11-05-2012 06:43 AM
Hello,
We have an ASA5510 8.4(4)3 and a problem with a root certificate from the company-owned CA (I don't know the product, no MS-CA).
The output of sh crypto ca certificate:
CA Certificate
Status: Available
Certificate Serial Number: 4d1a825bfxxx
Certificate Usage: General Purpose
Public Key Type: RSA (4096 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name:
cn=Zertifizierungsstelle der xxx
ou=XXX
o=Bayerische xxx
l=Muenchen
st=Bayern
c=DE
Subject Name:
cn=Zertifizierungsstelle der Bayerischen company
ou=BVK
o=Bayerische company
l=Muenchen
st=Bayern
c=DE
CRL Distribution Points:
[1] http://aaa.crl
[2] http://bbb.crl
[3] http://ccc.crl
Validity Date:
start date: 12:07:29 CEDT Jul 20 2011
end date: 12:13:50 CEDT Jul 19 2041
Associated Trustpoints: TP-BVK-1
(some data removed or hidden)
A debug of "deb crypto ca 255; deb crypto ca messag 255; and deb crypto ca trans 255" shows the following:
CERT-C: E ../cert-c/source/certobj.c(1295) : Error #72ah
CERT-C: E ../cert-c/source/certobj.c(719) : Error #72ah
CRYPTO_PKI: Failed to create name objects to compare cert DNs. status = 1834
CERT-C: E ../cert-c/source/certobj.c(1295) : Error #72ah
CERT-C: E ../cert-c/source/certobj.c(719) : Error #72ah
CRYPTO_PKI: can not set ca cert object (0x72a)
CERT_API: Close session 0x407546a7 synchronously
The log shows:
%ASA-vpn-3-713109: IP = 109.43.0.100, Unable to process the received peer certificate
%ASA-vpn-3-713048: IP = 109.43.0.100, Error processing payload: Payload ID: 6
The certificates should be used for IPSEC VPN connections on iPhones.
For a test I tried to import the cert on a Windows machine to the Cisco IPSEC client, which failed with "Error39: Import failed".
Any ideas?
Thank you
04-29-2015 08:04 AM
Hello Karl,
Did you find an answer to this problem back then? I have the same issue now using a client certificate via Cisco AnyConnect, and we get the following errors on the ASA when this client tries to connect.
NRA-DCA-002# CERT_API: PKI session 0x3658b8a7 open Successful with type SSL
CERT-C: E ../cert-c/source/certobj.c(1516) : Error #701h
CERT-C: E ../cert-c/source/certobj.c(1528) : Error #72ah
CERT-C: E ../cert-c/source/certobj.c(874) : Error #72ah
CRYPTO_PKI: can not set ca cert object (0x72a)
SSL verify callback: Failed to add the ID cert to the PKI session
CERT_API: Close session 0x3658b8a7 synchronously