on 10-11-2011 01:27 PM
When attempting to connect a SPA525G/G2 phone via SSLVPN to a UC500, the VPN doesn't establish and the following message is seen on the phone screen:
One of the most common reasons for this is due to an issue with the SSL Certificate. This document is meant to help identify if there is a certificate issue and help resolve it.
1. Try browsing to the UC500 webvpn portal with a browser:
2. If the page doesn't come up and you get a message like 'cannot display the webpage', then continue with Step 3.
3. Open CLI access to UC500.
4. Set up logging to the buffer and run the following debugs:
UC540(config)#no logging console
UC540(config)#logging buffer 512000 debug
UC540(config)#debug crypto pki mess
UC540(config)#debug crypto pki trans
UC540(config)#debug ssl openssl error
5. Try to browse to the UC500 webvpn portal with a browser again.
6. Run 'show log'. Check for logs similar to the following:
000295: Apr 28 18:46:04.699: CRYPTO_PKI: Identity selected (TP-self-signed-908968563) for session 10009
000296: Apr 28 18:46:04.699: opssl_SetPKIInfo entry
000297: Apr 28 18:46:04.699: CRYPTO_PKI: Identity selected (TP-self-signed-908968563) for session 2000A
000298: Apr 28 18:46:04.699: CRYPTO_PKI: Can not select private key
000299: Apr 28 18:46:04.699: CRYPTO_OPSSL: Can't find router private key
000300: Apr 28 18:46:04.699: CRYPTO_PKI: unlocked trustpoint TP-self-signed-908968563, refcount is 1
000301: Apr 28 18:46:04.703: CRYPTO_PKI: unlocked trustpoint TP-self-signed-908968563, refcount is 0
7. If you see messages like those above, the certificate used for SSLVPN is the problem; the steps below rebuild it.
1. Check webvpn configuration to see which trustpoint is being used:
UC540#sh run | se webvpn
webvpn gateway SDM_WEBVPN_GATEWAY_1
ip address 172.16.1.10 port 443
ssl trustpoint TP-self-signed-908968563
inservice
2. Check the configuration of the trustpoint. Note the trustpoint name, as it is used in the steps that follow.
UC540#sh run | se trustpoint TP-self-signed-908968563
crypto pki trustpoint TP-self-signed-908968563
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-908968563
revocation-check none
3. Verify RSA keypairs exist for that trustpoint.
UC_540#sh cry key mypubkey rsa TP-self-signed-908968563
% Key pair was generated at: 04:22:18 EST Feb 7 2011
Key name: TP-self-signed-908968563
Key type: RSA KEYS
Storage Device: private-config
Usage: General Purpose Key
Key is not exportable.
Key Data:
(redacted)
4. Delete the trustpoint.
UC540#conf t
Enter configuration commands, one per line. End with CNTL/Z.
UC540(config)#no crypto pki trustpoint TP-self-signed-908968563
% Removing an enrolled trustpoint will destroy all certificates
received from the related Certificate Authority. Are you sure you want to do this? [yes/no]: yes
% Be sure to ask the CA administrator to revoke your certificates.
5. Recreate the trustpoint using the previous configuration, adding the 'rsakeypair' command. Typically we've seen the 'rsakeypair' command missing, so we want to add it back. Note: when creating the trustpoint, it's easiest to use the same trustpoint name as was previously configured so you don't have to go back and check where it's referenced.
UC_540(config)#crypto pki trustpoint TP-self-signed-908968563
UC_540(ca-trustpoint)#enrollment selfsigned
UC_540(ca-trustpoint)#subject-name cn=IOS-Self-Signed-Certificate-908968563
UC_540(ca-trustpoint)#revocation-check none
UC_540(ca-trustpoint)#rsakeypair TP-self-signed-908968563
UC_540(ca-trustpoint)#exit
UC_540(config)#
6. Enroll the trustpoint to generate a new certificate.
UC540(config)#crypto pki enroll TP-self-signed-908968563
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Generate Self Signed Router Certificate? [yes/no]: yes
Router Self Signed Certificate successfully created
UC540(config)#end
UC540#
7. Verify the certificate is created.
UC540#show crypto pki cert TP-self-signed-908968563
Router Self-Signed Certificate
Status: Available
Certificate Serial Number (hex): 02
Certificate Usage: General Purpose
Issuer:
hostname=UC540
cn=IOS-Self-Signed-Certificate-908968563
Subject:
Name: UC540
hostname=UC540
cn=IOS-Self-Signed-Certificate-908968563
Validity Date:
start date: 09:49:03 PST Oct 3 2011
end date: 16:00:00 PST Dec 31 2019
Associated Trustpoints: TP-self-signed-908968563
8. Test and verify you can browse to the UC500 webvpn portal.
9. If you now see the portal page, then check to verify if your phone can now connect.
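As an added check (example code, not from the original document or Cisco), this script applies the document's two tests to captured output: it finds the trustpoint referenced by the webvpn gateway in 'show run', checks whether that trustpoint block carries an rsakeypair line, and scans 'show log' for the private-key errors shown in step 6. The sample config and log lines are constructed to mirror the ones above.

```python
import re

# Constructed sample of 'show run' output, modelled on the document's
# webvpn and trustpoint sections (not a capture from a real device).
SAMPLE_RUN = """\
webvpn gateway SDM_WEBVPN_GATEWAY_1
 ip address 172.16.1.10 port 443
 ssl trustpoint TP-self-signed-908968563
 inservice
!
crypto pki trustpoint TP-self-signed-908968563
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-908968563
 revocation-check none
"""
# Constructed 'show log' lines patterned on the debug output in the document.
SAMPLE_LOG = """\
000298: Apr 28 18:46:04.699: CRYPTO_PKI: Can not select private key
000299: Apr 28 18:46:04.699: CRYPTO_OPSSL: Can't find router private key
"""
KEY_ERRORS = ("Can not select private key", "Can't find router private key")

def webvpn_trustpoints(run_cfg):
    """Trustpoint names referenced by 'ssl trustpoint' under webvpn gateways."""
    return re.findall(r"^[ \t]+ssl trustpoint (\S+)", run_cfg, re.M)

def trustpoint_has_rsakeypair(run_cfg, name):
    """True/False for the named trustpoint block; None if the block is absent."""
    block = re.search(rf"^crypto pki trustpoint {re.escape(name)}\n((?:[ \t].*\n)*)",
                      run_cfg, re.M)
    if block is None:
        return None
    return re.search(r"^[ \t]+rsakeypair \S+", block.group(1), re.M) is not None

def private_key_errors(log):
    """Log lines matching the private-key failures the document shows."""
    return [ln for ln in log.splitlines() if any(e in ln for e in KEY_ERRORS)]

def diagnose(run_cfg, log):
    """Verdict per webvpn trustpoint, combining config and debug-log evidence."""
    errors = private_key_errors(log)
    verdicts = {}
    for tp in webvpn_trustpoints(run_cfg):
        # None (no block) and False (no rsakeypair line) both mean the key binding is gone
        if not trustpoint_has_rsakeypair(run_cfg, tp):
            verdicts[tp] = "rsakeypair missing" + ("; key errors in log" if errors else "")
        else:
            verdicts[tp] = "key errors in log; check show crypto key mypubkey rsa" if errors else "ok"
    return verdicts
```

Feed it the text of 'show run' and 'show log' saved from the device; a verdict of "rsakeypair missing" is the case this document's resolution steps address.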
I'm receiving this webvpn cookie error on all my SPA525G (and G2) phones when using a phone load greater than 7.4.4. I'm actually terminating to an ASA5505 (and then registering to the UC500 behind it). These specific instructions do not translate to the ASA.
Does anyone know of a way to resolve this error on the ASA? Phone load 7.4.4 webvpn connects great. No higher load will work, though.
I am using SSL to connect to an ASA5505 in front of an Asterisk server. 7.4.3 works fine but is two years old. Is there a solution?
Perfect - thanks a Million!
We just had a power failure and although everything had been saved previously we had no VPN access afterwards. This document was easy to find and 100% on the money. Followed the instructions and we were up and running within minutes.
Thanks!
This error can be given to your phones for reasons totally unrelated to the certificate. I run into this when I try to connect a test phone to a SSL VPN on a particular port on my office's network (I'm not sure what it is about the port config that causes this problem) while it works on other ports.