02-17-2013 06:52 PM - edited 02-21-2020 06:42 PM
I've installed a cert from Go-Daddy and I have users that can't connect using the new cert. I've applied the cert to the VPN client. When attempting to connect I see the following in my logs:
Feb 17 20:16:14 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 5
Feb 17 20:16:14 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 5
Feb 17 20:16:14 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 5
Feb 17 20:16:14 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 5
Also I noticed that the Trustpoint says not authenticated:
Cisco-VPN# sh crypto ca trustpoints
Trustpoint ASDM_TrustPoint0:
Not authenticated.
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash md5
group 5
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp policy 70
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 90
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication rsa-sig
encryption 3des
hash sha
group 5
lifetime 86400
Any advice would help and thanks in advance.
02-17-2013 09:44 PM
Feb 17 20:16:14 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 5
Feb 17 20:16:14 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 5
Feb 17 20:16:14 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 5
Feb 17 20:16:14 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 5
It's what should happen and there's nothing unusual about that. Not all isakmp policies match on the client and the VPN gateway, and the client tries one after another until it finds one that matches.
Also I noticed that the Trustpoint says not authenticated:
Cisco-VPN# sh crypto ca trustpoints
If you say that the trustpoint is not authenticated, I don't know how you could install your certificate in the ASA.
To install the cert from Go-Daddy you should:
1. Authenticate the trustpoint, i.e. install the certificate of the CA which issued the certificate to your ASA (the client certificate), using:
crypto ca authenticate TRUSTPOINT_NAME
2. Enroll for the client certificate, i.e. generate a certificate request (optional), which I assume you've already done, using:
crypto ca enroll TRUSTPOINT_NAME
3. Import the client certificate after the CA signed it, or import a PKCS#12 file (which is not your case, I assume), using:
crypto ca import TRUSTPOINT_NAME certificate
crypto ca import TRUSTPOINT_NAME pkcs12 PASSPHRASE
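As an added illustration of the point above that the client walks the isakmp policies one after another (example code written for this thread, not from the posts or from Cisco), here is a small Python model of the responder trying the policies from the original post against a Phase 1 proposal. The client proposal is constructed (only "Group 2" comes from the log; the other attributes are assumed), and the matching rule (exact match on group, encryption, hash and authentication, compared in that order, lifetime not used as a match criterion) is a simplification of real ASA behaviour.

```python
# Added example for this thread (not code from the original posts or from Cisco):
# a simplified model of an IKEv1 responder walking its isakmp policies against a
# client's Phase 1 proposal, producing log lines shaped like the
# "Mismatched attribute types ... Rcv'd: Group 2 Cfg'd: Group 5" lines above.

# Policies copied from the ASA configuration in the original post, priority order.
ASA_POLICIES = [
    {"priority": 10, "authentication": "pre-share", "encryption": "aes-256",
     "hash": "md5", "group": 5, "lifetime": 86400},
    {"priority": 50, "authentication": "pre-share", "encryption": "aes-256",
     "hash": "sha", "group": 5, "lifetime": 86400},
    {"priority": 70, "authentication": "pre-share", "encryption": "3des",
     "hash": "sha", "group": 2, "lifetime": 86400},
    {"priority": 90, "authentication": "pre-share", "encryption": "aes-256",
     "hash": "sha", "group": 2, "lifetime": 86400},
    {"priority": 65535, "authentication": "rsa-sig", "encryption": "3des",
     "hash": "sha", "group": 5, "lifetime": 86400},
]

# Constructed client proposal: "Group 2" comes from the log; the rest is assumed.
CLIENT_PROPOSAL = {"authentication": "pre-share", "encryption": "aes-256",
                   "hash": "sha", "group": 2, "lifetime": 86400}

# Attribute classes in the order this model compares them (assumption: the ASA's
# real comparison order is not documented in this thread). Lifetime is not a
# match criterion here; the shorter of the two values would simply be used.
CLASSES = [("group", "Group Description"), ("encryption", "Encryption"),
           ("hash", "Hash"), ("authentication", "Authentication")]

def describe(key, value):
    """Render a value the way the log line does ("Group 2" for DH groups)."""
    return f"Group {value}" if key == "group" else str(value)

def negotiate(policies, proposal):
    """Walk policies in priority order. Returns (matched policy or None, list of
    one mismatch log line per policy that was rejected before a match)."""
    logs = []
    for pol in policies:
        for key, label in CLASSES:
            if pol[key] != proposal[key]:
                logs.append("[IKEv1]: Phase 1 failure: Mismatched attribute types "
                            f"for class {label}: Rcv'd: {describe(key, proposal[key])} "
                            f"Cfg'd: {describe(key, pol[key])}")
                break
        else:                       # every class matched: negotiation succeeds
            return pol, logs
    return None, logs               # no policy matched: a real Phase 1 failure
```

Calling negotiate(ASA_POLICIES, CLIENT_PROPOSAL) returns policy 90 after two Group Description mismatches (policies 10 and 50) and one Encryption mismatch (policy 70), so mismatch lines followed by a match are the normal walk-through. A proposal that matches no policy returns None, and that is the case worth investigating.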
02-18-2013 07:24 AM
Andrew, thanks for your reply; this makes things a lot clearer for me. I see where the cert is installed on the ASA, so I don't know how the trustpoint was not installed during this. I will try to authenticate the TrustPoint. Also, would the enrollment URL be listed in the cert below?
Cisco-VPN# sh cry ca certificates
Certificate
Status: Available
Certificate Serial Number: xxxxxxx
Certificate Usage: General Purpose
Public Key Type: RSA (2048 bits)
Issuer Name:
serialNumber=xxxxxxxx
cn=Go Daddy Secure Certification Authority
ou=http://certificates.godaddy.com/repository
o=GoDaddy.com\, Inc.
l=Scottsdale
st=Arizona
c=US
Subject Name:
cn=Mc1.data.net
ou=Domain Control Validated
OCSP AIA:
URL:
CRL Distribution Points:
[1]
http://crl.godaddy.com/gds1-85.crl
Validity Date:
start date: 19:36:54 CST Feb 14 2013
end date: 19:36:54 CST Feb 14 2016
Associated Trustpoints: ASDM_TrustPoint0