VPN Client Cert Chain Issues
I am attempting to set up a VPN connection on a new computer. This connection currently works fine on another machine. I have installed the Root Cert chain and my personal cert as before, and it fails to connect. I have included my log file below. The cert shows as valid, so I am unsure what I have done wrong. I have done this for other machines and it has worked fine. Any help would be appreciated!
Thank you
Karl
Cisco Systems VPN Client Version 4.8.01.0300
Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3
109 10:24:39.791 07/04/08 Sev=Info/6 CERT/0x63600025
Attempting to find a Certificate using Serial Hash.
110 10:24:39.791 07/04/08 Sev=Info/6 CERT/0x63600026
Found a Certificate using Serial Hash.
111 10:24:39.791 07/04/08 Sev=Info/6 CERT/0x63600025
Attempting to find a Certificate using Serial Hash.
112 10:24:39.791 07/04/08 Sev=Info/6 CERT/0x63600026
Found a Certificate using Serial Hash.
113 10:24:39.791 07/04/08 Sev=Info/6 CERT/0x63600025
Attempting to find a Certificate using Serial Hash.
114 10:24:39.791 07/04/08 Sev=Info/6 CERT/0x63600026
Found a Certificate using Serial Hash.
115 10:24:39.870 07/04/08 Sev=Info/4 CERT/0x63600015
Cert (cn=XXXXXXXXXXXXXX,ou=CSADMIN,dc=secure,dc=XXXXXXXXXXXX,dc=com) verification succeeded.
116 10:24:40.901 07/04/08 Sev=Info/6 CERT/0x63600025
Attempting to find a Certificate using Serial Hash.
117 10:24:40.901 07/04/08 Sev=Info/6 CERT/0x63600026
Found a Certificate using Serial Hash.
118 10:24:41.135 07/04/08 Sev=Info/4 CERT/0x6360001B
No smart card readers with cards inserted found.
119 10:24:41.432 07/04/08 Sev=Warning/2 CERT/0xE360003E
Cert chain missing or intermediate CA signature failed - Cert verification failed.
120 10:24:41.432 07/04/08 Sev=Warning/2 IKE/0xE3000097
Unable to validate peer certificate, Common Name co-sec-vpn01.ou=secure.ou=XXXXXXXXXXXX.o=com., Issuer cn=CPI,dc=secure,dc=XXXXXXXXXXX,dc=com, (CertCfg:241).
121 10:24:41.432 07/04/08 Sev=Warning/2 IKE/0xE300009B
Failed to process MM Msg 6 (NavigatorMM:570)
122 10:24:41.432 07/04/08 Sev=Warning/2 IKE/0xE30000A7
Unexpected SW error occurred while processing Identity Protection (Main Mode) negotiator:(Navigator:2237)
VPN connection was not established because of an unrecognized reason. Please check the logs for details.
A better solution is to install an Identity Cert that is not chained.
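The failure in the log above ("Cert chain missing or intermediate CA signature failed"), reproduced with OpenSSL as an added example that is not part of the original post: a constructed root / intermediate / gateway chain is built in a temp directory, and the gateway cert is verified first with only the root trusted (the state the client's store is in) and then with the intermediate supplied. The CA and gateway names are constructed, modelled on the log, and the script assumes an `openssl` binary (1.1.1 or newer) on the PATH.

```shell
#!/bin/sh
# Added example (not from the original post): show why a peer cert that is
# issued by an intermediate CA fails verification when only the root is
# trusted, and passes once the intermediate is available. All names and
# keys below are constructed on the fly; nothing here is the poster's PKI.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal OpenSSL config so the run does not depend on the system openssl.cnf.
cat > chain.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
EOF

# Root CA (self-signed): the "Root Cert" the poster installed on the client.
openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config chain.cnf \
  -subj "/CN=Example Root CA" -keyout root.key -out root.pem 2>/dev/null

# Intermediate CA "CPI" (name taken from the log's Issuer field), signed by
# the root. This is the certificate the client log reports as missing.
openssl req -new -newkey rsa:2048 -nodes -config chain.cnf \
  -subj "/CN=CPI" -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -extfile chain.cnf -extensions ca_ext -out inter.pem 2>/dev/null

# Gateway (peer) certificate, signed by the intermediate, not by the root.
openssl req -new -newkey rsa:2048 -nodes -config chain.cnf \
  -subj "/CN=co-sec-vpn01" -keyout gw.key -out gw.csr 2>/dev/null
openssl x509 -req -in gw.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 30 -extfile chain.cnf -extensions leaf_ext -out gw.pem 2>/dev/null

# chain_status: verify gw.pem with the root as the only trust anchor, plus any
# extra verify arguments (e.g. "-untrusted inter.pem"); prints "ok" or "fail".
chain_status() {
  if openssl verify -CAfile root.pem "$@" gw.pem >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

echo "Gateway cert issuer: $(openssl x509 -in gw.pem -noout -issuer)"
echo "Root only (what the client has):  $(chain_status)"                       # fail
echo "Root + intermediate CPI supplied: $(chain_status -untrusted inter.pem)"  # ok

# OpenSSL's own reason for the first failure, the counterpart of the log line.
openssl verify -CAfile root.pem gw.pem 2>&1 || true
```

The fix on the client side is the second case: the intermediate that actually issued the gateway cert has to be present alongside the root, or the gateway has to present it in its chain.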
Similar Messages
Oracle HTTP Server, client certificate chain
I use Oracle (Apache) HTTP Server, installed from the Oracle SOA Suite distribution.
There are 2 types of SSL client cert chains that I use: client-issuer-root and client-root.
My SSL works fine, unless I should configure mod_ossl to accept only user certificates signed by the certificate issuer (not the root).
I add an SSLRequire directive:
SSLOptions StdEnvVars ExportCertData
SSLRequire (%{SSL_CLIENT_CERT_CHAIN_0} == file("/path/to/issue.cer"))
but this doesn't work (the condition expression always evaluates to false), and
SSLOptions StdEnvVars ExportCertData
SSLRequire (%{SSL_CLIENT_CERT_CHAIN_0} == "")
always evaluates to true.
So, SSL_CLIENT_CERT_CHAIN_0 is ALWAYS EMPTY.
I've tried different versions of ApacheModuleOSSL.dll (built 09/19/2006, version 10.1.3.1; built 06/12/2007, version 10.1.3.3); the result is the same.
I've found something about mod_ssl (not mod_ossl) in "Technologies for Information Environment Security: TIES project report" (http://edina.ac.uk/projects/ties/ties_23-9.pdf):
"NOTE: This is the second, and more significant, problem we encountered in this area of mod_ssl: the first caused all the SSL_CLIENT_CERT_CHAIN_n environmental variables to be empty. We traced this bug back to a literal +17 offset into a character string that should have been +18, but by the time we had done so, a fixed version was available."
Is there the same problem in mod_ossl?
Does anybody have any ideas?
Once again)
http://www.mail-archive.com/[email protected]/msg11705.html
I've got a question for Oracle developers: is this the same problem in OHS and OHS2 mod_ossl?
And if yes, when can we expect the patch?
Thanks!
IPad IPSEC Cisco client - Additional route issue
Hi,
I am unsure if this problem has come about in recent iOS releases, or is just something that's only become apparent now because someone has tried to use it. I've never had any complaints prior to the last month or so.
When connecting to a VPN configuration on a Cisco router (which previously didn't work but has for about a year, I guess), the iPad receives the additional routes just fine, as it should, but does not seem to work with them.
For example, I have 2 networks:
192.168.200.0/24
10.0.10.0/24
In my ACLs on the router I add both networks, and I have confirmed with an app on my iPad that it gets both routes. They have the exact same flags, MTU, and gateway. I can get to the 192.168.200.0/24 network, but not the 10.0.10.0/24 network, even though my network tools software says the correct route is in use. It's almost as if it is not encrypted.
If I reverse the ACL order, so I have the route to the 10.0.10.0/24 network first, then that network will work, and the 192.168.200.0/24 network will NOT, despite the route tables looking EXACTLY the same as in the first instance.
If I connect via a PC Cisco client, it works fine. All routes work.
I've had reports (that I have yet to confirm as I do not have a Mac) that the built-in VPN client in MacOS has the same issue, but the Cisco-supplied VPN client has no issue.
It seems like it's an issue with the Apple OS software, but I am open to suggestions. Anyone got any ideas?
Leigh
I know you don't have an ASA, but I just want to be clear about the information you've given so no one is misled. The ASA5500-SSL-25 license is a premium license, and with that one gets:
Robust posture assessment capabilities protect the integrity of the corporate network by restricting VPN access based on an endpoint's security posture. Prior to establishing connectivity, a system may be validated for compliance with various antivirus, personal firewall, or antispyware products, and may undergo additional system checks. An advanced endpoint assessment option is available to automate the process of remediating out-of-compliance endpoint security applications.
If one didn't want all that then one wouldn't, and I didn't. I bought an unlimited AnyConnect Essentials license and mobile option for my 5520 for no more than $250 USD for both, and unlimited on a 5520 means 250 users since that is the max it can handle. The Cisco ISR G2 routers are quite expensive units and I think licensing is higher.
But as far as the main point of discussion here, the real issue is that though IPsec will be around for years to come in site-to-site and DMVPN scenarios, on clients it is another story, especially mobile. Apple collaborated with Cisco on the IPsec client for iOS because of the complexity of IPsec clients and that it had to work to drive iOS acceptance. That it took Now that SSL VPN client software has matured, it is only a matter of time before Apple yanks IPsec VPN from iOS altogether, and I wouldn't be surprised if they aren't as speedy about fixing bugs in the iOS built-in client as they once may have been. SSL VPNs are lighter and easier to install on mobile clients, and it is not in Apple's or Cisco's interest to support IPsec on the client on all platforms indefinitely (Cisco only grudgingly added Win64 support somewhat recently). It isn't perfect, but installing the client is much easier for our users to do, doesn't require a reboot on Windows or pre-10.6 Macs, and it unifies the experience across all platforms. I'm not even one to jump on the "latest thing" bandwagon normally, but even at the higher ISR router cost to get SSL VPN I'd have done it just from a user support perspective alone. If you can eliminate client support costs then there is a cost saving to me and my users that I factor in.
Strange issue with 3.6.3 VPN Client and IOS firewall
I'm able to establish a VPN connection from the VPN Client to the e0/0 interface of the IOS FW/VPN router and pass encrypted traffic.
Whenever I initiate a connection to something on the "Internet" from the LAN (e0/1) of the router, a temporary ACL entry is added to ACL 103 as it should be and I'm able to get out on the Internet from the internal LAN; however, I immediately lose my VPN connection from my PC Client when IOS FW adds those temporary "return entries".
Router is running 12.2(13)T.
Anyone else having issues like that? I've looked everywhere on cisco.com and elsewhere but I don't see anyone having a similar issue.
You Cisco gurus have any thoughts?
Thanks,
Jamey
Config below:
jamey#wr t
Building configuration...
Current configuration : 3947 bytes
! Last configuration change at 16:27:03 GMT Wed Jan 22 2003 by jdepp
! NVRAM config last updated at 00:14:38 GMT Wed Jan 22 2003 by jdepp
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
hostname "jamey"
no logging buffered
no logging console
username XXXX password 7 XXXXX
clock timezone GMT 0
aaa new-model
aaa authentication login tac local
aaa session-id common
ip subnet-zero
no ip domain lookup
ip inspect name myfw ftp
ip inspect name myfw realaudio
ip inspect name myfw smtp
ip inspect name myfw streamworks
ip inspect name myfw vdolive
ip inspect name myfw tftp
ip inspect name myfw rcmd
ip inspect name myfw tcp
ip inspect name myfw udp
ip inspect name firewall http java-list 3
ip audit notify log
ip audit po max-events 100
crypto isakmp policy 3
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp nat keepalive 20
crypto isakmp client configuration group XXXX
key XXXXXXX
dns x.x.x.x
domain xxx.com
pool ipsec-pool
acl 191
crypto ipsec security-association lifetime kilobytes 536870911
crypto ipsec security-association lifetime seconds 86400
crypto ipsec transform-set foxset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10
set transform-set foxset
crypto map clientmap client authentication list tac
crypto map clientmap isakmp authorization list XXXXX
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
interface Loopback10
description just for test purposes
ip address 172.16.45.1 255.255.255.0
interface Ethernet0/0
description "Internet"
ip address x.x.x.x 255.255.255.224
ip access-group 103 in
ip inspect myfw out
no ip route-cache
no ip mroute-cache
half-duplex
crypto map clientmap
interface Ethernet0/1
description "LAN"
ip address 192.168.45.89 255.255.255.0
no ip route-cache
no ip mroute-cache
half-duplex
ip local pool ipsec-pool 192.168.100.1 192.168.100.254
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0/0
no logging trap
access-list 3 permit any
access-list 103 permit ip 192.168.100.0 0.0.0.255 any log
access-list 103 permit icmp any any log
access-list 103 permit udp any eq isakmp any log
access-list 103 permit esp any any log
access-list 103 permit ahp any any log
access-list 103 permit udp any any eq non500-isakmp log
access-list 103 permit tcp any any eq 1723 log
access-list 103 permit udp any any eq 1723 log
access-list 103 deny tcp any any log
access-list 103 deny udp any any log
access-list 191 permit ip 192.168.45.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 191 permit ip 172.16.45.0 0.0.0.255 192.168.100.0 0.0.0.255
radius-server authorization permit missing Service-Type
call rsvp-sync
line con 0
line aux 0
line vty 0 4
exec-timeout 0 0
password XXXXXX
line vty 5 15
end
Some debugging info:
At this point, my VPN PC is successfully connected to the e0/0 VPN router and assigned IP of 192.168.100.2. It is running constant pings to 192.168.45.67 and 172.16.45.1 (172.16.45.1 is a loopback on the router for testing), 192.168.45.67 is a host on the internal network.
.Jan 22 01:27:38.284: ICMP type=8, code=0
.Jan 22 01:27:38.288: IP: s=192.168.45.67 (Ethernet0/1), d=192.168.100.2 (Ethernet0/0), g=192.168.100.2, len 60, forward
.Jan 22 01:27:38.288: ICMP type=0, code=0
.Jan 22 01:27:38.637: IP: s=192.168.45.145 (Ethernet0/0), d=255.255.255.255, len 40, access denied
.Jan 22 01:27:38.637: UDP src=2301, dst=2301
.Jan 22 01:27:38.641: IP: s=192.168.45.145 (Ethernet0/1), d=255.255.255.255, len 40, rcvd 2
.Jan 22 01:27:38.641: UDP src=2301, dst=2301
.Jan 22 01:27:38.761: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethernet0/0), len 112, rcvd 3, proto=50
.Jan 22 01:27:38.765: IP: s=192.168.100.2 (Ethernet0/0), d=172.16.45.1, len 60, rcvd 4
.Jan 22 01:27:38.765: ICMP type=8, code=0
.Jan 22 01:27:38.765: IP: s=172.16.45.1 (local), d=192.168.100.2 (Ethernet0/0), len 60, sending
.Jan 22 01:27:38.765: ICMP type=0, code=0
.Jan 22 01:27:39.282: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethernet0/0), len 112, rcvd 3, proto=50
.Jan 22 01:27:39.286: IP: s=192.168.100.2 (Ethernet0/0), d=192.168.45.67 (Ethernet0/1), g=192.168.45.67, len 60, forward
.Jan 22 01:27:39.286: ICMP type=8, code=0
.Jan 22 01:27:39.286: IP: s=192.168.45.67 (Ethernet0/1), d=192.168.100.2 (Ethernet0/0), g=192.168.100.2, len 60, forward
.Jan 22 01:27:39.290: ICMP type=0, code=0
.Jan 22 01:27:39.763: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethernet0/0), len 112, rcvd 3, proto=50
.Jan 22 01:27:39.767: IP: s=192.168.100.2 (Ethernet0/0), d=172.16.45.1, len 60, rcvd 4
.Jan 22 01:27:39.767: ICMP type=8, code=0
.Jan 22 01:27:39.767: IP: s=172.16.45.1 (local), d=192.168.100.2 (Ethernet0/0), len 60, sending
.Jan 22 01:27:39.767: ICMP type=0, code=0
.Jan 22 01:27:40.283: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethernet0/0), len 112, rcvd 3, proto=50
.Jan 22 01:27:40.287: IP: s=192.168.100.2 (Ethernet0/0), d=192.168.45.67 (Ethernet0/1), g=192.168.45.67, len 60, forward
.Jan 22 01:27:40.287: ICMP type=8, code=0
.Jan 22 01:27:40.287: IP: s=192.168.45.67 (Ethernet0/1), d=192.168.100.2 (Ethernet0/0), g=192.168.100.2, len 60, forward
.Jan 22 01:27:40.291: ICMP type=0, code=0
.Jan 22 01:27:40.596 GMT: %SEC-6-IPACCESSLOGNP: list 103 permitted 50 216.16.193.52 -> <VPN ROUTER E0/0 INTERFACE>, 222 packets
.Jan 22 01:27:40.596 GMT: %SEC-6-IPACCESSLOGP: list 103 permitted udp 216.16.193.52(500) -> <VPN ROUTER E0/0 INTERFACE>(500), 16 packets
Here is where I initiate a telnet connection to a host 2.2.2.2 (a dummy host on the "Internet") from a host on the internal side (LAN) (192.168.45.1):
.Jan 22 01:27:40.600: IP: s=192.168.45.1 (Ethernet0/1), d=2.2.2.2 (Ethernet0/0), g=2.2.2.2, len 44, forward
.Jan 22 01:27:40.600: TCP src=38471, dst=23, seq=953962328, ack=0, win=4128 SYN
.Jan 22 01:27:40.764: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethernet0/0), len 112, rcvd 3, proto=50
Here is where my VPN connection breaks:
.Jan 22 01:27:40.768: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
.Jan 22 01:27:41.285: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethernet0/0), len 112, rcvd 3, proto=50
.Jan 22 01:27:41.285: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
.Jan 22 01:27:45.773: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethernet0/0), len 112, rcvd 3, proto=50
.Jan 22 01:27:45.777: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
.Jan 22 01:27:46.774: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethernet0/0), len 112, rcvd 3, proto=50
.Jan 22 01:27:46.774: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Ok.. I found the bug ID for this:
CSCdz46552
the workaround says to configure an ACL on the dynamic ACL.
I don't understand what that means.
I found this link:
http://www.cisco.com/en/US/products/sw/secursw/ps2138/products_maintenance_guide_chapter09186a008007da4d.html#96393
and they talk about it, but I'm having a hard time decoding what this means:
"To specify an extended access list for a crypto map entry, enter the match address crypto map configuration command. This access list determines which traffic should be protected by IPSec and which traffic should not be protected by IPSec. If this is configured, the data flow identity proposed by the IPSec peer must fall within a permit statement for this crypto access list. If this is not configured, the router will accept any data flow identity proposed by the IPSec peer. However, if this is configured but the specified access list does not exist or is empty, the router will drop all packets."
VPN Client and Windows 7 Issue
Using VPN Client V5.0.07.0440 on a Dell Vostro W7 Professional system, 64-bit. The client installs and runs the same way it has on at least 20 other systems without issue. When I try to remote into the network, I get a "can not connect" error attempting to connect to any system or server. I placed a known good laptop using XP on the same Internet line, and it connects without issue. The remote access (mstsc.exe) version is 6.1.7601.17514; there is no Admin switch in the shortcut. This is the first time anything like this has happened across numerous W7 32- and 64-bit and XP systems. Any help greatly appreciated.
Thanks
It's like the VPN connects to the network, but the remote access is not using the same connection. I get the same results whether the VPN Client is loaded or not.
Sure could use some help on this.
The system that I am trying to connect with is a Dell Vostro desktop, W7 64-bit Pro. I am attempting to connect to a Windows 2003 domain through a PIX 501 firewall. The desktop system uses an onboard Ethernet adapter connected to the Internet through Charter. I do not have ready access to the computer as it's my employer's home system. The frustrating thing is, I have installed and set this up on at least 30 other systems and all of them worked flawlessly. Of course, this one would be the problem as it belongs to my boss.
Thanks for responding, I plan on picking up the unit so I can devote some real time to fixing it.
Thanks again
Hi,
I am a bit confused about what I am seeing:
a. I used a Java client to talk to the server and got "untrusted server cert chain"; I resolved the exception by adding the certificate to the cacerts file.
b. I tried to connect to the server using another WebLogic server and am not getting "untrusted server cert chain", even when the certificates are not installed.
I don't know why it is throwing the SSLException in (a) and not in (b).
thanks,
Nirmala
A stand-alone client takes its trusted certificates from the JDK cacerts keystore by default.
An SSL client running on the server uses the server's trust configuration. By default the server is configured to trust the CAs with certificates in the DemoTrust.jks keystore and the JDK cacerts keystore.
Pavel.
Untrusted server cert chain - MI 7.1 Client PDA
Dear Expert,
I am implementing SSL security in SAP MI 7.1.
The HTTPS service is already enabled (port 443) and I can reach it via a browser.
I generated a certificate, signed by the SAP test certificate for 8 weeks.
I exported the certificate to the truststore file, using the command:
keytool -import -file MID.cer -keystore truststore -alias MID -storepass access
I copied the truststore file (with certificate MID) to the PDA: \MI\settings.
I also enabled the parameters (in configuration.properties):
com.sap.tc.mobile.sync.http.port=443
com.sap.tc.mobile.sync.protocol=https
com.sap.tc.mobile.sync.http.sslenabled=true
com.sap.tc.mobile.sync.https.hostnameverifying=false
com.sap.tc.mobile.sync.https.truststore=/MI/settings/truststore
But when trying to synchronize the PDA with the DOE I get an error: "untrusted server cert chain"
I am using: Client MI 7.1 for PDA SP9
I have reviewed the documents: "How To Configure SSL for SAP NetWeaver Mobile 7.1 Applicable"
I checked various forums without finding a solution ...
Any idea of the problem?
Thanks!!
Hi,
Follow the below given links to configure SSL:
--> Making External Server Certificates Trusted
http://help.sap.com/saphelp_dm40/helpdata/en/0f/8d80f68eace441b3d1ebdc4b2f2c81/content.htm (The link applies for PDA also)
--> Configure the below given parameters in the default.properties
com.sap.tc.mobile.sync.http.sslenabled
> Default value: True
com.sap.tc.mobile.sync.https.hostnameverifying
> Default value: True
com.sap.tc.mobile.sync.https.truststore
> Location of truststore file containing SSL certificates. If the given location is not absolute, the system searches for the file in a path that is relative to the installation directory.
For more details refer to Note 1312866
And follow the below given link:
http://help.sap.com/saphelp_nwmobile71/helpdata/en/06/a7d001e17b421db7e2dd8279853971/frameset.htm
--> Even after following the above-mentioned steps, do the following:
Create the Truststore on a PC and then use an Addon to deploy these files to the PDA along with the SSL Libraries.
Regards,
Suma
Windows 8.1 pro and vpn client issue
Dear support community,
I am using Windows 8.1 Pro and Cisco VPN client version 5.0.0.7.0410.
My issue is that I am able to connect to the VPN successfully, but when connected I can't ping nodes inside the VPN,
whereas when I do the same test with Windows 7 and XP PCs, I am able to ping and even remote desktop to nodes.
Someone help please??
Funniest thing is, after using my PC for two weeks and doing regular updates, I am now able to ping and RDP to nodes inside the VPN. :-)
Cisco vpn client issue on windows 8.1 pro
I am using a Cisco RV325-K9 router, and I have configured "Easy VPN" on this router.
Some of our users use Windows 7 Pro and other users use Windows 8.1 Pro with Cisco VPN client version 5.0.070290.
The issue is that the VPN client connects but cannot access or ping remote machines on Windows 8.1 Pro machines, but it works fine on Windows 7 Pro.
But when I am using Wi-Fi through an MTS Wi-Fi USB device, it works fine.
Please find the attached screenshot of VPN Client Statistics.
Please give me a solution.
Regards
Sanjib
Hi Sanjib,
The Cisco VPN client is not supported on Windows 8.1, and it has also been announced EOL. The workaround mentioned below might help you. Try this.
http://www.vmwareandme.com/2013/12/solved-windows-8-and-windows-81-cisco.html#.U9tCdxCrOxo
Regards
Karthik
VPN Client Issue after Vista Upgrade
Not sure if this should be posted here, if not please let me know.
My organization has recently implemented Vista via an Upgrade-in-Place Process that takes an imaged system (Windows XP Pro - 32bit) and upgrades the system with a network image of Windows Vista Enterprise. Applications are left installed and herein lies my problem.
I'm using Cisco VPN Client 5.0.04, the client worked fine before the upgrade, after the upgrade, not so well.
While troubleshooting I noted the Cisco Systems VPN Adapter was no longer listed as being installed under Network Adapters in the Windows Device Manager; there was, however, an adapter labelled 6to4 adapter with an exclamation point. I went through the uninstall process for the Cisco VPN Client, rebooted and reinstalled. When trying to connect, I can use one of two pcf files (both are a backup of one another); the first connection profile goes through the motions of connecting, tries to contact the security gateway, and states "Not Connected".
I enabled logging on the connection and tried again. Here's an excerpt from that log:
09:37:18.278 04/21/09 Sev=Warning/2 CERT/0xA3600038
Successfully added Key Usage fields to be matched.
7 09:37:19.792 04/21/09 Sev=Warning/2 CERT/0xA3600038
Successfully added Key Usage fields to be matched.
8 09:37:20.338 04/21/09 Sev=Warning/2 CERT/0xE3600001
Failed to launch application using cert pipe due to error: 0x800b010a.
9 09:37:20.338 04/21/09 Sev=Warning/2 IKE/0xE300009B
Failed to generate signature: Signature generation failed (SigUtil:97)
10 09:37:20.338 04/21/09 Sev=Warning/2 IKE/0xE300009B
Failed to build Signature payload (MsgHandlerMM:489)
11 09:37:20.338 04/21/09 Sev=Warning/2 IKE/0xE300009B
Failed to build MM msg5 (NavigatorMM:312)
12 09:37:20.338 04/21/09 Sev=Warning/2 IKE/0xE30000A7
Unexpected SW error occurred while processing Identity Protection (Main Mode) negotiator:(Navigator:2263)
Has anyone seen this behavior after an upgrade from XP to Vista? Am I going to have to start with a fresh install? I appreciate any suggestions or advice.
Thanks,
Jimi
I finally figured out this problem and I feel it should at least be shared for another person who runs into this problem.
The problem was resolved by adding my personal certificates (the one that is read by the smart card reader and used to authenticate me on VPN) to the personal certificates folder in the Local Machine store.
I did this by opening up an MMC window --> adding the Certificates snap-in (in Windows 7 it distinguishes 3 different stores, so choose the current user and the computer store) --> and then copying the certificates in the Personal folder located under Certificates - Current User into the Personal folder located in Local Machine.
The most likely reason this happened to me is that the image I was working with had security settings blocking the certificates from being read at the current user level and not at the local machine level. Therefore, it's a problem with our image and the security policies put in place at the registry level and/or group policies placed in Active Directory. This is more of a workaround than an actual fix to the problem, but at least it pinpoints where the break is happening.
Now I can push the image back to the developers to review the security policies placed in the image.
WLC 5508 7.0.98.0 has vpn client connection issues
Hi
My guest SSID is set to L2 security none and L3 web policy with local authentication. Clients that need to connect to some VPN server (Internet) are reporting disconnection issues with the VPN session but not the wireless network. As soon as they connect via another wireless Internet connection the VPN connection gets stable. That makes me think it is indeed my wireless network causing the issues. Is there a known issue with the web authentication WLAN and VPN clients? There is no firewall in the middle.
Exclusionlist.................................... Disabled
Session Timeout.................................. Infinity
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ xxxxxxxxxxxxxxxx
WLAN ACL......................................... unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Quality of Service............................... Bronze (background)
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
IPv6 Support..................................... Disabled
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
Authentication................................ Disabled
Accounting.................................... Disabled
Dynamic Interface............................. Disabled
Local EAP Authentication......................... Disabled
Security
802.11 Authentication:........................ Open System
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Disabled
CKIP ......................................... Disabled
Web Based Authentication...................... Enabled
ACL............................................. Unconfigured
Web Authentication server precedence:
1............................................... local
Web-Passthrough............................... Disabled
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Disabled
H-REAP Local Switching........................ Disabled
H-REAP Learn IP Address....................... Enabled
Client MFP.................................... Optional but inactive (WPA2 not configured)
Tkip MIC Countermeasure Hold-down Timer....... 60
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
Band Select...................................... Disabled
Load Balancing...................................... Disabled
Thanks Scott,
We have two controllers and all the APs (50) are associated with the primary controller. What is the best path to follow for the upgrade?
We don't have the Field Recovery image installed on our controller; do we have to do the FSU upgrade?
(Cisco Controller) >show sysinfo
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.0.98.0
Bootloader Version............................... 1.0.1
Field Recovery Image Version..................... N/A
Firmware Version................................. FPGA 1.3, Env 1.6, USB console 1.27
Build Type....................................... DATA + WPS
System Name...................................... Airespace_01
System Location..................................
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.9.1.1069
IP Address....................................... 10.0.0.201
Last Reset....................................... Power on reset
System Up Time................................... 9 days 2 hrs 57 mins 21 secs
System Timezone Location......................... (GMT -6:00) Central Time (US and Canada)
Current Boot License Level....................... base
Current Boot License Type........................ Permanent
Next Boot License Level.......................... base
Next Boot License Type........................... Permanent
Configured Country............................... Multiple Countries:US,CN,DE,TW,HK
Does the below upgrade path make sense?
1. Upgrade the Primary controller and reboot- wait till all APs associate with primary controller and download the new image
2. Upgrade the secondary controller and reboot
3. Failover the APs to secondary controller and test
Siddhartha
64bit vpn client issue /error :reason -442:failed to enable virtual adapter.
Hi all,
I'm using the VPN client for Windows 64-bit (file name vpnclient-winx64-msi-5.0.07.0290-k9.exe) and installing it on Windows 2003 Server.
But while connecting via the VPN client to the firewall, the Virtual Adapter takes the IP address but does not connect. I get this error message on screen:
reason -442:failed to enable virtual adapter.
Is it possibly a configuration or image issue on the ASA, as it's the first time we are trying to use a 64-bit OS? The VPN client for 32-bit OS works fine.
Below are the logs from the VPN client when I tried to connect to the ASA5520, version 7.0(8):
Cisco Systems VPN Client Version 5.0.07.0290
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.2.3790 Service Pack 2
Config file directory: C:\Program Files (x86)\Cisco Systems\VPN Client\
1 15:38:03.921 01/27/11 Sev=Info/4 CM/0x63100002
Begin connection process
2 15:38:03.937 01/27/11 Sev=Info/4 CM/0x63100004
Establish secure connection
3 15:38:03.937 01/27/11 Sev=Info/4 CM/0x63100024
Attempt connection with server "203.199.30.190"
4 15:38:04.125 01/27/11 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
5 15:38:04.140 01/27/11 Sev=Info/4 CM/0x63100015
Launch xAuth application
6 15:38:09.515 01/27/11 Sev=Info/4 CM/0x63100017
xAuth application returned
7 15:38:09.515 01/27/11 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
8 15:38:10.562 01/27/11 Sev=Info/4 CM/0x63100019
Mode Config data received
9 15:38:10.781 01/27/11 Sev=Warning/2 CVPND/0xE340002C
Unable to enable the 64-bit VA after timeout
10 15:38:10.781 01/27/11 Sev=Warning/3 CVPND/0xE3400029
The Client failed to enable the Virtual Adapter on 64-bit Windows
11 15:38:10.781 01/27/11 Sev=Warning/2 CM/0xE310000A
The virtual adapter failed to enable
12 15:38:10.781 01/27/11 Sev=Info/6 CM/0x6310003A
Unable to restore route changes from file.
13 15:38:10.781 01/27/11 Sev=Info/6 CM/0x63100037
The routing table was returned to original state prior to Virtual Adapter
14 15:38:10.859 01/27/11 Sev=Info/4 CM/0x63100035
The Virtual Adapter was disabled
15 15:38:10.859 01/27/11 Sev=Warning/2 IKE/0xE300009B
Failed to active IPSec SA: Unable to enable Virtual Adapter (NavigatorQM:936)
16 15:38:10.859 01/27/11 Sev=Warning/2 IKE/0xE30000A7
Unexpected SW error occurred while processing Quick Mode negotiator:(Navigator:2263)
17 15:38:11.546 01/27/11 Sev=Info/4 CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "Unknown". 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
18 15:38:11.546 01/27/11 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
19 15:38:11.578 01/27/11 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
20 15:38:40.953 01/27/11 Sev=Info/4 CM/0x63100002
Begin connection process
21 15:38:40.953 01/27/11 Sev=Warning/2 CVPND/0xA3400019
Error binding socket: -21. (DRVIFACE:1234)
22 15:38:40.968 01/27/11 Sev=Info/4 CM/0x63100004
Establish secure connection
23 15:38:40.968 01/27/11 Sev=Info/4 CM/0x63100024
Attempt connection with server "203.199.30.190"
24 15:38:41.156 01/27/11 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
25 15:38:41.171 01/27/11 Sev=Info/4 CM/0x63100015
Launch xAuth application
26 15:39:08.031 01/27/11 Sev=Info/4 CM/0x63100017
xAuth application returned
27 15:39:08.046 01/27/11 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
28 15:39:09.093 01/27/11 Sev=Info/4 CM/0x63100019
Mode Config data received
29 15:39:09.312 01/27/11 Sev=Warning/2 CVPND/0xE340002C
Unable to disable the 64-bit VA after timeout
30 15:39:09.312 01/27/11 Sev=Warning/3 CVPND/0xE340002A
The Client failed to disable the Virtual Adapter on 64-bit Windows
31 15:39:19.937 01/27/11 Sev=Warning/3 CVPND/0xA340000D
The virtual adapter was not recognized by the operating system.
32 15:39:19.937 01/27/11 Sev=Warning/2 CM/0xE310000A
The virtual adapter failed to enable
33 15:39:19.937 01/27/11 Sev=Info/6 CM/0x6310003A
Unable to restore route changes from file.
34 15:39:19.937 01/27/11 Sev=Info/6 CM/0x63100037
The routing table was returned to original state prior to Virtual Adapter
35 15:39:20.109 01/27/11 Sev=Warning/2 CVPND/0xE340002C
Unable to disable the 64-bit VA after timeout
36 15:39:20.109 01/27/11 Sev=Warning/3 CVPND/0xE340002A
The Client failed to disable the Virtual Adapter on 64-bit Windows
37 15:39:20.281 01/27/11 Sev=Warning/2 CVPND/0xE340002C
Unable to disable the 64-bit VA after timeout
38 15:39:20.281 01/27/11 Sev=Warning/3 CVPND/0xE340002A
The Client failed to disable the Virtual Adapter on 64-bit Windows
39 15:39:20.578 01/27/11 Sev=Warning/2 CVPND/0xE340002C
Unable to disable the 64-bit VA after timeout
40 15:39:20.578 01/27/11 Sev=Warning/3 CVPND/0xE340002A
The Client failed to disable the Virtual Adapter on 64-bit Windows
41 15:39:20.953 01/27/11 Sev=Warning/2 CVPND/0xE340002C
Unable to disable the 64-bit VA after timeout
42 15:39:20.953 01/27/11 Sev=Warning/3 CVPND/0xE340002A
The Client failed to disable the Virtual Adapter on 64-bit Windows
43 15:39:21.437 01/27/11 Sev=Info/4 CM/0x63100035
The Virtual Adapter was disabled
44 15:39:21.437 01/27/11 Sev=Warning/2 IKE/0xE300009B
Failed to active IPSec SA: Unable to enable Virtual Adapter (NavigatorQM:936)
45 15:39:21.437 01/27/11 Sev=Warning/2 IKE/0xE30000A7
Unexpected SW error occurred while processing Quick Mode negotiator:(Navigator:2263)
46 15:39:22.046 01/27/11 Sev=Info/4 CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "Unknown". 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
47 15:39:22.046 01/27/11 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
48 15:39:22.062 01/27/11 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
Release notes for the 64-bit VPN client:
http://www.cisco.com/en/US/docs/security/vpn_client/cisco_vpn_client/vpn_client5007/release/notes/vpnclient5007.html#wp63537
Hi Anisha,
The exact version of the OS is "Microsoft Windows Server 2003 x64".
I need a supported Cisco VPN client for this OS.
=========
Thanks for the reply.
Raj -
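The Cisco VPN Client log quoted in this thread uses a fixed two-line layout: a header carrying the sequence number, timestamp, severity and MODULE/0xCODE, followed by the message on the next line. As an added example (not code from the thread or from Cisco), the following Python parser pairs those lines and pulls out the first warning, which in the log above is CVPND/0xE340002C; the regular expression, the function names and the inferred header format are my own assumptions.

```python
from __future__ import annotations
import re
from collections import Counter
from dataclasses import dataclass
# Header line of the Cisco VPN Client log as quoted in the thread (format inferred from those lines):
#   <seq> <HH:MM:SS.mmm> <MM/DD/YY> Sev=<Level>/<n> <MODULE>/0x<8 hex digits>; message on the next line
HEADER_RE = re.compile(
    r"^(?P<seq>\d+)\s+\d\d:\d\d:\d\d\.\d{3}\s+\d\d/\d\d/\d\d\s+"
    r"Sev=(?P<level>[A-Za-z]+)/\d\s+(?P<module>[A-Za-z]+)/0x(?P<code>[0-9A-Fa-f]{8})$"
)
@dataclass
class LogEvent:
    seq: int
    level: str    # "Info" or "Warning"
    module: str   # CM, IKE, CVPND, CERT, ...
    code: str     # 8 hex digits, upper-cased
    message: str

def parse_vpn_log(text: str) -> list[LogEvent]:
    """Pair each header line with the message line after it; banner lines are skipped."""
    lines = [ln.strip() for ln in text.splitlines()]
    events, i = [], 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i])
        if m and i + 1 < len(lines):
            events.append(LogEvent(int(m["seq"]), m["level"], m["module"],
                                   m["code"].upper(), lines[i + 1]))
            i += 2
        else:
            i += 1
    return events

def first_warning(events: list[LogEvent]) -> LogEvent | None:
    """The first Warning is normally the root cause; later ones are fallout from it."""
    return next((e for e in events if e.level == "Warning"), None)

def warning_histogram(events: list[LogEvent]) -> Counter:
    """Count Warning events per MODULE/0xCODE so repeated failures stand out."""
    return Counter(f"{e.module}/0x{e.code}" for e in events if e.level == "Warning")

# Sample input: entries 8, 9, 10 and 15 excerpted from the log quoted in the thread.
SAMPLE_LOG = """8 15:38:10.562 01/27/11 Sev=Info/4 CM/0x63100019
Mode Config data received
9 15:38:10.781 01/27/11 Sev=Warning/2 CVPND/0xE340002C
Unable to enable the 64-bit VA after timeout
10 15:38:10.781 01/27/11 Sev=Warning/3 CVPND/0xE3400029
The Client failed to enable the Virtual Adapter on 64-bit Windows
15 15:38:10.859 01/27/11 Sev=Warning/2 IKE/0xE300009B
Failed to active IPSec SA: Unable to enable Virtual Adapter (NavigatorQM:936)
"""
```

Running `first_warning(parse_vpn_log(open("vpnclient.log").read()))` on a full client log gives the earliest failure to start triage from, instead of reading the whole transcript.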
1. Even if you key in a password for the VPN client, putting the phone to sleep will cause the password to be cleared, requiring you to retype it the next time you start the client.
2. The only place to type alphanumerics for the password is the VPN setup screen; if you just slide the VPN switch to On, you are presented with a numbers-only dial pad.
3. The PPTP VPN client only recognizes maximum security; setting it to either automatic or none will just hop back to maximum on save.
4. The network stack doesn't allow you to easily set up special DNS servers for the VPN connection (the equivalent under OS X is to go into System Preferences, Network, select the VPN (PPTP) adapter and enter the DNS information there).
Since we use VPN to secure our wireless network, that means our iPhone users are unable to use WiFi at the office.
iPhone Windows XP
Dell Optiplex GX620 Windows 2000
iPhone Windows 2000
Scott,
You're correct (mostly). I've experienced the same issues and have tried to work around them as follows:
1) Use a numeric password for the VPN user account. Of course, you'll have to enter it each time (did they even test this?) but at least it works.
4) Depending on your VPN device you should be able to set the DNS addresses via that. I'm using a Cisco ASA and set the DNS via the Group Policy for the DefaultRAGroup.
The bottom line? iPhone and VPN are not friends. Moreover, the iPhone has no EAP support wireless authentication. I'm a huge Apple fan but that is just stupid. -
Vista VPN Client TrueVector Device Driver Issue
Hi,
I have an unresolved issue with the VPN Client v.5.0.01.0600 (Vista) on a Vista Home Premium System.
The client was successfully installed using admin privileges. But upon rebooting, the following error pops up:
<snip>
This driver is blocked due to compatibility issues...
Driver: TrueVector Device Driver
Publisher: Zone Labs, Inc.
</snip>
This error occurs immediately upon user logon and just pops up every minute or so.
I haven't seen anything about this problem in the release notes. Does anyone know what could cause it or/and how it can be resolved?
PS: Some Norton security software (I don't remember which one) was installed on this system, but I removed it prior to the Cisco VPN client installation.
On Vista Beta 2, the first time logs are enabled, the Microsoft firewall pops up a dialog box asking whether to allow the IPSecLog process. To enable logging, please allow the IPSecLog process. Log messages do not show up until the log file is touched.
In Vista Beta 2, the VPN Client cannot detect that it is already connected after the user logs in. The workaround is to launch the VPN Client; you will notice that the lock icon appears in the taskbar. -
Windows 8 Cisco VPN Client Issue
I connect to several of my customers with the Cisco VPN Client Version 5.0.07.0290 and all has been working fine. In the last week, virtually every Windows 8 machine has stopped working. The client connects fine, shows it's connected, but if I go to Status -> Statistics it just shows 0 in the Bytes Received and Sent. The Bypassed and Discarded increases, but I am unable to reach any system. Does anyone know what causes this or how to resolve it? This is a HUGE problem for me as all of the work we do for our customers is via their VPNs. Every non-Windows 8 PC still works fine. And these Windows 8 PCs have been working fine until just the last week. Browsing through, I've seen posts with this same issue, but none related to Windows 8 recently. They are all Windows 7, and my Windows 7 machines are working flawlessly.
Someone help!
Thanks,
Brian
Hi Brian,
The IPsec client on Windows 8 machines is not supported.
Cisco VPN Client 5.0.07 supports the following Microsoft OSs:
• Windows 7 on x64 (64-bit)
• Windows 7 on x86 (32-bit) only
• Windows Vista on both x86 (32-bit) and x64
• Windows XP on x86
VPN Client does not support the Tablet PC 2004/2005; and Windows 2000, NT, 98, and ME.
VPN Client supports smart card authentication on Windows 7, Vista, and XP. However, VPN Client does not support the ST Microelectronics smart card Model ST23YL80, and smart cards from the same family.
VPN Client supports up to one Ethernet adapter and one PPP adapter. It does not support the establishment of a VPN connection over a tethered link.
VPN Client 5.0.x is incompatible with the combination of Cisco Unified Video Advantage 2.1.2 and McAfee HIPS Patch 4 Build 688. To avoid system failures, uninstall either of these two applications, upgrade McAfee to the latest version, or use VPN Client 4.6.x.
To install the VPN Client, you need:
• Pentium®-class processor or greater
• Microsoft TCP/IP installed. (Confirm via Start > Settings > Control Panel > Network > Protocols or Configuration.)
• 50 MB hard disk space.
• 128 MB RAM (256 MB recommended)
• Administrator privileges
The VPN Client supports the following Cisco VPN devices:
• Cisco Series 5500 Adaptive Security Appliance, Version 7.0 or later.
• Cisco VPN 3000 Series Concentrator, Version 3.0 or later.
• Cisco PIX Firewall, Version 6.2.2(122) or Version 6.3(1).
• Cisco IOS Routers, Version 12.2(8)T or later.
You can get more information from the following link:
http://www.cisco.com/en/US/docs/security/vpn_client/cisco_vpn_client/vpn_client5007/release/notes/vpnclient5007.html#wp63537
Regards,
Naresh