11-09-2010 05:50 PM
I am configuring the SSL VPN Client for SCCP IP Phones in CUCM 8.0.3 and I'm having problems with the CA certificate.
Does anyone have any tips on how to solve it?
I have the following scenario:
CUCM 8.0.3 -> ASA 5510 8.2(2)17 -> IP Phone VPN CP7942 9.0.3
I have the information below:
Nov 09 2010 15:45:01: %ASA-7-609001: Built local-host identity:1.0.0.1
Nov 09 2010 15:45:01: %ASA-6-302013: Built inbound TCP connection 2208 for Outside:1.0.0.4/49754 (1.0.0.4/49754) to identity:1.0.0.1/443 (1.0.0.1/443)
Nov 09 2010 15:45:01: %ASA-6-725001: Starting SSL handshake with client Outside:1.0.0.4/49754 for TLSv1 session.
Nov 09 2010 15:45:01: %ASA-7-725010: Device supports the following 5 cipher(s).
Nov 09 2010 15:45:01: %ASA-7-725011: Cipher[1] : DES-CBC3-SHA
Nov 09 2010 15:45:01: %ASA-7-725011: Cipher[2] : AES128-SHA
Nov 09 2010 15:45:01: %ASA-7-725011: Cipher[3] : AES256-SHA
Nov 09 2010 15:45:01: %ASA-7-725011: Cipher[4] : DES-CBC-SHA
Nov 09 2010 15:45:01: %ASA-7-725011: Cipher[5] : NULL-SHA
Nov 09 2010 15:45:01: %ASA-7-725008: SSL client Outside:1.0.0.4/49754 proposes the following 3 cipher(s).
Nov 09 2010 15:45:01: %ASA-7-725011: Cipher[1] : AES256-SHA
Nov 09 2010 15:45:01: %ASA-7-725011: Cipher[2] : AES128-SHA
Nov 09 2010 15:45:01: %ASA-7-725011: Cipher[3] : DES-CBC3-SHA
Nov 09 2010 15:45:01: %ASA-7-725012: Device chooses cipher : DES-CBC3-SHA for the SSL session with client Outside:1.0.0.4/49754
Nov 09 2010 15:45:01: %ASA-7-725014: SSL lib error. Function: SSL3_READ_BYTES Reason: tlsv1 alert unknown ca
Nov 09 2010 15:45:01: %ASA-6-725006: Device failed SSL handshake with client Outside:1.0.0.4/49754
Nov 09 2010 15:45:01: %ASA-6-302014: Teardown TCP connection 2208 for Outside:1.0.0.4/49754 to identity:1.0.0.1/443 duration 0:00:00 bytes 654 TCP FINs
Nov 09 2010 15:45:01: %ASA-7-609002: Teardown local-host identity:1.0.0.1 duration 0:00:00
ASA-LAB# show crypto ca certificates
Certificate
Status: Available
Certificate Serial Number: 663cd94c
Certificate Usage: General Purpose
Public Key Type: RSA (1024 bits)
Issuer Name:
hostname=sslvpnphone.medidata.com.br
cn=sslvpnphone.medidata.com.br
Subject Name:
hostname=sslvpnphone.medidata.com.br
cn=sslvpnphone.medidata.com.br
Validity Date:
start date: 10:19:50 BRDT Nov 9 2010
end date: 10:19:50 BRDT Nov 6 2020
Associated Trustpoints: ASDM_TrustPoint1
Certificate List in Callmanager 8.0.3
VPN-trust-list
CN=sslvpnphone.medidata.com.br,unstructuredName=sslvpnphone.medidata.com.br
ASA-LAB# show crypto ssl erro
error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca@s3_pkt.c:1417
ASA-LAB# sh ver
Cisco Adaptive Security Appliance Software Version 8.2(2)17
Device Manager Version 6.2(5)53
Compiled on Wed 26-May-10 19:02 by builders
System image file is "disk0:/asa822-17-k8.bin"
Config file at boot was "startup-config"
ASA-LAB up 2 days 5 hours
Hardware: ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: Ethernet0/0 : address is 8843.e195.18d6, irq 9
1: Ext: Ethernet0/1 : address is 8843.e195.18d7, irq 9
2: Ext: Ethernet0/2 : address is 8843.e195.18d8, irq 9
3: Ext: Ethernet0/3 : address is 8843.e195.18d9, irq 9
4: Ext: Management0/0 : address is 8843.e195.18d5, irq 11
5: Int: Internal-Data0/0 : address is 0000.0001.0002, irq 11
6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 50
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 0
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 250
Shared License : Disabled
AnyConnect for Mobile : Enabled
AnyConnect for Cisco VPN Phone : Enabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has a Base license.
This platform has a time-based license that will expire in 16 day(s).
Serial Number: JMX1417L4S6
Running Activation Key: 0x251d3771 0x70e867ef 0xd10a6e12 0x7eac16c7 0xc060bbb7
Configuration register is 0x1
Configuration last modified by enable_15 at 17:55:37.563 BRDT Tue Nov 9 2010
ASA-LAB#
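The log in this post carries more than "handshake failed": the alert was logged from SSL3_READ_BYTES, which means the ASA received it from the phone, so the phone is the side that did not trust the ASA's certificate. The following is an added example, not part of the thread, that correlates the 7250xx messages of one handshake and states that direction; the log excerpt is constructed from the lines above.

```python
import re
# Constructed excerpt of the ASA syslog quoted in the post (trimmed to the relevant messages).
ASA_LOG = """\
Nov 09 2010 15:45:01: %ASA-6-725001: Starting SSL handshake with client Outside:1.0.0.4/49754 for TLSv1 session.
Nov 09 2010 15:45:01: %ASA-7-725010: Device supports the following 5 cipher(s).
Nov 09 2010 15:45:01: %ASA-7-725011: Cipher[1] : DES-CBC3-SHA
Nov 09 2010 15:45:01: %ASA-7-725011: Cipher[5] : NULL-SHA
Nov 09 2010 15:45:01: %ASA-7-725012: Device chooses cipher : DES-CBC3-SHA for the SSL session with client Outside:1.0.0.4/49754
Nov 09 2010 15:45:01: %ASA-7-725014: SSL lib error. Function: SSL3_READ_BYTES Reason: tlsv1 alert unknown ca
Nov 09 2010 15:45:01: %ASA-6-725006: Device failed SSL handshake with client Outside:1.0.0.4/49754
"""
MSG_RE = re.compile(r"%ASA-\d-(\d{6}): (.*)$")
ERR_RE = re.compile(r"Function: (\S+) Reason: (.*)")

def analyse(log_text):  # fold the 7250xx messages of one handshake into a dict
    hs = {"peer": None, "server_ciphers": [], "client_ciphers": [], "chosen": None, "error": None, "failed": False}
    current = None  # which cipher list the following 725011 lines belong to
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        msg_id, text = m.groups()
        if msg_id == "725001":
            hs["peer"] = re.search(r"client (\S+)", text).group(1)
        elif msg_id == "725010":          # "Device supports ..." precedes the ASA's own list
            current = hs["server_ciphers"]
        elif msg_id == "725008":          # "SSL client ... proposes" precedes the client's list
            current = hs["client_ciphers"]
        elif msg_id == "725011" and current is not None:
            current.append(text.split(" : ", 1)[1].strip())
        elif msg_id == "725012":
            hs["chosen"] = text.split("cipher : ", 1)[1].split()[0]
        elif msg_id == "725014":
            hs["error"] = ERR_RE.search(text).groups()
        elif msg_id == "725006":
            hs["failed"] = True
    return hs

def diagnose(hs):
    """Return (who_rejected, finding). An alert seen in SSL3_READ_BYTES was received from the peer."""
    if hs["error"] is None:
        return "none", "no SSL library error recorded"
    func, reason = hs["error"]
    if func == "SSL3_READ_BYTES" and "alert" in reason:   # the alert arrived from the client side
        return "peer", ("the phone did not trust the certificate chain the ASA presented" if "unknown ca" in reason
                        else "the client aborted the handshake with alert: " + reason)
    return "asa", "the ASA itself failed in %s: %s (check its CA trustpoints)" % (func, reason)

def weak_server_ciphers(hs):  # ciphers the ASA offers that a hardened SSL VPN should not
    return sorted({"NULL-SHA", "DES-CBC-SHA"} & set(hs["server_ciphers"]))
```

Run against the full excerpt above, the diagnosis points at the phone's trust in the ASA certificate rather than at the CA certificates installed on the ASA, and the cipher list shows NULL-SHA still enabled on the ASA side.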
11-10-2010 12:48 PM
Do you have related CA cert in ASA?
SSL lib error. Function: SSL3_READ_BYTES Reason: tlsv1 alert unknown ca
11-11-2010 04:08 AM
Hi,
Thank you for your attention to my case.
Yes, I generated the certificate on the ASA. I downloaded the generated certificate to my PC and then uploaded it to the CUCM. I saved the certificate in the Phone-Trust-list.
Is it necessary for the CUCM to be an identity CA?
Thanks,
Marcelo
11-11-2010 07:45 AM
So, you are using a self-signed certificate on the ASA and this cert has been imported into CUCM. Your CUCM can recognise the certificate of the ASA.
But in the other direction, your ASA needs to recognise CUCM's certificate, so you need to import the certificate of the CA server that issued CUCM's certificate into the ASA.
11-11-2010 12:19 PM
I inserted all the CA certificates below and I still have the problem.
Which of CUCM's CAs below should I use in the ASA?
Certificate List CUCM 8.0.3
Certificate Name    Certificate Type   .PEM File                    .DER File                    Description
tomcat              certs              tomcat.pem                   tomcat.der
ipsec               certs              ipsec.pem                    ipsec.der
tomcat-trust        trust-certs        CCM-LAB-8-0-3.pem            CCM-LAB-8-0-3.der
ipsec-trust         trust-certs        CCM-LAB-8-0-3.pem            CCM-LAB-8-0-3.der
CallManager         certs              CallManager.pem              CallManager.der
CAPF                certs              CAPF.pem                     CAPF.der
TVS                 certs              TVS.pem                      TVS.der
CallManager-trust   trust-certs        Cisco_Root_CA_2048.pem
CallManager-trust   trust-certs        CAP-RTP-001.pem
CallManager-trust   trust-certs        CAPF-30c3cc6e.pem
CallManager-trust   trust-certs        CAPF-0894ea72.pem
CallManager-trust   trust-certs        CAP-RTP-002.pem
CallManager-trust   trust-certs        Cisco_Manufacturing_CA.pem
CAPF-trust          trust-certs        Cisco_Root_CA_2048.pem
CAPF-trust          trust-certs        CAP-RTP-001.pem
CAPF-trust          trust-certs        CAPF-30c3cc6e.pem
CAPF-trust          trust-certs        CAPF-0894ea72.pem
CAPF-trust          trust-certs        CAP-RTP-002.pem
CAPF-trust          trust-certs        Cisco_Manufacturing_CA.pem
Phone-VPN-trust     trust-certs        ASA-LAB.medidata.com.br.pem  ASA-LAB.medidata.com.br.der
CA Certificate
Status: Available
Certificate Serial Number: 51915a38b9fc4489
Certificate Usage: General Purpose
Public Key Type: RSA (2048 bits)
Issuer Name:
c=BR
st=RJ
l=Rio de Janeiro
o=Medidata
ou=Matriz
cn=CCM-LAB-8-0-3
Subject Name:
c=BR
st=RJ
l=Rio de Janeiro
o=Medidata
ou=Matriz
cn=CCM-LAB-8-0-3
Validity Date:
start date: 10:07:51 BRDT Nov 5 2010
end date: 10:07:51 BRDT Nov 5 2015
Associated Trustpoints: ASDM_TrustPoint18
CA Certificate
Status: Available
Certificate Serial Number: 5c145c67e7170474
Certificate Usage: General Purpose
Public Key Type: RSA (2048 bits)
Issuer Name:
c=BR
st=RJ
l=Rio de Janeiro
o=Medidata
ou=Matriz
cn=CCM-LAB-8-0-3
Subject Name:
c=BR
st=RJ
l=Rio de Janeiro
o=Medidata
ou=Matriz
cn=CCM-LAB-8-0-3
Validity Date:
start date: 10:07:39 BRDT Nov 5 2010
end date: 10:07:39 BRDT Nov 5 2015
Associated Trustpoints: ASDM_TrustPoint17
CA Certificate
Status: Available
Certificate Serial Number: 3eccc3cbc1ad95e9
Certificate Usage: General Purpose
Public Key Type: RSA (1024 bits)
Issuer Name:
c=BR
st=RJ
l=Rio de Janeiro
o=Medidata
ou=Matriz
cn=CCM-LAB-8-0-3
Subject Name:
c=BR
st=RJ
l=Rio de Janeiro
o=Medidata
ou=Matriz
cn=CCM-LAB-8-0-3
Validity Date:
start date: 10:07:44 BRDT Nov 5 2010
end date: 10:07:44 BRDT Nov 5 2015
Associated Trustpoints: ASDM_TrustPoint16
CA Certificate
Status: Available
Certificate Serial Number: 68d835d5341f399d
Certificate Usage: Signature
Public Key Type: RSA (1024 bits)
Issuer Name:
c=BR
st=RJ
l=Rio de Janeiro
o=Medidata
ou=Matriz
cn=CAPF-30c3cc6e
Subject Name:
c=BR
st=RJ
l=Rio de Janeiro
o=Medidata
ou=Matriz
cn=CAPF-30c3cc6e
Validity Date:
start date: 13:16:05 BRDT Oct 27 2010
end date: 13:16:05 BRDT Oct 27 2015
Associated Trustpoints: ASDM_TrustPoint11
CA Certificate
Status: Available
Certificate Serial Number: 49148926353dd91b
Certificate Usage: Signature
Public Key Type: RSA (1024 bits)
Issuer Name:
c=BR
st=RJ
l=Rio de Janeiro
o=Medidata
ou=Matriz
cn=CAPF-0894ea72
Subject Name:
c=BR
st=RJ
l=Rio de Janeiro
o=Medidata
ou=Matriz
cn=CAPF-0894ea72
Validity Date:
start date: 10:07:48 BRDT Nov 5 2010
end date: 10:07:48 BRDT Nov 5 2015
Associated Trustpoints: ASDM_TrustPoint13 ASDM_TrustPoint12 ASDM_TrustPoint10
CA Certificate
Status: Available
Certificate Serial Number: 353fb24bd70f14a346c1f3a9ac725675
Certificate Usage: Signature
Public Key Type: RSA (2048 bits)
Issuer Name:
cn=CAP-RTP-002
o=Cisco Systems
Subject Name:
cn=CAP-RTP-002
o=Cisco Systems
CRL Distribution Points:
[1] http://cap-rtp-002/CertEnroll/CAP-RTP-002.crl
[2] file://\\cap-rtp-002\CertEnroll\CAP-RTP-002.crl
Validity Date:
start date: 17:18:49 BRST Oct 10 2003
end date: 18:27:37 BRDT Oct 10 2023
Associated Trustpoints: ASDM_TrustPoint9
CA Certificate
Status: Available
Certificate Serial Number: 7612f960153d6f9f4e42202032b72356
Certificate Usage: Signature
Public Key Type: RSA (2048 bits)
Issuer Name:
cn=CAP-RTP-001
o=Cisco Systems
Subject Name:
cn=CAP-RTP-001
o=Cisco Systems
CRL Distribution Points:
[1] http://cap-rtp-001/CertEnroll/CAP-RTP-001.crl
[2] file://\\cap-rtp-001\CertEnroll\CAP-RTP-001.crl
Validity Date:
start date: 21:27:13 BRDT Feb 6 2003
end date: 21:36:34 BRDT Feb 6 2023
Associated Trustpoints: ASDM_TrustPoint8
CA Certificate
Status: Available
Certificate Serial Number: 640e17a1b0663262
Certificate Usage: General Purpose
Public Key Type: RSA (1024 bits)
Issuer Name:
c=BR
st=RJ
l=Rio de Janeiro
o=Medidata
ou=Matriz
cn=CCM-LAB-8-0-3
Subject Name:
c=BR
st=RJ
l=Rio de Janeiro
o=Medidata
ou=Matriz
cn=CCM-LAB-8-0-3
Validity Date:
start date: 10:07:47 BRDT Nov 5 2010
end date: 10:07:47 BRDT Nov 5 2015
Associated Trustpoints: ASDM_TrustPoint7 ASDM_TrustPoint4
CA Certificate
Status: Available
Certificate Serial Number: 5ff87b282b54dc8d42a315b568c9adff
Certificate Usage: Signature
Public Key Type: RSA (2048 bits)
Issuer Name:
cn=Cisco Root CA 2048
o=Cisco Systems
Subject Name:
cn=Cisco Root CA 2048
o=Cisco Systems
Validity Date:
start date: 17:17:12 BRST May 14 2004
end date: 17:25:42 BRST May 14 2029
Associated Trustpoints: ASDM_TrustPoint19 ASDM_TrustPoint15 ASDM_TrustPoint6
Certificate
Status: Available
Certificate Serial Number: 1fa7d94c
Certificate Usage: General Purpose
Public Key Type: RSA (1024 bits)
Issuer Name:
hostname=ASA-LAB.medidata.com.br
cn=ASA-LAB.medidata.com.br
Subject Name:
hostname=ASA-LAB.medidata.com.br
cn=ASA-LAB.medidata.com.br
Validity Date:
start date: 17:55:11 BRDT Nov 9 2010
end date: 17:55:11 BRDT Nov 6 2020
Associated Trustpoints: WEBVPN
CA Certificate
Status: Available
Certificate Serial Number: 6a6967b3000000000003
Certificate Usage: Signature
Public Key Type: RSA (2048 bits)
Issuer Name:
cn=Cisco Root CA 2048
o=Cisco Systems
Subject Name:
cn=Cisco Manufacturing CA
o=Cisco Systems
CRL Distribution Points:
[1] http://www.cisco.com/security/pki/crl/crca2048.crl
Validity Date:
start date: 19:16:01 BRST Jun 10 2005
end date: 17:25:42 BRST May 14 2029
Associated Trustpoints: ASDM_TrustPoint14 ASDM_TrustPoint5 ASDM_TrustPoint2
Certificate
Status: Available
Certificate Serial Number: 663cd94c
Certificate Usage: General Purpose
Public Key Type: RSA (1024 bits)
Issuer Name:
hostname=sslvpnphone.medidata.com.br
cn=sslvpnphone.medidata.com.br
Subject Name:
hostname=sslvpnphone.medidata.com.br
cn=sslvpnphone.medidata.com.br
Validity Date:
start date: 10:19:50 BRDT Nov 9 2010
end date: 10:19:50 BRDT Nov 6 2020
Associated Trustpoints: ASDM_TrustPoint1
Certificate
Status: Available
Certificate Serial Number: 6dcbc94c
Certificate Usage: General Purpose
Public Key Type: RSA (1024 bits)
Issuer Name:
hostname=sslvpn.medidata.com.br
cn=sslvpn.medidata.com.br
Subject Name:
hostname=sslvpn.medidata.com.br
cn=sslvpn.medidata.com.br
Validity Date:
start date: 17:13:49 BRDT Oct 28 2010
end date: 17:13:49 BRDT Oct 25 2020
Associated Trustpoints: ASDM_TrustPoint0
11-11-2010 02:00 PM
Sorry, I might have misunderstood the issue.
This is about SSL handshake between IP phone and ASA.
What kind of certificate are you using on IP phone?
11-12-2010 03:34 AM
I'm using the IP Phone 7942's own MIC certificate.
Do I have to put this MIC certificate in the ASA?
How do I download the MIC of the IP Phone?
11-12-2010 12:43 PM
If you are using the MIC certificate on the IP Phone, you will need the following CA certificates, which can be downloaded from Call Manager:
CAP-RTP-001, CAP-RTP-002, and Cisco_Manufacturing_CA.
From your last post, you have done this. I am not sure what else could be the issue. Can you open a TAC case for help?
02-14-2011 03:31 PM
Any follow up on this? We are having exactly the same problem, thanks
06-09-2011 03:10 AM
Any solution for this?
01-24-2013 10:18 AM
Try entering this command on the firewall:
ssl trust-point trustpoint_id interface
where trustpoint_id is the certificate that you generated and exported from the ASA to CUCM, and interface is the interface through which the phone connects.
https://supportforums.cisco.com/docs/DOC-21469
Alexandre Alves
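The fix above works because the phone trusts only the certificate CUCM pushed to it, so the ASA must serve exactly that certificate on the interface the phone reaches. An added example (not from the thread) that verifies this by fingerprint; the PEMs are constructed stand-ins, not real certificates, and the hostname for the live check is a placeholder.

```python
import hashlib
import ssl

def fingerprint(pem, algo="sha256"):
    """Colon-separated fingerprint of a PEM certificate; compare it with what CUCM shows for the uploaded file."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def presented_certificate(host, port=443):
    """Fetch the certificate the ASA actually serves on its SSL VPN interface (live check, needs network)."""
    return ssl.get_server_certificate((host, port))

def match_trust_list(presented_pem, trust_list):
    """Name of the Phone-VPN-trust file whose fingerprint equals the served certificate, else None."""
    fp = fingerprint(presented_pem)
    return next((name for name, pem in trust_list.items() if fingerprint(pem) == fp), None)

# Constructed stand-ins (not real X.509, just bytes wrapped as PEM) so the comparison runs offline.
# They mirror the thread: the ASA holds two identity certs, CUCM's Phone-VPN-trust holds only one.
PEM_ASA_LAB = ssl.DER_cert_to_PEM_cert(b"constructed DER of ASA-LAB.medidata.com.br")
PEM_SSLVPNPHONE = ssl.DER_cert_to_PEM_cert(b"constructed DER of sslvpnphone.medidata.com.br")
PHONE_VPN_TRUST = {"ASA-LAB.medidata.com.br.pem": PEM_ASA_LAB}

if __name__ == "__main__":
    # For a live check, replace the constructed PEM with presented_certificate("<asa-vpn-hostname>").
    for served in (PEM_ASA_LAB, PEM_SSLVPNPHONE):
        print(fingerprint(served), "->", match_trust_list(served, PHONE_VPN_TRUST))
```

A None result for the certificate the ASA really serves means the trustpoint bound with ssl trust-point is not the one uploaded to CUCM, which is the situation the unknown ca alert reports.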
02-06-2013 08:31 AM
It could also be that under Device Management -> SSL Settings only SSLv3 is selected on the server side and the client does not support SSLv3, which is the case with the AnyConnect client.
Hope this helps!
Regards,
Niels
03-12-2015 01:48 PM
I realize this is a little bit of a dated post, but I wanted to inform others who might stumble across this.
I had the same issue after renewing an expired certificate. I found the issue was with the VPN Gateway in CUCM. After I renewed the cert and uploaded to the ASA and CUCM, I had to manually go back in and reassociate it with the gateway I had created. After doing so, I applied the config to the phone I was working on, rebooted, and boom, it worked.
Thanks
Carl