
Unable to load pkcs11 crypto engine support for TLS

handernach
Level 1

Hello Guys,

I'm new here. I have the following problem. I did an IOS update on our Catalyst 4510-R with Supervisor Engine V-10GE.

The old software image was 'cat4500-ipbasek9-mz.122-31.SGA9.bin' and the new is 'cat4500-ipbasek9-mz.122-54.SG1.bin'.

After the reload of the switch I've seen the following log message:

Unable to load pkcs11 crypto engine support for TLS

I think it would be useful to see the whole boot process, so here is a cut-out of the logging:

*Feb 11 09:12:36.399: %C4K_REDUNDANCY-6-INIT: Initializing as ACTIVE supervisor
*Feb 11 09:12:42.871: Local Xaui 0 is TI
*Feb 11 09:12:42.871: Local Xaui 1 is TI
*Feb 11 09:12:56.571: Port Te1/1: X2 inserted: vendor: CISCO-HITACHICBL, p/n: HTR6833A, s/n: HCT10310341 , DOM capable, the hole supports monitoring
*Feb 11 09:12:58.751: Port Te1/2: X2 inserted: vendor: CISCO-HITACHICBL, p/n: HTR6833A, s/n: HCT10310358 , DOM capable, the hole supports monitoring
*Feb 11 09:13:01.967: %SPANTREE-5-EXTENDED_SYSID: Extended SysId enabled for type vlan
*Feb 11 09:13:02.863: Unable to load pkcs11 crypto engine support for TLS
*Feb 11 09:13:05.607: %C4K_IOSMODPORTMAN-6-MODULEONLINE: Module 1 (WS-X4516-10GE S/N: JAE1041D9KJ Hw: 3.4) is online
*Feb 11 09:13:05.607: %C4K_IOSMODPORTMAN-6-MODULEONLINE: Module 3 (WS-X4148-RJ S/N: JAE1037B52H Hw: 3.3) is online
*Feb 11 09:13:05.607: %C4K_IOSMODPORTMAN-6-MODULEONLINE: Module 4 (WS-X4148-RJ S/N: JAE1037BB67 Hw: 3.3) is online
*Feb 11 09:13:05.607: %C4K_IOSMODPORTMAN-6-MODULEONLINE: Module 5 (WS-X4148-RJ S/N: JAE1037B52J Hw: 3.3) is online
*Feb 11 09:13:05.607: %C4K_IOSMODPORTMAN-6-MODULEONLINE: Module 6 (WS-X4148-RJ S/N: JAE1037B8R6 Hw: 3.3) is online
*Feb 11 09:13:05.607: %C4K_IOSMODPORTMAN-6-MODULEONLINE: Module 7 (WS-X4148-RJ S/N: JAE1037B50P Hw: 3.3) is online
*Feb 11 09:13:05.607: %C4K_IOSMODPORTMAN-6-MODULEONLINE: Module 8 (WS-X4148-RJ S/N: JAE1042DE6W Hw: 3.3) is online
*Feb 11 09:13:05.607: %C4K_IOSMODPORTMAN-6-MODULEONLINE: Module 9 (WS-X4148-RJ S/N: JAE1042DGJ0 Hw: 3.3) is online
*Feb 11 10:13:06: %SYS-6-CLOCKUPDATE: System clock has been updated from 09:13:06 UTC Fri Feb 11 2011 to 10:13:06 MESZ Fri Feb 11 2011, configured from console by console.
*Feb 11 10:13:06: %SYS-6-CLOCKUPDATE: System clock has been updated from 10:13:06 MESZ Fri Feb 11 2011 to 10:13:06 MESZ Fri Feb 11 2011, configured from console by console.
*Feb 11 10:13:09: %SYS-5-CONFIG_I: Configured from memory by console
*Feb 11 10:13:10: %SYS-5-RESTART: System restarted --
Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500-IPBASEK9-M), Version 12.2(54)SG1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Thu 27-Jan-11 11:46 by prod_rel_team

The switch is working as expected, but I'm a little concerned about it and I would be glad to get a solution to this problem.

1 Reply

Philip Ratzsch
Level 1

Heinz,

I've seen this error on other *k9 versions of the IOS and have likewise not seen any actual problems arise from it. While I wasn't able to find anything specific about the error message itself, PKCS stands for 'Public Key Cryptography Standards'; PKCS #11, as documented a bit in http://www.rsa.com/rsalabs/node.asp?id=2133, seems to be designed for use with a physical security token and probably won't ever come up in the majority of Cisco deployments.

Maybe this is either an incomplete crypto library being used, or perhaps for that particular support to be loaded you have to be using more specialized Cisco hardware/different license/something else. Whatever the case, this is likely just a message that some particular sub-module of the crypto library wasn't loaded, but not necessarily a reflection of an actual problem.