setup:
- Single standalone ISE 3355 appliance
- Two tier MS enterprise PKI (outside of my direct control)
- WLC 5508
- Windows 7 laptop
- The ISE has both the root and intermediate CA server certificates installed (individually, not chained) and has an identity certificate from the intermediate CA.
- The test laptop has both the root and intermediate CA server certificates installed (individually, not chained) and has an identity certificate from the intermediate CA.
Now, I'm pretty new to certs so I'm sure I'm missing something simple here. One thing that has come to mind as I'm writing this is that all of the issued certificates are using SHA1 as the Signature hash algorithm but if I remember correctly ISE defaults to SHA-256 when generating a CSR and I can't remember actually changing that. Could my issue be as simple as this, or does this hash algorithm only apply to the CSR process?
This is what TAC came back with, but none of the workarounds helped
Symptom:
========
EAP-TLS auth handshake failing with X509 decrypt error. The error presented to the ISE administrator is "12508: EAP-TLS handshake failed"
Conditions:
=========
EAP-TLS certificate based authentications ISE 1.1.2.145
Workaround:
===========
1) Reboot or restart ISE application service
2) Recreate CAP (Certificate Authentication Profile)
3) Toggle between ID sequence and single ID source
Hi Amjad,
Thanks for the response. I realise that SHA256 is highly preferable, however as per my post the PKI is outside of my direct control so that's a whole other conversation.
Cisco actually recommends avoiding chained certs for ISE, their best practice is that the intermediate and root CA server certificates should be imported into the ISE individually (I don't have a link for this, but it was presented in the Advanced ISE session at Cisco Live this year). On the client side the identity certificate (machine) shows the full trust chain, so I would assume that there isn't an issue there but I'm happy to be corrected.
The certificate format has not been modified in any way. The server and identity certs have been pushed out to the clients via GPO. The root and intermediate certs were exported in DER format directly from each of the respective CAs and imported directly into the ISE.
Cheers,
Owen
-
Eap tls authentication fails if bluetooth device connected
Hi All, I'm new to Macs but was tasked with getting a MacBook Air connected to our AD-integrated 802.1X Wi-Fi network. After a lot of trial and error with certificates I finally got this working, but now I have a rather bizarre problem. With the MBA on its own it will connect to the Wi-Fi network, successfully authenticate and work perfectly well. However, if my Apple Bluetooth mouse or keyboard is connected to the MBA, the EAP-TLS authentication fails. A packet capture of the connection process shows that at the same point every time the process takes a while, then a packet shows as "Unknown Error Ignored", then it loops through the process. Turn off the keyboard and mouse at this point and the MBA will connect. Once connected I can then connect the keyboard and mouse and stay connected for a while before, I assume, the AP forces a re-auth and the connection drops again.
Has anyone come across this elsewhere?
Thanks
I have a MacBook Pro Retina 15" from 2012 and it has the same issue. Running 10.8.4. I have spent probably 5-6 hours trying to troubleshoot certs and network settings, did a complete fresh install (then restored from Time Machine when that did not work) with no luck; this solution worked but obviously is not a real solution, as it should not conflict in this way. Great job on finding a workaround! I will be contacting Apple about this ASAP under my AppleCare.
-
Nokia E5-00: Time zone Vietnam has failed in Firmw...
I'm using a Nokia E5-00 phone (RM-632) with firmware 042.007. This firmware has a problem: the Vietnam time zone is wrong. It shows GMT 0:00, but the correct Vietnam time zone is GMT +7:00.
I hope Nokia will fix this problem in this firmware and the next firmware releases.
Thanks!
Are you using a grey-import (hand-carried) phone? I also have a genuine E5 and it does not have the same error as yours.
-
L2TP VPN Error: "MPPE required but peer negotiation failed"
Clean Leopard Server install. Fairly clean Leopard client, too. Tried to setup an L2TP VPN service, and connect to it from the client machine, and I get this in the client's log:
11/6/07 2007-11-06 T 20:23:52 (PST) pppd[374] IPSec connection established
11/6/07 2007-11-06 T 20:23:52 (PST) pppd[374] L2TP connection established.
11/6/07 2007-11-06 T 20:23:52 (PST) pppd[374] Connect: ppp0 <--> socket[34:18]
11/6/07 2007-11-06 T 20:23:53 (PST) pppd[374] MPPE required but peer negotiation failed
11/6/07 2007-11-06 T 20:23:53 (PST) pppd[374] Connection terminated.
As far as I can tell from searching the web, MPPE should not even be involved (but I really don't know the protocol). If I setup a PPTP VPN on the same pair of machines all is well.
I really think this is a bug in either Leopard or Leopard Server. Anyone else bumping into this wall?
regards,
Bill.
I have the exact same problem. Hopefully Apple will fix this soon. I'm trying to connect to a Linux box with OpenSwan and L2tpd.
My Logs:
Leopard:
Dec 2 14:43:44 MRiedel-PB-G4 pppd[18603]: L2TP connecting to server XXXXXXXX...
Dec 2 14:43:47 MRiedel-PB-G4 pppd[18603]: IPSec connection started
Dec 2 14:43:48 MRiedel-PB-G4 pppd[18603]: IPSec connection established
Dec 2 14:43:51 MRiedel-PB-G4 pppd[18603]: L2TP connection established.
Dec 2 14:43:51 MRiedel-PB-G4 pppd[18603]: Connect: ppp0 <--> socket[34:18]
Dec 2 14:43:51 MRiedel-PB-G4 pppd[18603]: MPPE required but peer negotiation failed
Dec 2 14:43:52 MRiedel-PB-G4 pppd[18603]: Connection terminated.
Dec 2 14:43:52 MRiedel-PB-G4 pppd[18603]: L2TP disconnecting...
Dec 2 14:43:52 MRiedel-PB-G4 pppd[18603]: L2TP disconnected
And on the Linux Box:
Dec 2 23:43:47 bt-server pluto[2941]: "L2TP-PSK"[9] 63.231.xxx.xxx #16: STATEQUICKR2: IPsec SA established {ESP=>0x09c22235 <0x8522bdef xfrm=AES128-HMACSHA1 NATD=63.231.52.188:4500 DPD=none}
Dec 2 23:43:49 bt-server l2tpd[6376]: control_finish: Peer requested tunnel 8 twice, ignoring second one.
Dec 2 23:43:49 bt-server l2tpd[6376]: Connection established to 63.231.xxx.xxx, 56177. Local: 51805, Remote: 8. LNS session is 'default'
Dec 2 23:43:49 bt-server l2tpd[6376]: Call established with 63.231.xxx.xxx, Local: 56732, Remote: 18603, Serial: 1
Dec 2 23:43:49 bt-server pppd[7541]: pppd 2.4.3 started by root, uid 0
Dec 2 23:43:49 bt-server pppd[7541]: using channel 2105
Dec 2 23:43:49 bt-server pppd[7541]: Using interface ppp2
Dec 2 23:43:49 bt-server pppd[7541]: Connect: ppp2 <--> /dev/pts/4
Dec 2 23:43:49 bt-server pppd[7541]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x6d3895f7> <pcomp> <accomp>]
Dec 2 23:43:49 bt-server pppd[7541]: rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x4d928d7a> <pcomp> <accomp>]
Dec 2 23:43:49 bt-server pppd[7541]: sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x4d928d7a> <pcomp> <accomp>]
Dec 2 23:43:49 bt-server pppd[7541]: rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x6d3895f7> <pcomp> <accomp>]
Dec 2 23:43:49 bt-server pppd[7541]: sent [LCP EchoReq id=0x0 magic=0x6d3895f7]
Dec 2 23:43:49 bt-server pppd[7541]: sent [CHAP Challenge id=0x12 <4885f2c708e0dbd85a3cf7cf60ed6b24>, name = "IPsecVPN"]
Dec 2 23:43:50 bt-server pppd[7541]: rcvd [LCP EchoReq id=0x0 magic=0x4d928d7a]
Dec 2 23:43:50 bt-server pppd[7541]: sent [LCP EchoRep id=0x0 magic=0x6d3895f7]
Dec 2 23:43:50 bt-server pppd[7541]: rcvd [LCP EchoRep id=0x0 magic=0x4d928d7a]
Dec 2 23:43:50 bt-server pppd[7541]: rcvd [CHAP Response id=0x12 <c574d7703411572a98de35e99f3d81ad00000000000000000b4906c55495f2727310659600c5c1 405145b06079ad9fbe00>, name = "xxx"]
Dec 2 23:43:50 bt-server pppd[7541]: sent [CHAP Success id=0x12 "S=2C78FC23BCE0D753988BB8A6AA9EB3EB22326318 M=Access granted"]
Dec 2 23:43:50 bt-server pppd[7541]: sent [CCP ConfReq id=0x1 <deflate 15> <deflate(old#) 15> <bsd v1 15>]
Dec 2 23:43:50 bt-server pppd[7541]: sent [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr 192.168.184.2>]
Dec 2 23:43:50 bt-server pppd[7541]: rcvd [CCP ConfReq id=0x1 <mppe +H -M +S +L -D -C>]
Dec 2 23:43:50 bt-server pppd[7541]: sent [CCP ConfRej id=0x1 <mppe +H -M +S +L -D -C>]
Dec 2 23:43:50 bt-server pppd[7541]: rcvd [LCP TermReq id=0x2 "MPPE required but peer negotiation failed"]
Dec 2 23:43:50 bt-server pppd[7541]: LCP terminated by peer (MPPE required but peer negotiation failed)
Dec 2 23:43:50 bt-server pppd[7541]: sent [LCP TermAck id=0x2]
Dec 2 23:43:50 bt-server pppd[7541]: rcvd [CCP ConfRej id=0x1 <deflate 15> <deflate(old#) 15> <bsd v1 15>]
Dec 2 23:43:50 bt-server pppd[7541]: Discarded non-LCP packet when LCP not open
Dec 2 23:43:50 bt-server l2tpd[6376]: control_finish: Connection closed to 63.231.xxx.xxx, serial 1 ()
Dec 2 23:43:50 bt-server pppd[7541]: Terminating on signal 15
Dec 2 23:43:50 bt-server pppd[7541]: Modem hangup
Dec 2 23:43:50 bt-server pppd[7541]: Connection terminated.
Dec 2 23:43:50 bt-server pppd[7541]: Connect time 0.1 minutes.
Dec 2 23:43:50 bt-server pppd[7541]: Sent 41 bytes, received 10 bytes.
Dec 2 23:43:50 bt-server pppd[7541]: Exit.
Even if I force MPPE on the linux side, I get the same error. Please fix!
Regards
-
Exadata Discovery - Failed to launch process: Algorithm negotiation fail
Trying to discover an Exadata box. We’ve installed the latest EM (BP1) and deployed the agents successfully to the compute nodes. When we come to use the discovery wizard, it fails on the monitoring credential page. We input the cell root passwords and click test connection which fails with the error messages:
sxa1cel01 - Failed to launch process: Algorithm negotiation fail
sxa1cel02 - Failed to launch process: Algorithm negotiation fail
sxa1cel03 - Failed to launch process: Algorithm negotiation fail
Not much info available about this. Looking at the agent log just shows the same error message coupled with a Java error and not much else. Googling around, it seems it might be something to do with JSch.
Any help or pointers would be greatly appreciated.
The root cause of this issue is additional security changes made in the latest Exadata release. Enterprise Manager Cloud Control 12c will be moving to this standard as well in an upcoming patchset.
Workaround to the problem:
The current workaround for existing installations is to add the ciphers listed in the step below back to the sshd_config files on all cells and compute nodes if the customer is running Exadata Storage Server version 11.2.3.1.0. The workaround steps for this situation are listed below. For each storage cell and compute node, edit the /etc/ssh/sshd_config file as follows:
1) ssh to the cell node as root
2) cd /etc/ssh/
3) back up sshd_config
4) add aes128-cbc,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,blowfish-cbc to the Cipher line in sshd_config
5) Restart the ssh daemon (as the root user):
# service sshd restart
Edited by: user484103 on Apr 23, 2012 11:45 PM
Edited by: user484103 on Apr 23, 2012 11:50 PM
-
Dual-Stack LNS - ppp negotiation fails if no ipv6 prefix assigned by Radius
Hello,
We have an LNS (asr1k), dual-stack CPE and Radius server.
Everything works fine if both an IPv4 and an IPv6 prefix are assigned to the CPE by RADIUS.
If we set the RADIUS server not to assign a v6 prefix, we expect an IPv4-only session to be built over PPP.
This is not what happens. PPP negotiation fails with the following debug lines:
IPv6 DHCP_AAA: No authorization data from SSS
Vi2.2364 PPP DISC: Non-PPP hang up
Some config parts of the LNS:
no ipv6 source-route
ipv6 unicast-routing
ipv6 dhcp binding track ppp
ipv6 dhcp pool IPv6_DHCP_POOL
ipv6 dhcp pool POOL_DHCP_PD
ipv6 multicast-routing
ipv6 multicast rpf use-bgp
interface Virtual-Template99
mtu 1460
ip unnumbered Loopback0
ip tcp adjust-mss 1420
no logging event link-status
ipv6 enable
no ipv6 nd prefix framed-ipv6-prefix
no ipv6 nd ra suppress
ipv6 dhcp server POOL_DHCP_PD allow-hint
peer default ip address pool adslpool_1 adslpool_2
ppp max-configure 3
ppp authentication pap AAA_AUTHEN_PPP_noc3x
ppp authorization AAA_AUTHOR_NET_noc3x
ppp accounting AAA_ACCT_NET_noc3x
ppp ipcp address required
ppp ipcp address accept
ppp ipcp no-renegotiation send-termreq
ppp link reorders
ppp timeout retry 5
ppp timeout ncp 30
ppp timeout authentication 30
end
Can anyone help?
Regards,
Antal
I have opened a case with Cisco. The solution for me is to put
no ipv6 dhcp ppp terminate
in to the global config.
Hope that helps anyone who has the same problem.
-
Time Zone data downoad failed for 7841 phones
Hi All ,
We have over 100 7841 phones facing the same issue: the time changes automatically. When I check the status message it shows "time zone data download failed".
CUCM - 8.6.2
Firmware - sip78xx.10-1-1-9
Hi Reddy,
Have a look at this discussion:
https://supportforums.cisco.com/discussion/12187361/cisco-7821-phones
regds,
aman -
Negotiation failed: SSL error: parse tlsext
I'm hosting a subversion repository on an Arch box. Using apache and SSL to access it.
After a recent upgrade to my system, I'm finding that large commits to the repository fail, with a message like:
negotiation failed: SSL error: parse tlsext (https://example.com)
To be clear, I'm able to access the repository when doing, say, an svn update. However, the large commit I'm trying to make now fails. Any help fixing this error is appreciated!
Thanks,
-Dave
I took a stab at rebuilding openssl myself, with enable-tlsext, following the excellent directions on the arch wiki: http://wiki.archlinux.org/index.php/ABS … ild_System
I was able to build, but installing totally screwed my system. I keep seeing this error:
error while loading shared libraries: libssl.so.0.9.8: cannot open shared object file: No such file or directory
I get this error when running pacman, for instance, so I can't use
pacman -U /var/cache/pacman/pkg/openssl...
to revert the state of my system.
So now what can I do???
-
Cluvfy : Time zone consistency check failed
Hello All,
Env: 112.0.3 on Linux 5.8
Single node RAC
I'm trying to add another node to my cluster.
When I run cluvfy it shows
cluvfy stage -pre nodeadd -n a0002 -fixup -verbose
(output trimmed)
Oracle Cluster Voting Disk configuration check passed
Check: Time zone consistency
Result: Time zone consistency check failed
The `date` on both servers shows UTC as the time zone and they are in sync:
a0001:oracle(ps1) ~ % ssh a0002 date;date
Thu Oct 3 06:28:13 UTC 2013
Thu Oct 3 06:28:13 UTC 2013
cat /u01/app/11.2.0/grid/crs/install/s_crsconfig_a0001_env.txt
TZ=UTC
NLS_LANG=AMERICAN_AMERICA.AL32UTF8
TNS_ADMIN=
ORACLE_BASE=
Where does the script check for this?
TIA,
John
Thx Anar for stepping by.
rm -rf /tmp/cvutrace
mkdir /tmp/cvutrace
export CV_TRACELOC=/tmp/cvutrace
export SRVM_TRACE=true
export SRVM_TRACE_LEVEL=1
<STAGE_AREA>/runcluvfy.sh stage -pre crsinst -n <node1>,<node2> -verbose
I enabled tracing on cluvfy and found that in Node2's .bash_profile for oracle, I had an interactive session env settings script which required user input (like: select 1 for ThisDB, select 2 for ThatDB). The cluvfy script internally waited for that input while logging in as the oracle user to node2 and eventually failed (a kind of timeout). I removed that entry and it worked.
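As an added example (not the poster's script), a POSIX shell check that reproduces what cluvfy's time-zone probe depends on: a clean, non-interactive ssh login on every node that returns exactly one time zone token, so a prompting .bash_profile or a mismatched zone is reported before nodeadd is run. The node names and the SSH_CMD override are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: probe each cluster node the way cluvfy
# does (a non-interactive ssh login) and report nodes whose login is noisy or
# whose time zone differs. Node names are assumptions; SSH_CMD can be
# overridden to point at a different ssh wrapper.
: "${SSH_CMD:=ssh -o BatchMode=yes -o ConnectTimeout=5}"

# Run a command under a 10 s limit when coreutils timeout is present, so a
# profile script waiting for keyboard input cannot hang the check.
tmo() {
    if command -v timeout >/dev/null 2>&1; then timeout 10 "$@"; else "$@"; fi
}

# Print the time zone a non-interactive login on $1 reports. Fail with 1 when
# the login itself fails or times out, and with 2 when the output is not a
# single zone token (an interactive menu in .bash_profile, for example).
node_tz() {
    out=$(tmo $SSH_CMD "$1" 'date +%Z' 2>/dev/null) || return 1
    case "$out" in
        "" | *[!A-Za-z0-9+-]*) return 2 ;;
    esac
    printf '%s\n' "$out"
}

# Compare every node against the first one; exit non-zero on any problem.
check_tz_consistency() {
    ref=""; rc=0
    for node in "$@"; do
        if tz=$(node_tz "$node"); then
            if [ -z "$ref" ]; then ref=$tz; fi
            if [ "$tz" != "$ref" ]; then
                echo "$node: time zone $tz differs from $ref" >&2; rc=1
            fi
            echo "$node: $tz"
        else
            echo "$node: login gave no clean time zone (check .bash_profile for prompts)" >&2
            rc=1
        fi
    done
    return $rc
}

# Example invocation with the thread's node names (assumed reachable):
# check_tz_consistency a0001 a0002
```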