10-27-2011 08:51 PM
Hi All,
I have been following the Cisco Virtual Office deployment guide closely.
Simple demo setup
1x Cisco 881G-W (as CVO)
1x Cisco 3845 (as VPN headend)
1x Memo station
1x ACS 5.2 server
Problem statement:
User is able to authenticate successfully via the Cisco ACS, but we are unable to get MEVO to push configuration to the Cisco 881G.
Debug output
*Oct 28 01:32:30.225: CRYPTO_PKI: Identity selected (cvo-pki) for session 101C6
*Oct 28 01:32:30.229: CRYPTO_PKI: unlocked trustpoint cvo-pki, refcount is 0
*Oct 28 01:32:30.665: CRYPTO_WUI_TTI: received introduction get request.
*Oct 28 01:32:30.665: AAA/BIND(00000167): Bind i/f
*Oct 28 01:32:30.669: CRYPTO_WUI_TTI: checking AAA authentication (sdp-acs, user6)
*Oct 28 01:32:30.693: CRYPTO_WUI_TTI: aaa query ok!
*Oct 28 01:32:30.697: AAA/BIND(00000168): Bind i/f
*Oct 28 01:32:30.697: CRYPTO_WUI_TTI: building TTI av pairs from AAA attributes
*Oct 28 01:32:30.717: CRYPTO_WUI_TTI: Start template loaded from http://cvo-mevo/mevo/sdp/1-sdp_start.html
*Oct 28 01:32:30.729: CRYPTO_WUI_TTI: removing attr w/zero len value: TTIChallenge
*Oct 28 01:32:30.729: Attribute included for signature: TTIVersion
*Oct 28 01:32:30.729: Attribute value length: 3
*Oct 28 01:32:30.729: Attribute included for signature: TTIWelcomeTemplate
*Oct 28 01:32:30.729: Attribute value length: 8763
*Oct 28 01:32:30.729: CRYPTO_PKI: Identity selected (cvo-cs) for session 101C7
*Oct 28 01:32:30.765: CRYPTO_PKI: unlocked trustpoint cvo-cs, refcount is 0
*Oct 28 01:32:30.769: CRYPTO_WUI_TTI: Response mime type is text/html. So preprocessing avpairs, by base64 encoding them
*Oct 28 01:32:30.769: Before encoding: Attribute: TTISignature
*Oct 28 01:32:30.769: Before encoding: Attribute value length: 256
*Oct 28 01:32:30.769: After encoding: Attribute: TTISignature
*Oct 28 01:32:30.769: After encoding: Attribute value length: 350
*Oct 28 01:32:30.769: Before encoding: Attribute: TTIVersion
*Oct 28 01:32:30.769: Before encoding: Attribute value length: 3
*Oct 28 01:32:30.769: After encoding: Attribute: TTIVersion
*Oct 28 01:32:30.769: After encoding: Attribute value length: 5
*Oct 28 01:32:30.769: Before encoding: Attribute: TTIWelcomeTemplate
*Oct 28 01:32:30.769: Before encoding: Attribute value length: 8763
*Oct 28 01:32:30.769: After encoding: Attribute: TTIWelcomeTemplate
*Oct 28 01:32:30.769: After encoding: Attribute value length: 11867
*Oct 28 01:32:30.769: Before encoding: Attribute: TTISignCert
*Oct 28 01:32:30.769: Before encoding: Attribute value length: 1130
*Oct 28 01:32:30.769: After encoding: Attribute: TTISignCert
*Oct 28 01:32:30.769: After encoding: Attribute value length: 1532
*Oct 28 01:32:30.769: CRYPTO_WUI: Info: don't know how to expand $SDP here so leaving it in the template.
*Oct 28 01:32:30.769: CRYPTO_WUI: Info: no variable expansion due to non-alphanumeric char following '$': 0x2F [/]
*Oct 28 01:32:47.017: CRYPTO_WUI_TTI: received introduction post request.
*Oct 28 01:32:47.017: AAA/BIND(00000169): Bind i/f
*Oct 28 01:32:47.017: CRYPTO_WUI_TTI: checking AAA authentication (sdp-acs, user6)
*Oct 28 01:32:47.033: CRYPTO_WUI_TTI: aaa query ok!
*Oct 28 01:32:47.357: AAA/BIND(0000016A): Bind i/f
*Oct 28 01:32:47.357: CRYPTO_WUI_TTI: request_content_type = application/x-www-form-urlencoded
*Oct 28 01:32:47.365: Before decoding: Attribute: TTISignature
*Oct 28 01:32:47.365: Before decoding: Attribute value length: 356
*Oct 28 01:32:47.369: Before decoding: Attribute: TTIIosRunningConfig
*Oct 28 01:32:47.369: Before decoding: Attribute value length: 5760
*Oct 28 01:32:47.369: Before decoding: Attribute: TTIIosVersion
*Oct 28 01:32:47.369: Before decoding: Attribute value length: 2756
*Oct 28 01:32:47.369: Before decoding: Attribute: TTISignCert
*Oct 28 01:32:47.369: Before decoding: Attribute value length: 1374
*Oct 28 01:32:47.369: After decoding: Attribute: TTISignature
*Oct 28 01:32:47.369: After decoding: Attribute value length: 256
*Oct 28 01:32:47.369: After decoding: Attribute: TTIVersion
*Oct 28 01:32:47.369: After decoding: Attribute value length: 3
*Oct 28 01:32:47.369: After decoding: Attribute: TTIIosRunningConfig
*Oct 28 01:32:47.369: After decoding: Attribute value length: 4187
*Oct 28 01:32:47.369: After decoding: Attribute: TTIIosVersion
*Oct 28 01:32:47.369: After decoding: Attribute value length: 2002
*Oct 28 01:32:47.369: After decoding: Attribute: TTISignCert
*Oct 28 01:32:47.369: After decoding: Attribute value length: 998
*Oct 28 01:32:47.369: After decoding: Attribute: TTIKeyHash
*Oct 28 01:32:47.369: After decoding: Attribute value length: 32
*Oct 28 01:32:47.369: Sender version obtained
*Oct 28 01:32:47.369: Attribute included in signature: TTIVersion
*Oct 28 01:32:47.369: Attribute value length: 3
*Oct 28 01:32:47.369: Attribute included in signature: TTIIosRunningConfig
*Oct 28 01:32:47.369: Attribute value length: 4187
*Oct 28 01:32:47.369: Attribute included in signature: TTIIosVersion
*Oct 28 01:32:47.369: Attribute value length: 2002
*Oct 28 01:32:47.369: Attribute included in signature: TTIKeyHash
*Oct 28 01:32:47.369: Attribute value length: 32
*Oct 28 01:32:47.369: CRYPTO_PKI: Identity not specified for session 101C8
*Oct 28 01:32:47.369: CRYPTO_WUI_TTI: avpairs signed by serialNumber=FTX1447022D,hostname=ccp-router.yourdomain.com
*Oct 28 01:32:47.373: Signature verified
*Oct 28 01:32:47.373: CRYPTO_WUI_TTI: building TTI av pairs from AAA attributes
*Oct 28 01:32:47.389: CRYPTO_WUI_TTI: config_url - http://cvo-mevo/mevo/Configs/user6_Bootstrap.cfg
*Oct 28 01:33:03.389: CRYPTO_WUI: Open failed
*Oct 28 01:33:03.389: CRYPTO_WUI_TTI: Unknown error processing intro page
*Oct 28 01:33:03.389: CRYPTO_WUI_TTI: processing http action failed.
*Oct 28 01:33:03.401: CRYPTO_WUI: Info: don't know how to expand $SDP here so leaving it in the template.
*Oct 28 01:33:03.401: CRYPTO_WUI: Info: no variable expansion due to non-alphanumeric char following '$': 0x2F [/]
Cisco3845-GW#
Any advice greatly appreciated.
10-28-2011 04:47 AM
J,
*Oct 28 01:32:47.389: CRYPTO_WUI_TTI: config_url - http://cvo-mevo/mevo/Configs/user6_Bootstrap.cfg
*Oct 28 01:33:03.389: CRYPTO_WUI: Open failed
Can you check if you can copy that file say to flash?
copy http://.... flash:
Looks like we're failing to fetch it for whatever reason.
M.
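An added example, not part of the original thread: a short Python parser that pairs each `config_url` line in the SDP debug with the `Open failed` that follows it and reports the user, the URL and how long the registrar waited before giving up. The log lines are copied from the debug output quoted above; the function and variable names are illustrative.

```python
import re
from datetime import datetime

# Lines copied from the debug output quoted in this thread.
DEBUG = """\
*Oct 28 01:32:47.017: CRYPTO_WUI_TTI: checking AAA authentication (sdp-acs, user6)
*Oct 28 01:32:47.033: CRYPTO_WUI_TTI: aaa query ok!
*Oct 28 01:32:47.373: Signature verified
*Oct 28 01:32:47.389: CRYPTO_WUI_TTI: config_url - http://cvo-mevo/mevo/Configs/user6_Bootstrap.cfg
*Oct 28 01:33:03.389: CRYPTO_WUI: Open failed
*Oct 28 01:33:03.389: CRYPTO_WUI_TTI: processing http action failed.
"""

LINE = re.compile(r"^\*(\w{3} +\d+ \d\d:\d\d:\d\d\.\d{3}): (.*)$")
AUTH = re.compile(r"checking AAA authentication \(([^,]+), ([^)]+)\)")


def parse_ts(text):
    # IOS debug timestamps carry no year; a fixed leap year is assumed here.
    return datetime.strptime("2000 " + text, "%Y %b %d %H:%M:%S.%f")


def failed_fetches(debug_text):
    """Return one dict per config_url that is followed by 'Open failed'."""
    results, user, pending = [], None, None
    for raw in debug_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # prompt lines, blank lines, anything without a timestamp
        ts, msg = parse_ts(m.group(1)), m.group(2)
        auth = AUTH.search(msg)
        if auth:
            user = auth.group(2).strip()
        elif "config_url - " in msg:
            pending = (ts, msg.split("config_url - ", 1)[1].strip())
        elif msg.endswith("Open failed") and pending:
            started, url = pending
            results.append({"user": user, "url": url,
                            "seconds": (ts - started).total_seconds()})
            pending = None
    return results


if __name__ == "__main__":
    for f in failed_fetches(DEBUG):
        print("%(user)s: %(url)s failed after %(seconds).1f s" % f)
```

The elapsed time is worth recording next to any packet capture taken for the same attempt.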
10-29-2011 03:59 AM
Cisco3845-GW#copy https://10.10.50.3/mevo/Configs/user5_bootstrap.cfg flash:
Destination filename [user5_bootstrap.cfg]?
%Error opening https://10.10.50.3/mevo/Configs/user5_bootstrap.cfg (I/O error)
Cisco3845-GW#copy https://10.10.50.3/mevo/Configs/user5_bootstrap.cfg flash:
Destination filename [user5_bootstrap.cfg]?
%Error opening https://10.10.50.3/mevo/Configs/user5_bootstrap.cfg (I/O error)
10-29-2011 04:06 AM
Hi M,
I'm working with J on this CVO. Above is the outcome of the copy to flash:
cvo-mevo is at 10.10.50.3
10-29-2011 10:53 AM
Muhammad,
What this looks like from where I'm sitting (note that I do not know your setup and only have the info you provided me) is that the bootstrap config is not available from the router. The I/O error indicates that we got a problem very early in the connection. Maybe we even received an RST to the initial SYN.
What I would suggest, to check this out: first of all, try going to that URL with your browser from the HQ router subnet.
If you're receiving it, good. The next step would be to perform a packet capture while we try to access it from the router.
Marcin
10-29-2011 11:05 PM
Marcin,
Thanks for your reply.
From the same subnet as the HQ router, I can access the bootstrap config once I successfully enter the authentication for the MEVO server.
From performing a packet capture using Wireshark, I found that:
Header checksum: 0x0000 [incorrect,should be 0xXXXXX (maybe caused by "IP checksum offload"?)]
Please advise.
10-30-2011 02:04 AM
Header checksum: 0x0000 [incorrect,should be 0xXXXXX (maybe caused by "IP checksum offload"?)]
This is not necessarily bad. 1) You're running TCP/other offloading 2) You didn't capture full packets (edit: IP checksum is counted on packet header ;]) 3) Others...
So what is the flow when the router requests this file as opposed to a normal client requesting this file?
Marcin
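An added example, not part of the original thread: the IPv4 header checksum behind the Wireshark note, computed per RFC 1071, with a classifier that separates a zero (not yet filled) field from a genuinely wrong one. The sample header is constructed; the source address 10.10.50.20 is an assumption, and the interpretation of a zero field assumes the capture was taken on the sending host, before the NIC writes the checksum.

```python
import socket
import struct


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words over the header as given."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def expected_checksum(header: bytes) -> int:
    """Checksum the header should carry (field zeroed before summing)."""
    ihl = (header[0] & 0x0F) * 4            # header length in bytes
    return ipv4_checksum(header[:10] + b"\x00\x00" + header[12:ihl])


def fill_checksum(header: bytes) -> bytes:
    return header[:10] + struct.pack("!H", expected_checksum(header)) + header[12:]


def classify(header: bytes) -> str:
    stored = struct.unpack("!H", header[10:12])[0]
    if stored == expected_checksum(header):
        return "valid"
    if stored == 0:
        return "unfilled"   # typical of offload when captured on the sender
    return "mismatch"       # non-zero and wrong: corrupted or altered header


# Constructed sample: TCP packet towards 10.10.50.3, checksum field left at 0.
SAMPLE_UNFILLED = struct.pack(
    "!BBHHHBBH4s4s", 0x45, 0, 40, 0x1C46, 0x4000, 64, 6, 0,
    socket.inet_aton("10.10.50.20"), socket.inet_aton("10.10.50.3"))

if __name__ == "__main__":
    print(classify(SAMPLE_UNFILLED), hex(expected_checksum(SAMPLE_UNFILLED)))
    print(classify(fill_checksum(SAMPLE_UNFILLED)))
```

A capture taken on the receiving side or on a span port shows the value actually sent on the wire, so a checksum error there is worth investigating.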