Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1469
Views
0
Helpful
6
Replies

Problem with Cisco Virtual Office

J_Vansen_S
Level 3
Level 3

‎10-27-2011 08:51 PM

Hi All,

I have been following the Cisco Virtual Office deployment guide closely.

http://www.cisco.com/en/US/solutions/collateral/ns340/ns517/ns430/ns855/deployment_guide_c22-493157.html

Simple demo setup

1x Cisco 881G-W (as CVO)

1x Cisco 3845 (As Vpn headend)

1x Memo station

1x ACS 5.2 server

Probem statement:

User able to authenticate successfully via the Cisco ACS, but unable to get MEVO to push configuration to the Cisco 881G

Debug output

*Oct 28 01:32:30.225: CRYPTO_PKI: Identity selected (cvo-pki) for session 101C6

*Oct 28 01:32:30.229: CRYPTO_PKI: unlocked trustpoint cvo-pki, refcount is 0

*Oct 28 01:32:30.665: CRYPTO_WUI_TTI: received introduction get request.

*Oct 28 01:32:30.665: AAA/BIND(00000167): Bind i/f

*Oct 28 01:32:30.669: CRYPTO_WUI_TTI: checking AAA authentication (sdp-acs, user6)

*Oct 28 01:32:30.693: CRYPTO_WUI_TTI: aaa query ok!

*Oct 28 01:32:30.697: AAA/BIND(00000168): Bind i/f

*Oct 28 01:32:30.697: CRYPTO_WUI_TTI: building TTI av pairs from AAA attributes

*Oct 28 01:32:30.717: CRYPTO_WUI_TTI: Start template loaded from http://cvo-mevo/mevo/sdp/1-sdp_start.html

*Oct 28 01:32:30.729: CRYPTO_WUI_TTI: removing attr w/zero len value: TTIChallenge

*Oct 28 01:32:30.729: Attribute included for signature: TTIVersion

*Oct 28 01:32:30.729: Attribute value length: 3

*Oct 28 01:32:30.729: Attribute included for signature: TTIWelcomeTemplate

*Oct 28 01:32:30.729: Attribute value length: 8763

*Oct 28 01:32:30.729: CRYPTO_PKI: Identity selected (cvo-cs) for session 101C7

*Oct 28 01:32:30.765: CRYPTO_PKI: unlocked trustpoint cvo-cs, refcount is 0

*Oct 28 01:32:30.769: CRYPTO_WUI_TTI: Response mime type is text/html. So preprocessing avpairs, by base64 encoding them

*Oct 28 01:32:30.769: Before encoding: Attribute: TTISignature

*Oct 28 01:32:30.769: Before encoding: Attribute value length: 256

*Oct 28 01:32:30.769: After encoding: Attribute: TTISignature

*Oct 28 01:32:30.769: After encoding: Attribute value length: 350

*Oct 28 01:32:30.769: Before encoding: Attribute: TTIVersion

*Oct 28 01:32:30.769: Before encoding: Attribute value length: 3

*Oct 28 01:32:30.769: After encoding: Attribute: TTIVersion

*Oct 28 01:32:30.769: After encoding: Attribute value length: 5

*Oct 28 01:32:30.769: Before encoding: Attribute: TTIWelcomeTemplate

*Oct 28 01:32:30.769: Before encoding: Attribute value length: 8763

*Oct 28 01:32:30.769: After encoding: Attribute: TTIWelcomeTemplate

*Oct 28 01:32:30.769: After encoding: Attribute value length: 11867

*Oct 28 01:32:30.769: Before encoding: Attribute: TTISignCert

*Oct 28 01:32:30.769: Before encoding: Attribute value length: 1130

*Oct 28 01:32:30.769: After encoding: Attribute: TTISignCert

*Oct 28 01:32:30.769: After encoding: Attribute value length: 1532

*Oct 28 01:32:30.769: CRYPTO_WUI: Info: don't know how to expand $SDP here so leaving it in the template.

*Oct 28 01:32:30.769: CRYPTO_WUI: Info: no variable expansion due to non-alphanumeric char following '$': 0x2F [/]

*Oct 28 01:32:47.017: CRYPTO_WUI_TTI: received introduction post request.

*Oct 28 01:32:47.017: AAA/BIND(00000169): Bind i/f

*Oct 28 01:32:47.017: CRYPTO_WUI_TTI: checking AAA authentication (sdp-acs, user6)

*Oct 28 01:32:47.033: CRYPTO_WUI_TTI: aaa query ok!

*Oct 28 01:32:47.357: AAA/BIND(0000016A): Bind i/f

*Oct 28 01:32:47.357: CRYPTO_WUI_TTI: request_content_type = application/x-www-form-urlencoded

