Device failed SSL Handshake with client

I am configuring the SSL VPN client for SCCP IP phones in CUCM 8.0.3 and I'm having problems with the CA certificate.

Does anyone have any tips on how to solve this?

I have the following scenario:

CUCM 8.0.3 -> ASA 5510 8.2(2)17 -> IP Phone VPN CP7942 9.0.3

I have the information below:

Nov 09 2010 15:45:01: %ASA-7-609001: Built local-host identity:1.0.0.1
Nov 09 2010 15:45:01: %ASA-6-302013: Built inbound TCP connection 2208 for Outside:1.0.0.4/49754 (1.0.0.4/49754) to identity:1.0.0.1/443 (1.0.0.1/443)
Nov 09 2010 15:45:01: %ASA-6-725001: Starting SSL handshake with client Outside:1.0.0.4/49754 for TLSv1 session.
Nov 09 2010 15:45:01: %ASA-7-725010: Device supports the following 5 cipher(s).
Nov 09 2010 15:45:01: %ASA-7-725011: Cipher[1] : DES-CBC3-SHA
Nov 09 2010 15:45:01: %ASA-7-725011: Cipher[2] : AES128-SHA
Nov 09 2010 15:45:01: %ASA-7-725011: Cipher[3] : AES256-SHA
Nov 09 2010 15:45:01: %ASA-7-725011: Cipher[4] : DES-CBC-SHA
Nov 09 2010 15:45:01: %ASA-7-725011: Cipher[5] : NULL-SHA
Nov 09 2010 15:45:01: %ASA-7-725008: SSL client Outside:1.0.0.4/49754 proposes the following 3 cipher(s).
Nov 09 2010 15:45:01: %ASA-7-725011: Cipher[1] : AES256-SHA
Nov 09 2010 15:45:01: %ASA-7-725011: Cipher[2] : AES128-SHA
Nov 09 2010 15:45:01: %ASA-7-725011: Cipher[3] : DES-CBC3-SHA
Nov 09 2010 15:45:01: %ASA-7-725012: Device chooses cipher : DES-CBC3-SHA for the SSL session with client Outside:1.0.0.4/49754
Nov 09 2010 15:45:01: %ASA-7-725014: SSL lib error. Function: SSL3_READ_BYTES Reason: tlsv1 alert unknown ca
Nov 09 2010 15:45:01: %ASA-6-725006: Device failed SSL handshake with client Outside:1.0.0.4/49754
Nov 09 2010 15:45:01: %ASA-6-302014: Teardown TCP connection 2208 for Outside:1.0.0.4/49754 to identity:1.0.0.1/443 duration 0:00:00 bytes 654 TCP FINs
Nov 09 2010 15:45:01: %ASA-7-609002: Teardown local-host identity:1.0.0.1 duration 0:00:00


ASA-LAB#  show crypto ca certificates
Certificate
  Status: Available
  Certificate Serial Number: 663cd94c
  Certificate Usage: General Purpose
  Public Key Type: RSA (1024 bits)
  Issuer Name:
    hostname=sslvpnphone.medidata.com.br
    cn=sslvpnphone.medidata.com.br
  Subject Name:
    hostname=sslvpnphone.medidata.com.br
    cn=sslvpnphone.medidata.com.br
  Validity Date:
    start date: 10:19:50 BRDT Nov 9 2010
    end   date: 10:19:50 BRDT Nov 6 2020
  Associated Trustpoints: ASDM_TrustPoint1


Certificate List in Callmanager 8.0.3

VPN-trust-list
CN=sslvpnphone.medidata.com.br,unstructuredName=sslvpnphone.medidata.com.br


ASA-LAB#  show crypto ssl erro
error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca@s3_pkt.c:1417

ASA-LAB# sh ver

Cisco Adaptive Security Appliance Software Version 8.2(2)17
Device Manager Version 6.2(5)53

Compiled on Wed 26-May-10 19:02 by builders
System image file is "disk0:/asa822-17-k8.bin"
Config file at boot was "startup-config"

ASA-LAB up 2 days 5 hours

Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: Ethernet0/0         : address is 8843.e195.18d6, irq 9
1: Ext: Ethernet0/1         : address is 8843.e195.18d7, irq 9
2: Ext: Ethernet0/2         : address is 8843.e195.18d8, irq 9
3: Ext: Ethernet0/3         : address is 8843.e195.18d9, irq 9
4: Ext: Management0/0       : address is 8843.e195.18d5, irq 11
5: Int: Internal-Data0/0    : address is 0000.0001.0002, irq 11
6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5

Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited
Maximum VLANs                  : 50
Inside Hosts                   : Unlimited
Failover                       : Disabled
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
Security Contexts              : 0
GTP/GPRS                       : Disabled
SSL VPN Peers                  : 2
Total VPN Peers                : 250
Shared License                 : Disabled
AnyConnect for Mobile          : Enabled
AnyConnect for Cisco VPN Phone : Enabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled

This platform has a Base license.
This platform has a time-based license that will expire in 16 day(s).

Serial Number: JMX1417L4S6

Running Activation Key: 0x251d3771 0x70e867ef 0xd10a6e12 0x7eac16c7 0xc060bbb7
Configuration register is 0x1
Configuration last modified by enable_15 at 17:55:37.563 BRDT Tue Nov 9 2010
ASA-LAB#
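The syslog excerpt in the post already says which side gave up: in an OpenSSL-based stack, an error reported from SSL3_READ_BYTES whose reason is "tlsv1 alert ..." is an alert that was *received* from the peer, so here the phone rejected what the ASA presented. The log also shows the ASA choosing DES-CBC3-SHA (its own first preference) over the client's first preference AES256-SHA, and offering NULL-SHA and single-DES at all. The parser below, an added example that is not part of the original post, groups the 7250xx events per client, attributes the client-less 725014 line to the handshake in progress, and turns the function/reason pair into that diagnosis; the sample lines are copied from the post, and the message formats it matches are only the ones visible there.

```python
"""Parse ASA SSL-handshake syslog events and say which side rejected the handshake.
Added example (not from the thread or from Cisco). SAMPLE_LOG is copied from the post;
only the 7250xx message formats that appear there are matched."""
import re

SAMPLE_LOG = """\
Nov 09 2010 15:45:01: %ASA-6-725001: Starting SSL handshake with client Outside:1.0.0.4/49754 for TLSv1 session.
Nov 09 2010 15:45:01: %ASA-7-725010: Device supports the following 5 cipher(s).
Nov 09 2010 15:45:01: %ASA-7-725011: Cipher[1] : DES-CBC3-SHA
Nov 09 2010 15:45:01: %ASA-7-725011: Cipher[2] : AES128-SHA
Nov 09 2010 15:45:01: %ASA-7-725011: Cipher[3] : AES256-SHA
Nov 09 2010 15:45:01: %ASA-7-725011: Cipher[4] : DES-CBC-SHA
Nov 09 2010 15:45:01: %ASA-7-725011: Cipher[5] : NULL-SHA
Nov 09 2010 15:45:01: %ASA-7-725008: SSL client Outside:1.0.0.4/49754 proposes the following 3 cipher(s).
Nov 09 2010 15:45:01: %ASA-7-725011: Cipher[1] : AES256-SHA
Nov 09 2010 15:45:01: %ASA-7-725011: Cipher[2] : AES128-SHA
Nov 09 2010 15:45:01: %ASA-7-725011: Cipher[3] : DES-CBC3-SHA
Nov 09 2010 15:45:01: %ASA-7-725012: Device chooses cipher : DES-CBC3-SHA for the SSL session with client Outside:1.0.0.4/49754
Nov 09 2010 15:45:01: %ASA-7-725014: SSL lib error. Function: SSL3_READ_BYTES Reason: tlsv1 alert unknown ca
Nov 09 2010 15:45:01: %ASA-6-725006: Device failed SSL handshake with client Outside:1.0.0.4/49754
"""

MSG = re.compile(r"%ASA-\d-(?P<id>\d{6}): (?P<text>.*)$")


def is_weak_cipher(name):
    """NULL, export, RC4 and single-DES suites have no place in a VPN gateway's offer."""
    return name.startswith(("NULL-", "EXP-", "RC4-")) or name == "DES-CBC-SHA"


def parse_handshakes(log_text):
    """Group the 7250xx events by client 'ifc:ip/port'. 725014 carries no client id, so it
    is attributed to the handshake most recently started and not yet closed by 725006."""
    sessions, current, cipher_list = {}, None, None
    for line in log_text.splitlines():
        m = MSG.search(line)
        if not m:
            continue
        mid, text = m.group("id"), m.group("text")
        if mid == "725001":
            mm = re.match(r"Starting SSL handshake with client (\S+) for (\S+) session", text)
            current = mm.group(1)
            sessions[current] = {"version": mm.group(2), "device_ciphers": [], "client_ciphers": [],
                                 "cipher": None, "error": None, "failed": False}
        elif current is None:
            continue
        elif mid == "725010":
            cipher_list = "device_ciphers"      # the 725011 lines that follow are the ASA's own list
        elif mid == "725008":
            cipher_list = "client_ciphers"      # ... and from here on, the ClientHello's list
        elif mid == "725011" and cipher_list:
            sessions[current][cipher_list].append(text.split(":", 1)[1].strip())
        elif mid == "725012":
            mm = re.match(r"Device chooses cipher : (\S+) for the SSL session with client (\S+)", text)
            sessions[mm.group(2)]["cipher"] = mm.group(1)
        elif mid == "725014":
            mm = re.match(r"SSL lib error\. Function: (\S+) Reason: (.*)", text)
            sessions[current]["error"] = (mm.group(1), mm.group(2).strip())
        elif mid == "725006":
            mm = re.match(r"Device failed SSL handshake with client (\S+)", text)
            sessions[mm.group(1)]["failed"] = True
            if mm.group(1) == current:
                current, cipher_list = None, None
    return sessions


def diagnose(session):
    """Which side rejected the handshake, read off the 725014 function/reason pair."""
    if not session["failed"]:
        return "no failure logged"
    if session["error"] is None:
        return "failed without an SSL library error"
    func, reason = session["error"]
    if func.endswith("READ_BYTES") and " alert " in reason:
        who = ("the client rejected the certificate the ASA presented" if "unknown ca" in reason
               else "the client aborted the handshake")
        return f"alert received from peer ({reason}): {who}"
    return f"local failure in {func}: {reason}"


def weak_ciphers_offered(session):
    return [c for c in session["device_ciphers"] if is_weak_cipher(c)]


def client_preference_honoured(session):
    """False when the ASA picked by its own order rather than the client's (server preference)."""
    common = [c for c in session["client_ciphers"] if c in session["device_ciphers"]]
    return session["cipher"] == common[0] if common else None


if __name__ == "__main__":
    for client, s in parse_handshakes(SAMPLE_LOG).items():
        print(client, s["version"], s["cipher"], "->", diagnose(s))
        print("  weak suites in ASA offer:", weak_ciphers_offered(s))
```

On the sample this reports the alert as received from the peer, lists DES-CBC-SHA and NULL-SHA as weak suites in the ASA's offer, and shows that the client's cipher preference was not honoured.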


Yudong Wu
Level 7

Do you have the related CA cert in the ASA?

SSL lib error. Function: SSL3_READ_BYTES Reason: tlsv1 alert unknown ca

Hi,

Thank you for your attention to my case.

Yes, I generated the certificate on the ASA. I downloaded the generated certificate to my PC and then uploaded it to the CUCM. I saved the certificate in the Phone-Trust-list.


Is it necessary for the CUCM to be an identity CA?

Thanks,

Marcelo

So you are using a self-signed certificate on the ASA and this cert has been imported into CUCM. Your CUCM can recognize the ASA's certificate.

But in the other direction, your ASA needs to recognize CUCM's certificate, so you need to import the certificate of the CA server that issued CUCM's certificate into the ASA.


I inserted all the CA certificates below and I still have the problem.

Which of CUCM's CAs below should I use in the ASA?


Certificate List  CUCM 8.0.3

Certificate Name   Certificate Type  .PEM File                    .DER File                    Description
tomcat             certs             tomcat.pem                   tomcat.der
ipsec              certs             ipsec.pem                    ipsec.der
tomcat-trust       trust-certs       CCM-LAB-8-0-3.pem            CCM-LAB-8-0-3.der
ipsec-trust        trust-certs       CCM-LAB-8-0-3.pem            CCM-LAB-8-0-3.der
CallManager        certs             CallManager.pem              CallManager.der
CAPF               certs             CAPF.pem                     CAPF.der
TVS                certs             TVS.pem                      TVS.der
CallManager-trust  trust-certs       Cisco_Root_CA_2048.pem
CallManager-trust  trust-certs       CAP-RTP-001.pem
CallManager-trust  trust-certs       CAPF-30c3cc6e.pem
CallManager-trust  trust-certs       CAPF-0894ea72.pem
CallManager-trust  trust-certs       CAP-RTP-002.pem
CallManager-trust  trust-certs       Cisco_Manufacturing_CA.pem
CAPF-trust         trust-certs       Cisco_Root_CA_2048.pem
CAPF-trust         trust-certs       CAP-RTP-001.pem
CAPF-trust         trust-certs       CAPF-30c3cc6e.pem
CAPF-trust         trust-certs       CAPF-0894ea72.pem
CAPF-trust         trust-certs       CAP-RTP-002.pem
CAPF-trust         trust-certs       Cisco_Manufacturing_CA.pem
Phone-VPN-trust    trust-certs       ASA-LAB.medidata.com.br.pem  ASA-LAB.medidata.com.br.der


CA Certificate
  Status: Available
  Certificate Serial Number: 51915a38b9fc4489
  Certificate Usage: General Purpose
  Public Key Type: RSA (2048 bits)
  Issuer Name:
    c=BR
    st=RJ
    l=Rio de Janeiro
    o=Medidata
    ou=Matriz
    cn=CCM-LAB-8-0-3
  Subject Name:
    c=BR
    st=RJ
    l=Rio de Janeiro
    o=Medidata
    ou=Matriz
    cn=CCM-LAB-8-0-3
  Validity Date:
    start date: 10:07:51 BRDT Nov 5 2010
    end   date: 10:07:51 BRDT Nov 5 2015
  Associated Trustpoints: ASDM_TrustPoint18

CA Certificate
  Status: Available
  Certificate Serial Number: 5c145c67e7170474
  Certificate Usage: General Purpose
  Public Key Type: RSA (2048 bits)
  Issuer Name:
    c=BR
    st=RJ
    l=Rio de Janeiro
    o=Medidata
    ou=Matriz
    cn=CCM-LAB-8-0-3
  Subject Name:
    c=BR
    st=RJ
    l=Rio de Janeiro
    o=Medidata
    ou=Matriz
    cn=CCM-LAB-8-0-3
  Validity Date:
    start date: 10:07:39 BRDT Nov 5 2010
    end   date: 10:07:39 BRDT Nov 5 2015
  Associated Trustpoints: ASDM_TrustPoint17

CA Certificate
  Status: Available
  Certificate Serial Number: 3eccc3cbc1ad95e9
  Certificate Usage: General Purpose
  Public Key Type: RSA (1024 bits)
  Issuer Name:
    c=BR
    st=RJ
    l=Rio de Janeiro
    o=Medidata
    ou=Matriz
    cn=CCM-LAB-8-0-3
  Subject Name:
    c=BR
    st=RJ
    l=Rio de Janeiro
    o=Medidata
    ou=Matriz
    cn=CCM-LAB-8-0-3
  Validity Date:
    start date: 10:07:44 BRDT Nov 5 2010
    end   date: 10:07:44 BRDT Nov 5 2015
  Associated Trustpoints: ASDM_TrustPoint16

CA Certificate
  Status: Available
  Certificate Serial Number: 68d835d5341f399d
  Certificate Usage: Signature
  Public Key Type: RSA (1024 bits)
  Issuer Name:
    c=BR
    st=RJ
    l=Rio de Janeiro
    o=Medidata
    ou=Matriz
    cn=CAPF-30c3cc6e
  Subject Name:
    c=BR
    st=RJ
    l=Rio de Janeiro
    o=Medidata
    ou=Matriz
    cn=CAPF-30c3cc6e
  Validity Date:
    start date: 13:16:05 BRDT Oct 27 2010
    end   date: 13:16:05 BRDT Oct 27 2015
  Associated Trustpoints: ASDM_TrustPoint11

CA Certificate
  Status: Available
  Certificate Serial Number: 49148926353dd91b
  Certificate Usage: Signature
  Public Key Type: RSA (1024 bits)
  Issuer Name:
    c=BR
    st=RJ
    l=Rio de Janeiro
    o=Medidata
    ou=Matriz
    cn=CAPF-0894ea72
  Subject Name:
    c=BR
    st=RJ
    l=Rio de Janeiro
    o=Medidata
    ou=Matriz
    cn=CAPF-0894ea72
  Validity Date:
    start date: 10:07:48 BRDT Nov 5 2010
    end   date: 10:07:48 BRDT Nov 5 2015
  Associated Trustpoints: ASDM_TrustPoint13 ASDM_TrustPoint12 ASDM_TrustPoint10

CA Certificate
  Status: Available
  Certificate Serial Number: 353fb24bd70f14a346c1f3a9ac725675
  Certificate Usage: Signature
  Public Key Type: RSA (2048 bits)
  Issuer Name:
    cn=CAP-RTP-002
    o=Cisco Systems
  Subject Name:
    cn=CAP-RTP-002
    o=Cisco Systems
  CRL Distribution Points:
    [1]  http://cap-rtp-002/CertEnroll/CAP-RTP-002.crl
    [2]  file://\\cap-rtp-002\CertEnroll\CAP-RTP-002.crl
  Validity Date:
    start date: 17:18:49 BRST Oct 10 2003
    end   date: 18:27:37 BRDT Oct 10 2023
  Associated Trustpoints: ASDM_TrustPoint9

CA Certificate
  Status: Available
  Certificate Serial Number: 7612f960153d6f9f4e42202032b72356
  Certificate Usage: Signature
  Public Key Type: RSA (2048 bits)
  Issuer Name:
    cn=CAP-RTP-001
    o=Cisco Systems
  Subject Name:
    cn=CAP-RTP-001
    o=Cisco Systems
  CRL Distribution Points:
    [1]  http://cap-rtp-001/CertEnroll/CAP-RTP-001.crl
    [2]  file://\\cap-rtp-001\CertEnroll\CAP-RTP-001.crl
  Validity Date:
    start date: 21:27:13 BRDT Feb 6 2003
    end   date: 21:36:34 BRDT Feb 6 2023
  Associated Trustpoints: ASDM_TrustPoint8

CA Certificate
  Status: Available
  Certificate Serial Number: 640e17a1b0663262
  Certificate Usage: General Purpose
  Public Key Type: RSA (1024 bits)
  Issuer Name:
    c=BR
    st=RJ
    l=Rio de Janeiro
    o=Medidata
    ou=Matriz
    cn=CCM-LAB-8-0-3
  Subject Name:
    c=BR
    st=RJ
    l=Rio de Janeiro
    o=Medidata
    ou=Matriz
    cn=CCM-LAB-8-0-3
  Validity Date:
    start date: 10:07:47 BRDT Nov 5 2010
    end   date: 10:07:47 BRDT Nov 5 2015
  Associated Trustpoints: ASDM_TrustPoint7 ASDM_TrustPoint4

CA Certificate
  Status: Available
  Certificate Serial Number: 5ff87b282b54dc8d42a315b568c9adff
  Certificate Usage: Signature
  Public Key Type: RSA (2048 bits)
  Issuer Name:
    cn=Cisco Root CA 2048
    o=Cisco Systems
  Subject Name:
    cn=Cisco Root CA 2048
    o=Cisco Systems
  Validity Date:
    start date: 17:17:12 BRST May 14 2004
    end   date: 17:25:42 BRST May 14 2029
  Associated Trustpoints: ASDM_TrustPoint19 ASDM_TrustPoint15 ASDM_TrustPoint6

Certificate
  Status: Available
  Certificate Serial Number: 1fa7d94c
  Certificate Usage: General Purpose
  Public Key Type: RSA (1024 bits)
  Issuer Name:
    hostname=ASA-LAB.medidata.com.br
    cn=ASA-LAB.medidata.com.br
  Subject Name:
    hostname=ASA-LAB.medidata.com.br
    cn=ASA-LAB.medidata.com.br
  Validity Date:
    start date: 17:55:11 BRDT Nov 9 2010
    end   date: 17:55:11 BRDT Nov 6 2020
  Associated Trustpoints: WEBVPN

CA Certificate
  Status: Available
  Certificate Serial Number: 6a6967b3000000000003
  Certificate Usage: Signature
  Public Key Type: RSA (2048 bits)
  Issuer Name:
    cn=Cisco Root CA 2048
    o=Cisco Systems
  Subject Name:
    cn=Cisco Manufacturing CA
    o=Cisco Systems
  CRL Distribution Points:
    [1]  http://www.cisco.com/security/pki/crl/crca2048.crl
  Validity Date:
    start date: 19:16:01 BRST Jun 10 2005
    end   date: 17:25:42 BRST May 14 2029
  Associated Trustpoints: ASDM_TrustPoint14 ASDM_TrustPoint5 ASDM_TrustPoint2

Certificate
  Status: Available
  Certificate Serial Number: 663cd94c
  Certificate Usage: General Purpose
  Public Key Type: RSA (1024 bits)
  Issuer Name:
    hostname=sslvpnphone.medidata.com.br
    cn=sslvpnphone.medidata.com.br
  Subject Name:
    hostname=sslvpnphone.medidata.com.br
    cn=sslvpnphone.medidata.com.br
  Validity Date:
    start date: 10:19:50 BRDT Nov 9 2010
    end   date: 10:19:50 BRDT Nov 6 2020
  Associated Trustpoints: ASDM_TrustPoint1

Certificate
  Status: Available
  Certificate Serial Number: 6dcbc94c
  Certificate Usage: General Purpose
  Public Key Type: RSA (1024 bits)
  Issuer Name:
    hostname=sslvpn.medidata.com.br
    cn=sslvpn.medidata.com.br
  Subject Name:
    hostname=sslvpn.medidata.com.br
    cn=sslvpn.medidata.com.br
  Validity Date:
    start date: 17:13:49 BRDT Oct 28 2010
    end   date: 17:13:49 BRDT Oct 25 2020
  Associated Trustpoints: ASDM_TrustPoint0

Sorry, I might have misunderstood the issue.

This is about SSL handshake between IP phone and ASA.

What kind of certificate are you using on IP phone?

I'm using the IP Phone 7942's own MIC certificate.

Do I have to put this MIC certificate in the ASA?

How do I download the MIC of the IP phone?

If you are using the MIC certificate on the IP phone, you will need the following CA certificates, which can be downloaded from Call Manager.

CAP-RTP-001, CAP-RTP-002, and Cisco_Manufacturing_CA.

From your last post, you have done this. I am not sure what else could be the issue. Can you open a TAC case for help?

adonyscruz
Level 4

Any follow-up on this? We are having exactly the same problem. Thanks.

derveniss
Level 1

Any solution for this?

Try entering this command on the firewall:

     ssl trust-point trustpoint_id interface

where trustpoint_id is the certificate that you generated and exported from the ASA to CUCM, and interface is the interface through which the phone connects.

https://supportforums.cisco.com/docs/DOC-21469


Alexandre Alves
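The two replies above describe trust in opposite directions: the phone must trust the certificate the ASA serves on the VPN interface (which is what the ssl trust-point suggestion selects), and the ASA must hold the CAs that issued the phone's MIC (the CAP-RTP and Cisco Manufacturing CA advice). The script below, an added example that is not code from the thread or from Cisco, reproduces both failure modes in-process: it builds a made-up three-tier PKI with the openssl binary (assumed to be on PATH, 1.1.1 or newer), plays the ASA and the phone with Python's ssl module over memory BIOs, and reports each side's error. TLS 1.2 is forced instead of the thread's TLSv1 because current OpenSSL builds disable TLS 1.0 by default, and because in TLS 1.2 a rejected certificate always surfaces inside the handshake on both sides. The CA names, the phone CN and the hostname reuse are illustrative only.

```python
"""Reproduce both 'unknown ca' directions of the thread in-process. Added example, not
from the thread or from Cisco: openssl (1.1.1+) on PATH generates a toy PKI, Python's
ssl module plays the ASA (server) and the phone (client) over MemoryBIOs, TLS 1.2 forced."""
import ssl
import subprocess
import tempfile

HOST = "sslvpnphone.medidata.com.br"   # ASA hostname from the thread's certificate

def _openssl(*args):
    subprocess.run(["openssl", *args], check=True, capture_output=True)

def _issue(d, name, subj, ext, ca=None):
    """Fresh RSA key and cert d/<name>.pem with the given v3 extensions; self-signed
    when ca is None, otherwise signed by d/<ca>.pem."""
    with open(f"{d}/{name}.ext", "w") as f:
        f.write(ext)
    _openssl("req", "-new", "-newkey", "rsa:2048", "-nodes", "-subj", subj,
             "-keyout", f"{d}/{name}.key", "-out", f"{d}/{name}.csr")
    signer = (["-signkey", f"{d}/{name}.key"] if ca is None else
              ["-CA", f"{d}/{ca}.pem", "-CAkey", f"{d}/{ca}.key", "-CAcreateserial"])
    _openssl("x509", "-req", "-in", f"{d}/{name}.csr", *signer, "-days", "30",
             "-extfile", f"{d}/{name}.ext", "-out", f"{d}/{name}.pem")

def build_pki(d):
    """Made-up stand-ins for the thread's trust relationships:
    phone MIC <- 'Manufacturing CA' <- 'Root CA', plus the ASA's self-signed identity."""
    ca_ext = "basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n"
    _issue(d, "root", "/O=Example/CN=Example Root CA", ca_ext)
    _issue(d, "mfg", "/O=Example/CN=Example Manufacturing CA", ca_ext, ca="root")
    _issue(d, "mic", "/O=Example/CN=CP-7942-SEP001122334455",
           "basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n", ca="mfg")
    _issue(d, "asa", f"/CN={HOST}",
           f"basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:{HOST}\n")

def asa_context(d, trusted):
    """The ASA: presents asa.pem and requires a client cert that chains to `trusted`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(f"{d}/asa.pem", f"{d}/asa.key")
    ctx.verify_mode = ssl.CERT_REQUIRED
    for ca in trusted:
        ctx.load_verify_locations(f"{d}/{ca}.pem")
    return ctx

def phone_context(d, trusted):
    """The phone: presents only its MIC (no issuing CA) and trusts exactly `trusted`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False          # keep the name check out of a chain-trust experiment
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_cert_chain(f"{d}/mic.pem", f"{d}/mic.key")
    for ca in trusted:
        ctx.load_verify_locations(f"{d}/{ca}.pem")
    return ctx

def handshake(server_ctx, client_ctx):
    """Drive one handshake through memory BIOs; return (client_error, server_error), '' = ok."""
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    client = client_ctx.wrap_bio(c_in, c_out, server_side=False, server_hostname=HOST)
    server = server_ctx.wrap_bio(s_in, s_out, server_side=True)
    state = {"client": None, "server": None}       # None = still handshaking

    def step(name, obj):
        if state[name] is None:
            try:
                obj.do_handshake()
                state[name] = ""
            except ssl.SSLWantReadError:
                pass
            except ssl.SSLError as e:   # our own verify failure, or a fatal alert read from the peer
                state[name] = str(e)

    for _ in range(16):
        step("client", client)
        data = c_out.read()
        if data:
            s_in.write(data)
        step("server", server)
        data = s_out.read()
        if data:
            c_in.write(data)
        if state["client"] is not None and state["server"] is not None:
            break
    return state["client"], state["server"]

def classify(err):
    """'alert received' means the peer rejected us; 'local verify failure' means we rejected the peer."""
    e = err.lower().replace("_", " ")
    if not e:
        return "ok"
    if " alert " in e:
        return "alert received"
    if "certificate verify failed" in e:
        return "local verify failure"
    return "other"

def run_scenarios():
    with tempfile.TemporaryDirectory() as d:
        build_pki(d)
        return {
            # the thread's log: the ASA reads 'unknown ca', so the phone rejected the ASA's cert
            "phone_does_not_trust_asa": handshake(asa_context(d, ["root", "mfg"]), phone_context(d, [])),
            # the mirror image the replies discuss: the ASA lacks the CA that issued the MIC
            "asa_lacks_mic_issuer": handshake(asa_context(d, ["root"]), phone_context(d, ["asa"])),
            "both_trusted": handshake(asa_context(d, ["root", "mfg"]), phone_context(d, ["asa"])),
        }
```

Run `run_scenarios()` and classify each pair: in the first scenario the server side reads "tlsv1 alert unknown ca" while the client reports a local verify failure, matching the thread's log line for line; in the second the roles swap; in the third both return ''. The side that reads the alert is never the side that needs a new CA certificate.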

It could also be that under Device Management -> SSL Settings on the server only SSLv3 is selected and the client does not support SSLv3, which is the case with the AnyConnect client.

Hope this helps!

Regards,

Niels

Carl Duvall
Level 1

I realize this is a little bit of a dated post, but I wanted to inform others who might stumble across this.

I had the same issue after renewing an expired certificate.  I found the issue was with the VPN Gateway in CUCM.  After I renewed the cert and uploaded it to the ASA and CUCM, I had to manually go back in and reassociate it with the gateway I had created.  After doing so, I applied the config to the phone I was working on, rebooted, and boom, it worked.

Thanks

Carl
