Re: PIX, remote access VPN, digital certificates issue.

bbailey1024 · ‎09-24-2004

Have myself a rather strange problem, and I can't seem to find the solution.

I've got a PIX 501 set up as a VPN server for remote access. Previously I've been using pre-shared keys and that's been working great. I thought I'd try to use digital certificates instead, but have run into a problem.

I'm using Windows 2003 server as the CA. Certificates for the PIX and the clients have been issued fine through SCEP. All certs are valid.

When I try to connect via Cisco's VPN client (4.0.5) the connection fails with only one ambiguous entry in the PIX's logs.

"404101: ISAKMP: Failed to allocate address for client from pool"

The ip local pool has been set up correctly, and works fine with preshared keys. Its worth noting that this error normally has the pool id at the end, but in this case does not.

Debugging crypto isakmp does not give any pertinent information. The only issue I've found is while debugging crypto ca. This is what I get:

CRYPTO_PKI: Can not get name ava count

CRYPTO_PKI: can not decode router sub name.

CRYPTO_PKI: Certificate verified, chain status= 1

CRYPTO_PKI: Can not get name ava count

CRYPTO_PKI: can not get decoded name

Can not get name ava count

CRYPTO_PKI: Can not get name ava count

My only thoughts on this is that the PIX is not seeing the OU of the client's cert. Since the OU is used to define the vpngroup policy. If it doesn't see the OU, then the vpngroup address pool will not be used. This would account for the above isakmp error.

I've also found a workaround for the issue. If the following command is used the client does get an IP address, but no other vpngroup policy settings (ie dns-server, split-tunneling, etc).

"isakmp client configuration address-pool local vpn_pool outside"

This leads me to belive that the PIX is, for some reason, just not seeing the OU of the client's cert and tying it into the vpngroup policy.

All settings on the PIX seem fine. If I change over to preshared keys, then the VPN works without a problem. Here's the relevent portions of my config anyway in case I'm missing something. I've also attached the details of the PIX's cert as well as the client's cert.

Any ideas or suggestions would be most appreciated. :)

I've attached a txt file that contains relevent portions of my config, as well as some details about the client and PIX certificates.

owillins · ‎09-30-2004

Here is something I found from the error message decoder tool. The recommendation is to Use the ip local pool command to specify additional IP addresses for the pool.

http://www.cisco.com/cgi-bin/Support/Errordecoder/index.cgi?action=search&index=all&locale=en&query=%25PIX-4-404101%3A+ISAKMP%3A+Failed+to+allocate+address+for+client+from+pool+&counter=0&paging=5&links=reference&sa=Submit

milan.kulik · ‎09-30-2004

Hi,

your PIX config expired already here, so I'm not able to download it.

But I noticed something interesting changing preshared keys to certificate authetnication on my PIX IPSec VPN:

It's necessary to use

isakmp identity hostname

in your PIX config while using certificates.

With isakmp identity address the connection fails.

See the recommendation

"If you are using RSA signatures as your authentication method in your IKE policies, we recommend that you set each participating peer's identity to hostname. Otherwise, the ISAKMP security association to be established during Phase 1 of IKE may fail."

in http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#wp1027312

Regards,

Milan

bbailey1024 · ‎10-01-2004

Hi Milan, thanks for the advice. I recently rebuilt the entrie CA server. Went from Windows 2003 (Trial) to Windows 2000 Server. Soon as I did that I started getting different IKE errors (wouldn't get past Phase 1).

At this point I scavenged Cisco's site and found out about using hostname vs address when using certificates. Plugged that into the config and everything started working as it should.

I still don't know what the problem was with 2003 server...it was a trial edition so it might have had something to do with it.

Oh and my config says it expires in 2005.

Everything seems to be working fine now, thanks for the replies! :)

milan.kulik · ‎10-03-2004

Brian,

I was using Win2003 server trial edition with no problem.

I just looked to your config and the only difference was: I was not using ca subject-name ... command.

I was not able to use our production CA, because it's configured as Enterprise CA and PIX supports only Stand-alone CA. But this is another kind of problem.

Regarding you config expiration - my mistake and problem with my Netscape Downloader.

Best regards,

Milan

kmakoni · ‎10-22-2004

I have setup a Windows 2003 Enterprise CA with PIX and it works fine. You however need to use "isakmp identity hostname" when using certificates. I had the same problem until changed the isakmp identity from address to hostname..

Thanks

Kumbi

milan.kulik · ‎10-24-2004

Hi,

our MS specialist also told me there is a different situation when running Enterprise CA on Win2003 standard edition and enterprise edition...

Do you have any experience with Windows 2000 Enterprise CA and PIX?

That's what I'd need to make working.

Regards,

Milan