*Oct 28 01:32:47.365: Before decoding: Attribute: TTISignature

*Oct 28 01:32:47.365: Before decoding: Attribute value length: 356

*Oct 28 01:32:47.369: Before decoding: Attribute: TTIIosRunningConfig

*Oct 28 01:32:47.369: Before decoding: Attribute value length: 5760

*Oct 28 01:32:47.369: Before decoding: Attribute: TTIIosVersion

*Oct 28 01:32:47.369: Before decoding: Attribute value length: 2756

*Oct 28 01:32:47.369: Before decoding: Attribute: TTISignCert

*Oct 28 01:32:47.369: Before decoding: Attribute value length: 1374

*Oct 28 01:32:47.369: After decoding: Attribute: TTISignature

*Oct 28 01:32:47.369: After decoding: Attribute value length: 256

*Oct 28 01:32:47.369: After decoding: Attribute: TTIVersion

*Oct 28 01:32:47.369: After decoding: Attribute value length: 3

*Oct 28 01:32:47.369: After decoding: Attribute: TTIIosRunningConfig

*Oct 28 01:32:47.369: After decoding: Attribute value length: 4187

*Oct 28 01:32:47.369: After decoding: Attribute: TTIIosVersion

*Oct 28 01:32:47.369: After decoding: Attribute value length: 2002

*Oct 28 01:32:47.369: After decoding: Attribute: TTISignCert

*Oct 28 01:32:47.369: After decoding: Attribute value length: 998

*Oct 28 01:32:47.369: After decoding: Attribute: TTIKeyHash

*Oct 28 01:32:47.369: After decoding: Attribute value length: 32

*Oct 28 01:32:47.369: Sender version obtained

*Oct 28 01:32:47.369: Attribute included in signature: TTIVersion

*Oct 28 01:32:47.369: Attribute value length: 3

*Oct 28 01:32:47.369: Attribute included in signature: TTIIosRunningConfig

*Oct 28 01:32:47.369: Attribute value length: 4187

*Oct 28 01:32:47.369: Attribute included in signature: TTIIosVersion

*Oct 28 01:32:47.369: Attribute value length: 2002

*Oct 28 01:32:47.369: Attribute included in signature: TTIKeyHash

*Oct 28 01:32:47.369: Attribute value length: 32

*Oct 28 01:32:47.369: CRYPTO_PKI: Identity not specified for session 101C8

*Oct 28 01:32:47.369: CRYPTO_WUI_TTI: avpairs signed by serialNumber=FTX1447022D,hostname=ccp-router.yourdomain.com

*Oct 28 01:32:47.373: Signature verified

*Oct 28 01:32:47.373: CRYPTO_WUI_TTI: building TTI av pairs from AAA attributes

*Oct 28 01:32:47.389: CRYPTO_WUI_TTI: config_url - http://cvo-mevo/mevo/Configs/user6_Bootstrap.cfg

*Oct 28 01:33:03.389: CRYPTO_WUI: Open failed

*Oct 28 01:33:03.389: CRYPTO_WUI_TTI: Unknown error processing intro page

*Oct 28 01:33:03.389: CRYPTO_WUI_TTI: processing http action failed.

*Oct 28 01:33:03.401: CRYPTO_WUI: Info: don't know how to expand $SDP here so leaving it in the template.

*Oct 28 01:33:03.401: CRYPTO_WUI: Info: no variable expansion due to non-alphanumeric char following '$': 0x2F [/]

Cisco3845-GW#

Any advise greatly appreciated

Labels:
0 Helpful
6 Replies 6

Marcin Latosiewicz
Cisco Employee
Cisco Employee

‎10-28-2011 04:47 AM

J, 

*Oct 28 01:32:47.389: CRYPTO_WUI_TTI: config_url - http://cvo-mevo/mevo/Configs/user6_Bootstrap.cfg
*Oct 28 01:33:03.389: CRYPTO_WUI: Open failed

Can you check if you can copy that file say to flash?

copy http://.... flash:

Looks like we're failing to fetch it for whatever reason.

M.

0 Helpful

remysyaku
Level 1
Level 1
In response to Marcin Latosiewicz

‎10-29-2011 03:59 AM

Cisco3845-GW#copy https://10.10.50.3/mevo/Configs/user5_bootstrap.cfg flash:

Destination filename [user5_bootstrap.cfg]?

%Error opening https://10.10.50.3/mevo/Configs/user5_bootstrap.cfg (I/O error)

Cisco3845-GW#copy https://10.10.50.3/mevo/Configs/user5_bootstrap.cfg flash:

Destination filename [user5_bootstrap.cfg]?

%Error opening https://10.10.50.3/mevo/Configs/user5_bootstrap.cfg (I/O error)

0 Helpful

remysyaku
Level 1
Level 1
In response to remysyaku

‎10-29-2011 04:06 AM

Hi M,

Im working with J for this CVO. Above the the outcome for copy to flash:

cvo-mevo is with 10.10.50.3

0 Helpful

Marcin Latosiewicz
Cisco Employee
Cisco Employee
In response to remysyaku

‎10-29-2011 10:53 AM

Muhammad,

What this looks like from where I'm sitting (note that I do not know your setup and only have the info you provided me).

Is that the bootstrap config is not avilbale from router. The I/O error indicates that we got a problem very early in the connection. Maybe even we received RST to initial SYN.

What I would suggest to to check this out, first of all try going from HQ router subnt with your browser to tht URL.

If you're reciving it, good. Next step would be to perofrm packet capture while we try to to access it from router.

Marcin

0 Helpful

remysyaku
Level 1
Level 1
In response to Marcin Latosiewicz

‎10-29-2011 11:05 PM

Marcin,

Thanks for your reply.

From the same subnet as HQ router, I can access the bootstrap config once after i successful enter the authentication for MEVO server.

From perform packet capture using wireshark, I found out that:-

Header checksum: 0x0000 [incorrect,should be 0xXXXXX (maybe caused by "IP checksum offload"?)]

Please adviced.

0 Helpful

Marcin Latosiewicz
Cisco Employee
Cisco Employee
In response to remysyaku

‎10-30-2011 02:04 AM 

Header checksum: 0x0000 [incorrect,should be 0xXXXXX (maybe caused by "IP checksum offload"?)]

This is not necessary bad. 1) You're running TCP/other offloading 2) You didn't capture full packets (edit: IP checksum is counted on packet header ;]) 3) Others...

So what is the flow when router requests this file as opposed to normal cient requesting this file?

Marcin

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents