1. Home
  2. Cisco Systems
  3. Certificate/Signature Authentication Error on ASA5500 and VPN client

Certificate/Signature Authentication Error on ASA5500 and VPN client

Hi, I got error message when I enabled Local Certificate Authority on ASA5500 and have client connect vpn using certificate. I don't know is there somebody encontered the same issue on ASA5500 local certificate authority services, what I have to check base on the error messages on ASA5500 and client end. Any input will great appreciate!

Thank you, Young.

ASA 5500 Debug Log

113019|||Group = , Username = , IP = 0.0.0.0, Session disconnected. Session Type: , Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown 713903|||Group = TestRemoteVPN, IP = RemoteClient-IP-Address, Error: Unable to remove PeerTblEntry 713902|||Group = TestRemoteVPN, IP = RemoteClient-IP-Address, Removing peer from peer table failed, no match! 713050|||Group = TestRemoteVPN, IP = RemoteClient-IP-Address, Connection terminated for peer . Reason: Peer Terminate Remote Proxy N/A, Local Proxy N/A 713068|||Group = TestRemoteVPN, IP = RemoteClient-IP-Address, Received non-routine Notify message: Authentication failed (24) 713068|||Group = TestRemoteVPN, IP = RemoteClient-IP-Address, Received non-routine Notify message: Invalid signature (25) 717028|||Certificate chain was successfully validated with warning, revocation status was not checked. 717022|||Certificate was successfully validated. serial number: 02, subject name: cn=Tester. 302015|RemoteClient-IP-Address|Firewall-WAN-IP-Address|Built inbound UDP connection 3979 for WAN:RemoteClient-IP-Address/500 (RemoteClient- IP-Address/500) to NP Identity Ifc:Firewall-WAN-IP-Address/500 (Firewall-WAN-IP-Address/500)

Cisco VPN client log

1 Sev=Info/4 CERT/0x63600014 Cert (cn=Tester) verification succeeded. 2 Sev=Info/4 CM/0x63100002 Begin connection process 3 Sev=Info/4 CVPND/0xE3400001 Microsoft IPSec Policy Agent service stopped successfully 4 Sev=Info/4 CM/0x63100004 Establish secure connection using Ethernet 5 Sev=Info/4 CM/0x63100024 Attempt connection with server "Firewall-WAN-IP-Address" 6 Sev=Info/6 IKE/0x6300003B Attempting to establish a connection with Firewall-WAN-IP-Address. 7 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK MM (SA, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to Firewall-WAN-IP-Address 8 Sev=Info/4 IPSEC/0x63700008 IPSec driver successfully started 9 Sev=Info/4 IPSEC/0x63700014 Deleted all keys 10 Sev=Info/5 IKE/0x6300002F Received ISAKMP packet: peer = Firewall-WAN-IP-Address 11 Sev=Info/4 IKE/0x63000014 RECEIVING > ISAKMP OAK MM (KE, NON, VID(?), VID(Unity)) to Firewall- WAN-IP-Address 15 Sev=Info/5 IKE/0x6300002F Received ISAKMP packet: peer = Firewall-WAN-IP-Address 16 Sev=Info/4 IKE/0x63000014 RECEIVING > ISAKMP OAK MM *(ID, CERT, CERT_REQ, SIG, NOTIFY:STATUS_INITIAL_CONTACT) to Firewall-WAN-IP-Address 21 14:15:16.390 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK MM (FRAG) to Firewall-WAN-IP-Address 22 14:15:16.390 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK MM (FRAG) to Firewall-WAN-IP-Address 23 14:15:16.390 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK MM (FRAG) to Firewall-WAN-IP-Address 24 Sev=Info/5 IKE/0x6300002F Received ISAKMP packet: peer = Firewall-WAN-IP-Address 25 Sev=Info/4 IKE/0x63000014 RECEIVING ISAKMP OAK INFO *(HASH, NOTIFY:AUTH_FAILED) to Firewall- WAN-IP-Address 36 Sev=Warning/2 IKE/0xE30000A5 Unexpected SW error occurred while processing Identity Protection (Main Mode) negotiator:(Navigator:2202) 37 Sev=Info/4 IKE/0x63000017 Marking IKE SA for deletion (I_Cookie=468FC2257E0280A0 R_Cookie=C574AD95D8C78A49) reason = DEL_REASON_IKE_NEG_FAILED 38 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to Firewall-WAN-IP-Address 39 Sev=Info/4 IKE/0x6300004A Discarding IKE SA negotiation (I_Cookie=468FC2257E0280A0 R_Cookie=C574AD95D8C78A49) reason = DEL_REASON_IKE_NEG_FAILED 40 Sev=Info/4 CM/0x63100014 Unable to establish Phase 1 SA with server "Firewall-WAN-IP-Address" because of "DEL_REASON_IKE_NEG_FAILED" 41 Sev=Info/5 CM/0x63100025 Initializing CVPNDrv 42 Sev=Info/4 IKE/0x63000001 IKE received signal to terminate VPN connection 43 Sev=Info/4 IKE/0x63000085 Microsoft IPSec Policy Agent service started successfully 44 Sev=Info/4 IPSEC/0x63700014 Deleted all keys 45 Sev=Info/4 IPSEC/0x63700014 Deleted all keys 46 Sev=Info/4 IPSEC/0x63700014 Deleted all keys 47 Sev=Info/4 IPSEC/0x6370000A IPSec driver successfully stopped
Reply to
Young
Loading thread data ...

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.